Hi,

Our application (hosted on Tomcat 5.5.9, JDK 1.6_4 using JSSE) connects to the external web service. During the SSL handshake, based on the following messages, it appears that Tomcat is unable to send the client certificate chain to the server after the ServerHello has been received, but this issue happens only intermittently. When the SSL handshake is successful, the only difference is that after the ServerHello, the Tomcat application is able to find "matching alias:" and is then able to send the certificate chain back to the server.

I have gone through the following bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=37869. Can someone kindly confirm whether it solves the same issue and whether the patch can be used safely against Tomcat 5.5.9?

*** ClientHello, TLSv1
RandomCookie: GMT: 1250752588 bytes = { 254, 18, 193, 215, 139, 30, 229, 96, 185, 57, 70, 219, 54, 117, 98, 130, 213, 225, 17, 22, 64, 7, 118, 182, 254, 230, 98, 249 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: TLSv1 Handshake, length = 79
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: SSLv2 client hello message, length = 107
RMI TCP Connection(25)-xx.xx.xx.xx, READ: TLSv1 Handshake, length = 2004
*** ServerHello, TLSv1
RandomCookie: GMT: 1250752588 bytes = { 32, 129, 54, 88, 10, 214, 152, 239, 226, 206, 229, 51, 23, 45, 165, 76, 226, 119, 151, 162, 163, 223, 246, 152, 101, 48, 142, 98 }
Session ID: {75, 141, 248, 76, 232, 162, 241, 4, 153, 104, 144, 240, 141, 215, 226, 59, 0, 212, 81, 211, 191, 80, 169, 201, 226, 238, 195, 24,254, 191, 152, 80}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
%% Created: [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: emailaddress=supp...@xx.com, C=GB, ST=England, L=London, O=Xxxxxxx, OU=EMP, CN=www.ws.xxxxxxx.co.uk
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Wed Apr 22 01:00:00 BST 2009, To: Sun Apr 22 00:59:59 BST 2012]
  Issuer: CN=B2B Xxxxxxx, O=Xxxxxxx
  SerialNumber: [ 63df7cf5 89339db0 eead9c7e d6d141ae]
Certificate Extensions: 7
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 62 DA 37 9A 42 E6 D5 A9 01 66 B9 86 18 B1 04 .b.7.B....f.....
0010: 61 64 69 E6 adi.
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 43 8A 4C B5 D6 60 34 F9 B2 35 AB B3 66 06 E8 82 C.L..`4..5..f...
0010: 74 D4 8A 5B t..[
]
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: supp...@xx.com
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint: [URIName: http://xxxxx.xxxxx.com/Xxxxxxxx/LatestCRL.crl] ]]
[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
]
  Algorithm: [SHA1withRSA]
]
chain [1] = [
[
  Version: V3
  Subject: CN=B2B Xxxxxxx, O=Xxxxxxx
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 1024 bits
  public exponent: 65537
  Validity: [From: Thu Feb 09 00:00:00 GMT 2006, To: Mon Feb 08 23:59:59 GMT 2016]
  Issuer: CN=B2B Xxxxxxx, O=Xxxxxxx
  SerialNumber: [ 2d50b6ab d1e84e70 a06362df 807d235b]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 43 8A 4C B5 D6 60 34 F9 B2 35 AB B3 66 06 E8 82 C.L..`4..5..f...
0010: 74 D4 8A 5B t..[
]
]
[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
  SSL CA
  S/MIME CA
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=BTPrivate1-98
]
[4]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]
[5]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:0
]
]
  Algorithm: [SHA1withRSA]
]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: emailaddress=supp...@xx.com, C=GB, ST=England, L=London, O=Xxxxxxx, OU=EMP, CN=www.ws.xxxxxxx.co.uk
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Wed Apr 22 01:00:00 BST 2009, To: Sun Apr 22 00:59:59 BST 2012]
  Issuer: CN=B2B Xxxxxxx, O=Xxxxxxx
  SerialNumber: [ 63df7cf5 89339db0 eead9c7e d6d141ae]
Certificate Extensions: 7
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 62 DA 37 9A 42 E6 D5 A9 01 66 B9 86 18 B1 04 .b.7.B....f.....
0010: 61 64 69 E6 adi.
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 43 8A 4C B5 D6 60 34 F9 B2 35 AB B3 66 06 E8 82 C.L..`4..5..f...
0010: 74 D4 8A 5B t..[
]
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: supp...@xx.com
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint: [URIName: http://xxxxx.xxxxx.com/Xxxxxxxx/LatestCRL.crl] ]]
[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
]
  Algorithm: [SHA1withRSA]
]
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities: York, C=US, emailaddress=xxxx...@xx.com>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: TLSv1 Handshake, length = 269
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 156, 244, 254, 207, 105, 214, 249, 53, 171, 101, 254, 37 }
***
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: TLSv1 Handshake, length = 48
RMI TCP Connection(25)-xx.xx.xx.xx, READ: TLSv1 Alert, length = 2
RMI TCP Connection(25)-xx.xx.xx.xx, RECV TLSv1 ALERT: fatal, bad_certificate
RMI TCP Connection(25)-xx.xx.xx.xx, called closeSocket()
RMI TCP Connection(25)-xx.xx.xx.xx, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[ 03-Mar-2010 05:49:00:411 ERROR LluCheckerRequestSender RMI TCP Connection(25)-xx.xx.xx.xx] Error type: 121 | Error code: 17001 | null:communicateWithBtWebService:There is some problem at BT side but customer can proceed with order placement
[ 03-Mar-2010 05:49:00:411 ERROR LluCheckerRequestSender RMI TCP Connection(25)-xx.xx.xx.xx] EXCEPTION: com.be.bss.emp.communication.exception.EMPCommunicationException, MESSAGE: There is some problem at BT side but customer can proceed with order placement; CAUSE: (javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate)
    at com.be.bss.emp.communication.LluCheckerRequestSender.communicateWithBtWebService(LluCheckerRequestSender.java:266)
    at com.be.bss.provisioning.thirdparty.bt.availabilitycheck.service.EMPWSLluCheckerDNRequestProcessor.process(EMPWSLluCheckerDNRequestProcessor.java:74)
    at com.be.bss.provisioning.thirdparty.bt.availabilitycheck.service.AvailabilityCheckerServiceImpl.getResponseFromService(AvailabilityCheckerServiceImpl.java:493)
    at com.be.bss.provisioning.thirdparty.bt.availabilitycheck.service.AvailabilityCheckerServiceImpl.getLluDetails(AvailabilityCheckerServiceImpl.java:410)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:280)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
    at org.springframework.remoting.support.RemoteInvocationTraceInterceptor.invoke(RemoteInvocationTraceInterceptor.java:70)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
    at $Proxy135.getLluDetails(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.remoting.support.RemoteInvocation.invoke(RemoteInvocation.java:181)
    at org.springframework.remoting.support.DefaultRemoteInvocationExecutor.invoke(DefaultRemoteInvocationExecutor.java:38)
    at org.springframework.remoting.support.RemoteInvocationBasedExporter.invoke(RemoteInvocationBasedExporter.java:76)
    at org.springframework.remoting.rmi.RmiBasedExporter.invoke(RmiBasedExporter.java:72)
    at com.be.bss.framework.rmi.RmiServiceExporter.invoke(RmiServiceExporter.java:43)
    at org.springframework.remoting.rmi.RmiInvocationWrapper.invoke(RmiInvocationWrapper.java:62)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
    at sun.rmi.transport.Transport$1.run(Transport.java:159)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:1910)
    at com.be.bss.emp.communication.LluCheckerRequestSender.communicateWithBtWebService(LluCheckerRequestSender.java:250)
    ... 38 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 46 more
AxisFault

Thanks,
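
An added example, not part of the original post: a small Python triage script for javax.net.debug output that separates handshakes where the server sent a CertificateRequest and the client answered with an empty Certificate chain (the shape of the failing trace above) from those where a "matching alias:" was found and a chain was sent. The sample log, the alias `client-key` and the thread name `worker-1` are constructed for illustration.

```python
import re

# Constructed javax.net.debug excerpt (not taken from the post): first handshake
# fails as in the trace above, second succeeds. Alias and thread name are made up.
SAMPLE_LOG = """\
*** ClientHello, TLSv1
*** Certificate chain
chain [0] = [
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
***
worker-1, RECV TLSv1 ALERT:  fatal, bad_certificate
*** ClientHello, TLSv1
*** Certificate chain
chain [0] = [
*** CertificateRequest
*** ServerHelloDone
matching alias: client-key
*** Certificate chain
chain [0] = [
"""

ALERT = re.compile(r"ALERT:\s*(\w+),\s*(\w+)")

def classify(lines):
    """Summarise one handshake: was a client cert requested, and was one sent?"""
    requested = done = False
    alias = alert = sent = None
    for i, line in enumerate(lines):
        if line.startswith("*** CertificateRequest"):
            requested = True
        elif line.startswith("*** ServerHelloDone"):
            done = True
        elif line.startswith("matching alias:"):
            alias = line.split(":", 1)[1].strip()
        elif done and sent is None and line.startswith("*** Certificate chain"):
            # The server's own chain precedes ServerHelloDone; this is the client's.
            sent = i + 1 < len(lines) and lines[i + 1].startswith("chain [")
        if (m := ALERT.search(line)):
            alert = m.group(2)  # alert description, e.g. bad_certificate
    return {"requested": requested, "client_cert_sent": sent,
            "alias": alias, "alert": alert}

def triage(text):
    """Split debug output at each ClientHello and classify every handshake."""
    handshakes = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*** ClientHello"):
            handshakes.append([])
        if handshakes and line:
            handshakes[-1].append(line)
    return [classify(h) for h in handshakes]
```

The `***` lines in this debug output carry no thread name, so output from concurrent handshakes has to be separated before it is fed to `triage`.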