Hi,

Our application (hosted on Tomcat 5.5.9, JDK 1.6_4, using JSSE) connects to the
external web service.
During the SSL handshake, based on the following messages, it appears that Tomcat
is unable to send the client certificate chain to the server after the ServerHello
has been received, but this issue happens only intermittently. When the SSL
handshake is successful, the only difference is that after the ServerHello, the
Tomcat application is able to find "matching alias:" and is then able to send the
certificate chain back to the server.
I have gone through the following bug:
https://issues.apache.org/bugzilla/show_bug.cgi?id=37869. Can someone kindly
confirm whether it solves the same issue and whether the patch can be used safely
against Tomcat 5.5.9?

*** ClientHello, TLSv1
RandomCookie: GMT: 1250752588 bytes = { 254, 18, 193, 215, 139, 30, 229, 96,
185, 57, 70, 219, 54, 117, 98, 130, 213, 225, 17, 22, 64, 7, 118, 182, 254,
230, 98, 249 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: TLSv1 Handshake, length = 79
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: SSLv2 client hello message, length =
107
RMI TCP Connection(25)-xx.xx.xx.xx, READ: TLSv1 Handshake, length = 2004
*** ServerHello, TLSv1
RandomCookie: GMT: 1250752588 bytes = { 32, 129, 54, 88, 10, 214, 152, 239,
226, 206, 229, 51, 23, 45, 165, 76, 226, 119, 151, 162, 163, 223, 246, 152,
101, 48, 142, 98 }
Session ID: {75, 141, 248, 76, 232, 162, 241, 4, 153, 104, 144, 240, 141, 215,
226, 59, 0, 212, 81, 211, 191, 80, 169, 201, 226, 238, 195, 24,254, 191, 152,
80}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
%% Created: [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: emailaddress=supp...@xx.com, C=GB, ST=England, L=London, O=Xxxxxxx,
OU=EMP, CN=www.ws.xxxxxxx.co.uk
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus:
16162611199232823233425508780099750987125419660742934281961955972117378541058186137486428240040238581687349480496672869897783834258347125804210414091530301496353223561607070121681099669215297728417686799587105764278728480325557343219476259119320546884011084798277103308273666235262419825295319256304273466668578485966935492826750875858284641917095253856515172583714628445763789859607442240275914167338720348233597513648311014093918006192451527281147637064354340588151350762119918367896157881721760313234874893065293087246862013258834432826237700798003598398293316362809718059187206760048006681314966988913978521585333
public exponent: 65537
Validity: [From: Wed Apr 22 01:00:00 BST 2009,
To: Sun Apr 22 00:59:59 BST 2012]
Issuer: CN=B2B Xxxxxxx, O=Xxxxxxx
SerialNumber: [ 63df7cf5 89339db0 eead9c7e d6d141ae]

Certificate Extensions: 7
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 62 DA 37 9A 42 E6 D5 A9 01 66 B9 86 18 B1 04 .b.7.B....f.....
0010: 61 64 69 E6 adi.
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 43 8A 4C B5 D6 60 34 F9 B2 35 AB B3 66 06 E8 82 C.L..`4..5..f...
0010: 74 D4 8A 5B t..[
]

]

[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: supp...@xx.com
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://xxxxx.xxxxx.com/Xxxxxxxx/LatestCRL.crl]
]]

[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]

[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]

[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

]
Algorithm: [SHA1withRSA]

]
chain [1] = [
[
Version: V3
Subject: CN=B2B Xxxxxxx, O=Xxxxxxx
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus:
136846065372317538061089166156165357583468716380366996471197328070132843792166503451548745338433502584592530976823733915600031064121671237645044956861960283807908277541163850367175181563842388465347872229405738887863442595931343517005913010511798422638402979134266100093374956526837394977218319598829645787333
public exponent: 65537
Validity: [From: Thu Feb 09 00:00:00 GMT 2006,
To: Mon Feb 08 23:59:59 GMT 2016]
Issuer: CN=B2B Xxxxxxx, O=Xxxxxxx
SerialNumber: [ 2d50b6ab d1e84e70 a06362df 807d235b]

Certificate Extensions: 5
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 43 8A 4C B5 D6 60 34 F9 B2 35 AB B3 66 06 E8 82 C.L..`4..5..f...
0010: 74 D4 8A 5B t..[
]
]

[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
]

[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=BTPrivate1-98
]

[4]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]

[5]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:0
]

]
Algorithm: [SHA1withRSA]

]
***
Found trusted certificate:
[
[
Version: V3
Subject: emailaddress=supp...@xx.com, C=GB, ST=England, L=London, O=Xxxxxxx,
OU=EMP, CN=www.ws.xxxxxxx.co.uk
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus:
16162611199232823233425508780099750987125419660742934281961955972117378541058186137486428240040238581687349480496672869897783834258347125804210414091530301496353223561607070121681099669215297728417686799587105764278728480325557343219476259119320546884011084798277103308273666235262419825295319256304273466668578485966935492826750875858284641917095253856515172583714628445763789859607442240275914167338720348233597513648311014093918006192451527281147637064354340588151350762119918367896157881721760313234874893065293087246862013258834432826237700798003598398293316362809718059187206760048006681314966988913978521585389
public exponent: 65537
Validity: [From: Wed Apr 22 01:00:00 BST 2009,
To: Sun Apr 22 00:59:59 BST 2012]
Issuer: CN=B2B Xxxxxxx, O=Xxxxxxx
SerialNumber: [ 63df7cf5 89339db0 eead9c7e d6d141ae]

Certificate Extensions: 7
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 62 DA 37 9A 42 E6 D5 A9 01 66 B9 86 18 B1 04 .b.7.B....f.....
0010: 61 64 69 E6 adi.
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 43 8A 4C B5 D6 60 34 F9 B2 35 AB B3 66 06 E8 82 C.L..`4..5..f...
0010: 74 D4 8A 5B t..[
]

]

[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: supp...@xx.com
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://xxxxx.xxxxx.com/Xxxxxxxx/LatestCRL.crl]
]]

[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]

[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]

[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

]
Algorithm: [SHA1withRSA]

]
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:


York, C=US, emailaddress=xxxx...@xx.com>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: TLSv1 Handshake, length = 269
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 156, 244, 254, 207, 105, 214, 249, 53, 171, 101, 254, 37 }
***
RMI TCP Connection(25)-xx.xx.xx.xx, WRITE: TLSv1 Handshake, length = 48
RMI TCP Connection(25)-xx.xx.xx.xx, READ: TLSv1 Alert, length = 2
RMI TCP Connection(25)-xx.xx.xx.xx, RECV TLSv1 ALERT: fatal, bad_certificate
RMI TCP Connection(25)-xx.xx.xx.xx, called closeSocket()
RMI TCP Connection(25)-xx.xx.xx.xx, handling exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[ 03-Mar-2010 05:49:00:411 ERROR LluCheckerRequestSender RMI TCP
Connection(25)-xx.xx.xx.xx] Error type: 121 | Error code: 17001 |
null:communicateWithBtWebService:There is some problem at BT side but customer
can proceed with order placement
[ 03-Mar-2010 05:49:00:411 ERROR LluCheckerRequestSender RMI TCP
Connection(25)-xx.xx.xx.xx] EXCEPTION:
com.be.bss.emp.communication.exception.EMPCommunicationException,
MESSAGE: There is some problem at BT side but customer can proceed with order
placement;
CAUSE: (javax.net.ssl.SSLHandshakeException: Received fatal alert:
bad_certificate)
at com.be.bss.emp.communication.LluCheckerRequestSender.communicateWithBtWebService(LluCheckerRequestSender.java:266)
at com.be.bss.provisioning.thirdparty.bt.availabilitycheck.service.EMPWSLluCheckerDNRequestProcessor.process(EMPWSLluCheckerDNRequestProcessor.java:74)
at com.be.bss.provisioning.thirdparty.bt.availabilitycheck.service.AvailabilityCheckerServiceImpl.getResponseFromService(AvailabilityCheckerServiceImpl.java:493)
at com.be.bss.provisioning.thirdparty.bt.availabilitycheck.service.AvailabilityCheckerServiceImpl.getLluDetails(AvailabilityCheckerServiceImpl.java:410)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:280)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
at org.springframework.remoting.support.RemoteInvocationTraceInterceptor.invoke(RemoteInvocationTraceInterceptor.java:70)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
at $Proxy135.getLluDetails(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.remoting.support.RemoteInvocation.invoke(RemoteInvocation.java:181)
at org.springframework.remoting.support.DefaultRemoteInvocationExecutor.invoke(DefaultRemoteInvocationExecutor.java:38)
at org.springframework.remoting.support.RemoteInvocationBasedExporter.invoke(RemoteInvocationBasedExporter.java:76)
at org.springframework.remoting.rmi.RmiBasedExporter.invoke(RmiBasedExporter.java:72)
at com.be.bss.framework.rmi.RmiServiceExporter.invoke(RmiServiceExporter.java:43)
at org.springframework.remoting.rmi.RmiInvocationWrapper.invoke(RmiInvocationWrapper.java:62)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
at sun.rmi.transport.Transport$1.run(Transport.java:159)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at org.apache.axis.AxisFault.makeFault(AxisFault.java:101)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:1910)
at com.be.bss.emp.communication.LluCheckerRequestSender.communicateWithBtWebService(LluCheckerRequestSender.java:250)
... 38 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
... 46 more
AxisFault

Thanks,
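
Added example, not part of the original post: a small Python triage script that scans a `javax.net.debug` trace for the pattern in the log above, where the server sends `*** CertificateRequest` and the client answers with an empty `*** Certificate chain`. It assumes one handshake per `*** ClientHello` with no interleaving between threads; the sample trace, thread name and alias are constructed.

```python
import re

# Constructed two-handshake trace in the javax.net.debug layout shown above;
# the thread name and key alias are made up for illustration.
SAMPLE = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
***
worker-1, RECV TLSv1 ALERT: fatal, bad_certificate
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [
*** CertificateRequest
*** ServerHelloDone
matching alias: client-key
*** Certificate chain
chain [0] = [
"""

ALERT = re.compile(r"RECV \S+ ALERT:\s*(\w+),\s*(\w+)")

def analyze(trace):
    """Return one finding per handshake (split on '*** ClientHello')."""
    results, cur = [], None
    lines = [l.strip() for l in trace.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if line.startswith("*** ClientHello"):
            cur = dict(cert_requested=False, done=False, alias=None, client_chain=None, alert=None)
            results.append(cur)
        elif cur is None:
            continue
        elif line.startswith("*** CertificateRequest"):
            cur["cert_requested"] = True
        elif line.startswith("*** ServerHelloDone"):
            cur["done"] = True
        elif line.startswith("matching alias:"):
            cur["alias"] = line.split(":", 1)[1].strip()
        elif line.startswith("*** Certificate chain") and cur["done"]:
            # After ServerHelloDone this is the client's chain, not the server's.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            cur["client_chain"] = "empty" if nxt == "***" else "sent"
        elif (m := ALERT.search(line)):
            cur["alert"] = m.group(2)
    return results

def no_client_cert(findings):
    """Indexes of handshakes where a certificate was requested but none was sent."""
    return [i for i, f in enumerate(findings)
            if f["cert_requested"] and f["client_chain"] == "empty"]
```

Running `no_client_cert(analyze(text))` over a full debug log gives the handshakes to compare against the ones that logged `matching alias:`.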


