Java Security

java client certification: SSL handshaking failed or 403

843811, May 5 2010 (edited May 10 2010)
Using Java 6, I am writing an application connecting to the server over HTTPS. The server demands client side certification.

However, I keep getting errors:
java.io.IOException: Server returned HTTP response code: 403 if using -Dsun.security.ssl.allowUnsafeRenegotiation=true
or javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message if turning off the option above.

Last part of the log is:
main, READ: TLSv1 Handshake, length = 20
Padded plaintext after DECRYPTION: len = 20
0000: 00 00 00 00 3F AA BF 6E D7 F4 FA 8E BF C8 AD 38 ....?..n.......8
0010: F2 65 0F DD .e..
*** HelloRequest (empty)
main, SEND TLSv1 ALERT: warning, description = no_negotiation
Padded plaintext before ENCRYPTION: len = 18
0000: 01 64 9B F6 40 DC B0 9B AF DB 30 58 37 B7 3F D9 .d..@.....0X7.?.
0010: 2C E0 ,.
main, WRITE: TLSv1 Alert, length = 18
[Raw write]: length = 23
0000: 15 03 01 00 12 95 49 31 26 76 44 AF F6 38 AF 0B ......I1&vD..8..
0010: 90 05 9B 91 51 CC 72 ....Q.r
%% Invalidated: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
Padded plaintext before ENCRYPTION: len = 18
0000: 02 0A 09 14 D7 4C 37 1C C3 6F A7 01 69 C3 25 7D .....L7..o..i.%.
0010: 04 1B ..
main, WRITE: TLSv1 Alert, length = 18
[Raw write]: length = 23
0000: 15 03 01 00 12 52 AB EA 43 DA CF F8 8D 18 89 A3 .....R..C.......
0010: 82 9D 93 D7 3B 86 91 ....;..
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)

I tried to access the same HTTPS URL using a browser. After importing the client certificate and an intermediate certificate from Verisign, I got it working on both IE and Firefox. I played around with keytool a lot and double-checked that the keyStore has the client certificate and the trustStore has the intermediate certificates. But I am not sure how to verify the 'certificate chain'.

It will be appreciated if anybody can shed any light on this issue.
Thanks.
Denis
Post Details
Locked on Jun 7 2010
Added on May 5 2010
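
On the open question of how to verify the 'certificate chain': the following is an added example, not part of the original post. It lists every entry of a keystore and checks that a private-key entry carries a chain in which each certificate is signed by the next one. The class name ChainCheck and the two command-line arguments (keystore path, store password) are assumptions; it expects a JKS keystore and uses only Java 6 APIs.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic example. Usage (placeholders): java ChainCheck client.jks <storepass>
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // A trustedCertEntry has no private key, so it can never be
                // offered as a client certificate during the handshake.
                System.out.println(alias + ": certificate only, not usable for client auth");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": key entry without a certificate chain");
                continue;
            }
            System.out.println(alias + ": key entry, chain length " + chain.length);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("  [" + i + "] subject=" + c.getSubjectX500Principal());
                System.out.println("      issuer =" + c.getIssuerX500Principal());
                boolean last = (i == chain.length - 1);
                boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
                if (last && !selfIssued) {
                    System.out.println("      chain stops here: issuer certificate is not in this entry");
                    continue;
                }
                // The last self-issued certificate is checked against its own key.
                X509Certificate signer = last ? c : (X509Certificate) chain[i + 1];
                try {
                    c.checkValidity();               // expired or not yet valid?
                    c.verify(signer.getPublicKey()); // signed by the next certificate?
                    System.out.println("      valid and signed by next certificate");
                } catch (GeneralSecurityException e) {
                    System.out.println("      PROBLEM: " + e);
                }
            }
        }
    }
}
```

A key entry that reports chain length 1 for a CA-issued certificate means the intermediate was imported under a separate alias rather than as part of the key entry's chain.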