R: how to set TLS connection with ApacheDS

Maiorano Pasquale Wed, 05 Apr 2017 06:31:48 -0700

In order to complete the problem description, I set the option 
“-Djavax.net.debug=SSL” to the JVM in order tobetter ivestigate the stacktrace 
of the error. You can fin hereinafter the related log:


keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files\Java\jre1.8.0_92\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
  Valid from Mon Jun 21 06:00:00 CEST 1999 until Mon Jun 22 06:00:00 CEST 2020

adding as trusted cert:
  Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  Issuer:  CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  Algorithm: RSA; Serial number: 0xcf08e5c0816a5ad427ff0eb271859d0
  Valid from Tue Nov 07 20:31:18 CET 2006 until Mon Dec 31 20:40:55 CET 2029

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for 
TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for 
TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for 
TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for 
TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for 
TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for 
TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1474553078 bytes = { 97, 165, 242, 70, 17, 207, 94, 124, 
191, 250, 0, 19, 241, 86, 141, 188, 47, 143, 200, 66, 162, 79, 151, 104, 109, 
139, 154, 144 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, 
secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, 
sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, 
secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, 
secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, 
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, 
SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 189
main, READ: TLSv1.2 Handshake, length = 1235
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1474553078 bytes = { 3, 250, 184, 59, 171, 97, 220, 6, 168, 
187, 197, 108, 72, 130, 12, 38, 250, 68, 145, 75, 126, 120, 95, 94, 119, 203, 
148, 238 }
Session ID:  {88, 228, 229, 246, 10, 49, 190, 234, 22, 159, 94, 252, 85, 206, 
217, 123, 210, 11, 142, 183, 97, 39, 148, 65, 33, 190, 52, 122, 211, 226, 193, 
160}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=ApacheDS, O=ASF, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 
19694022897753370855024226067897158073373712403717038689442717789193620856177748076883580905823384226420391325696571991489248437743789693887749967552693014905096292208789431622338120333110385365368496194179106667103097380342511341749026195520853982022002731247163065109199188420574049606093279058138612361346129073906833936335031851263478058500226722314234588499181434045874526338977873146793077303549168232689832459280249402307133420779862809823870761441419211019038709559895858973193607695734706824666327344291079103614468270904459494258007741934812915033513213664648071786694730906444492853746070458409303599705913
  public exponent: 65537
  Validity: [From: Wed Apr 05 11:12:11 CEST 2017,
               To: Fri Apr 05 11:12:11 CEST 2019]
  Issuer: CN=localhost, OU=ApacheDS, O=ASF, C=US
  SerialNumber: [    6b297e82]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 34 13 78 51 0E 73 20 06   58 BE 94 2E 94 53 77 42  4.xQ.s .X....SwB
0010: 9B E0 05 35                                        ...5
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 8F 5B E9 47 9B 68 E2 78   BD E0 59 16 A6 45 BE EE  .[.G.h.x..Y..E..
0010: 97 51 14 72 0C 8A 94 51   B4 09 7D D6 B3 02 29 2E  .Q.r...Q......).
0020: 76 CC 42 0A FD 4C 5A A8   07 2D 66 09 CD 2C 18 3E  v.B..LZ..-f..,.>
0030: 2B 6B 7A 2C 0E D0 B9 DB   66 5B 71 EC A6 E2 84 55  +kz,....f[q....U
0040: CA 88 8C D2 6E A3 45 43   3B E9 F4 B9 72 9C 17 6A  ....n.EC;...r..j
0050: A0 58 C5 46 7D 72 04 5A   58 3A 70 B4 7E 20 5F 84  .X.F.r.ZX:p.. _.
0060: CF 71 98 34 EF 18 F2 4B   1F FF 06 24 DE 42 5F F7  .q.4...K...$.B_.
0070: 8E F2 61 C7 20 2C 49 24   78 3F BC E8 C4 C1 65 E9  ..a. ,I$x?....e.
0080: 12 6A 68 D4 1C 51 B2 92   E4 77 BC 17 2B 48 FE CB  .jh..Q...w..+H..
0090: 81 19 F6 66 23 46 32 6E   CB C3 4F 85 91 7C DA F6  ...f#F2n..O.....
00A0: E2 3F 54 66 87 D1 95 C9   42 46 69 7E E6 EE AC 97  .?Tf....BFi.....
00B0: 76 34 40 33 F6 8F 17 CB   EC 9B 43 46 2D F6 1C 63  v...@3......cf-..c
00C0: D6 63 76 D4 73 7E 41 31   4F F1 D8 04 C4 90 27 01  .cv.s.A1O.....'.
00D0: 68 97 01 46 5B 0D B5 FA   C4 B6 97 6D 01 CE 42 95  h..F[......m..B.
00E0: F0 65 FC 38 0D E5 03 CA   76 89 79 25 64 BB 67 77  .e.8....v.y%d.gw
00F0: 4A 25 68 D7 B1 DA 03 34   E0 DA 15 10 16 6F 68 C0  J%h....4.....oh.

]
***
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
main, called close()

Sorry for a so long log, But I thinks is usefull for a comple troubleshuting.

Regards,

Pasquale

Il presente messaggio e-mail e ogni suo allegato devono intendersi indirizzati 
esclusivamente al destinatario indicato e considerarsi dal contenuto 
strettamente riservato e confidenziale. Se non siete l'effettivo destinatario o 
avete ricevuto il messaggio e-mail per errore, siete pregati di avvertire 
immediatamente il mittente e di cancellare il suddetto messaggio e ogni suo 
allegato dal vostro sistema informatico. Qualsiasi utilizzo, diffusione, copia 
o archiviazione del presente messaggio da parte di chi non ne è il destinatario 
è strettamente proibito e può dar luogo a responsabilità di carattere civile e 
penale punibili ai sensi di legge.
Questa e-mail ha valore legale solo se firmata digitalmente ai sensi della 
normativa vigente.
________________________________
The contents of this email message and any attachments are intended solely for 
the addressee(s) and contain confidential and/or privileged information.
If you are not the intended recipient of this message, or if this message has 
been addressed to you in error, please immediately notify the sender and then 
delete this message and any attachments from your system. If you are not the 
intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited. 
Unauthorized disclosure and/or use of information contained in this email 
message may result in civil and criminal liability. “
This e-mail has legal value according to the applicable laws only if it is 
digitally signed by the sender

R: how to set TLS connection with ApacheDS

Reply via email to