With regards to this problem report involving SSL "bad_record_mac" errors resulting in "Peer Not Authenticated" exceptions: http://marc.info/?l=httpclient-commons-dev&m=131404829606745&w=2
I am debugging the same / similar problem using HttpClient 4.1.2 & the trusting ssl socket factory procedure that other online forum users confirm commonly addresses these issues in most circumstances. Note the following below (same results whether I specify TLS or SSL3):

main, WRITE: SSLv3 Handshake, length = 56
main, READ: SSLv3 Alert, length = 2
main, RECV SSLv3 ALERT: fatal, bad_record_mac
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
main, IOException in getSession(): javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
TLS Exception connecting to 'https://tradingpartners.comcast.com/PortOut/' [peer not authenticated]

Suggestions please?

One comment I've seen about this error occurring in non-Java cases is that SSLv3 does not support re-negotiating buffer sizes and this error might reflect such circumstances (56 vs. 2).

Thanks,
Steve

----------------------------------------------------------------------------------
Connected to the target VM, address: '127.0.0.1:13834', transport: 'socket'
trustStore is: C:\Program Files\Java\jdk1.6.0_25\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4eb200670c035d4f
  Valid from Wed Oct 25 01:36:00 PDT 2006 until Sat Oct 25 01:36:00 PDT 2036
......
trigger seeding of SecureRandom
done seeding SecureRandom
trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1300927393 bytes = { 1, 224, 230, 11, 28, 105, 61, 203, 220, 156, 189, 78, 132, 4, 85, 182, 150, 158, 207, 174, 44, 143, 220, 18, 97, 160, 55, 232 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, READ: SSLv3 Handshake, length = 74
*** ServerHello, SSLv3
RandomCookie:  GMT: 1300926476 bytes = { 129, 221, 2, 46, 217, 107, 118, 229, 242, 150, 54, 253, 128, 55, 114, 90, 103, 166, 87, 41, 69, 184, 107, 116, 187, 206, 85, 205 }
Session ID:  {245, 74, 213, 226, 95, 235, 34, 54, 53, 21, 158, 192, 168, 137, 31, 83, 176, 86, 23, 150, 103, 123, 26, 211, 146, 80, 72, 50, 248, 239, 174, 114}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: SSLv3 Handshake, length = 1390
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=tradingpartners.comcast.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Enterprise Operations Systems, O=COMCAST, L=Philadelphia, ST=Pennsylvania, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 135979757163351386119347120778548084182634229212075494309092616911328980324886687996312424370404019391106543711992998492903122281233207263130358630631981832822063448747316858174548160205492347063457420646171330683024153903223409478625580955202914873982552143019550437396188110472108396829437745303637511413631
  public exponent: 65537
  Validity: [From: Sun Mar 14 17:00:00 PDT 2010,
               To: Tue Apr 30 16:59:59 PDT 2013]
  Issuer: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  SerialNumber: [    5b3a67ef 9d91b8c6 cb02d119 9b371dbc]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 62 30 60 A1 5E A0 5C 30 5A 30 58 30 56 16 09  .b0`.^.\0Z0X0V..
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06  image/gif0!0.0..
0020: 05 2B 0E 03 02 1A 04 14 4B 6B B9 28 96 06 0C BB  .+......Kk.(....
0030: D0 52 38 9B 29 AC 4B 07 8B 21 05 18 30 26 16 24  .R8.).K..!..0&.$
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69  http://logo.veri
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 31  sign.com/vslogo1
0060: 2E 67 69 66                                       .gif

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03 A3 4A 65 90 48 B2 1C E0  ......A..Je.H...
0010: 57 2D 7D 47                                       W-.G
]
]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl]
]]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65  ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61        risign.com/rpa

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[7]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.verisign.com,
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer]
]

[8]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: A0 6D 76 98 73 48 13 AC 29 59 51 AF 0F C6 CF 51  .mv.sH..)YQ....Q
0010: 6A F8 FF BE 62 6E 85 0E 04 20 E0 B3 E3 1B C4 4E  j...bn... .....N
0020: 55 78 E5 29 CF 8F A2 9E 53 09 DF B9 BD 24 10 5A  Ux.)....S....$.Z
0030: FB 58 D6 4C 78 C9 EA FF F6 10 00 C2 22 9E 10 C9  .X.Lx......."...
0040: 48 20 67 93 7C 4D EB 94 3F 48 39 95 D0 AA E5 77  H g..M..?H9....w
0050: 0D D4 32 73 77 FF 8F F3 90 CD B2 30 44 4C 64 51  ..2sw......0DLdQ
0060: C8 F2 14 1C CB 68 0D 13 EB 26 5D 05 A9 36 45 49  .....h...&]..6EI
0070: 7F 2E ED 42 B3 7A 6A E8 7A FF A1 71 69 7F A1 C2  ...B.zj.z..qi...
0080: 69 F1 CB 88 C9 35 A5 CB 4B 8B C2 67 73 86 F2 75  i....5..K..gs..u
0090: 49 A3 F1 4E 0F 74 E2 AE 24 04 0D 07 66 25 81 2F  I..N.t..$...f%./
00A0: E7 88 F8 65 8A A6 7D B9 4F B7 28 C0 94 21 99 76  ...e....O.(..!.v
00B0: 43 D6 7A 1C F4 93 73 17 33 0A 46 D2 5F 94 33 34  C.z...s.3.F._.34
00C0: 01 70 D3 85 7C 76 96 2E 2E 6D 73 D2 C1 57 2B 92  .p...v...ms..W+.
00D0: 52 A4 2C 97 AD 57 7C 76 84 25 B7 DC B0 DD 88 A7  R.,..W.v.%......
00E0: EF 9C 75 C3 EB 6B A9 89 59 EC 14 75 92 76 74 0E  ..u..k..Y..u.vt.
00F0: B8 D6 3C 6A F0 2C 5F 48 2A 33 FF 26 88 88 47 94  ..<j.,_H*3.&..G.

]
***
main, READ: SSLv3 Handshake, length = 4
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
main, WRITE: SSLv3 Handshake, length = 132
SESSION KEYGEN:
PreMaster Secret:
0000: 03 00 10 6A FE F3 26 7C 0F 92 8E 65 0C A5 8F 5D  ...j..&....e...]
0010: 7E 9F CF 5D 0B 31 76 04 F9 98 DA D0 7B 00 B8 17  ...].1v.........
0020: D3 64 0B 81 A4 AD 42 FB DF E8 81 ED D1 3F 90 3F  .d....B......?.?
CONNECTION KEYGEN:
Client Nonce:
0000: 4E 8B 94 A1 01 E0 E6 0B 1C 69 3D CB DC 9C BD 4E  N........i=....N
0010: 84 04 55 B6 96 9E CF AE 2C 8F DC 12 61 A0 37 E8  ..U.....,...a.7.
Server Nonce:
0000: 4E 8B 90 0C 81 DD 02 2E D9 6B 76 E5 F2 96 36 FD  N........kv...6.
0010: 80 37 72 5A 67 A6 57 29 45 B8 6B 74 BB CE 55 CD  .7rZg.W)E.kt..U.
Master Secret:
0000: A0 29 10 ED 20 2C 89 80 4A F6 85 FA 12 16 1E DE  .).. ,..J.......
0010: 4C 65 10 F2 BB EB 23 51 10 77 81 B7 C2 E1 E8 B1  Le....#Q.w......
0020: 59 DF 09 18 D7 B1 B8 83 FE 01 1F B0 22 AC B1 4E  Y..........."..N
Client MAC write Secret:
0000: 08 5D 36 64 D9 24 28 1C CD 87 2E 33 72 75 6C 0B  .]6d.$(....3rul.
Server MAC write Secret:
0000: 22 E6 A4 45 61 C4 F8 4E 9E 44 6C D2 AB 83 57 17  "..Ea..N.Dl...W.
Client write key:
0000: 44 02 B3 1C B6 6C 40 A0 79 00 DA EE FF 89 52 AF  D....l@.y.....R.
Server write key:
0000: B8 8F 91 26 73 41 F4 C9 D2 19 F1 5B 4C E2 58 B5  ...&sA.....[L.X.
... no IV used for this cipher
main, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 138, 133, 233, 37, 57, 115, 14, 223, 57, 185, 21, 168, 123, 148, 21, 51, 84, 90, 211, 79, 222, 85, 95, 53, 174, 1, 50, 246, 42, 175, 231, 181, 215, 172, 221, 49 }
***
main, WRITE: SSLv3 Handshake, length = 56
TLS Exception connecting to 'https://tradingpartners.comcast.com/PortOut/' [peer not authenticated]
main, READ: SSLv3 Alert, length = 2
main, RECV SSLv3 ALERT:  fatal, bad_record_mac
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
main, IOException in getSession():  javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
Disconnected from the target VM, address: '127.0.0.1:13834', transport: 'socket'
Process finished with exit code 0
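As an added example (editor's code, not part of Steve's message and not HttpClient or JSSE code), the following Python script summarises a javax.net.debug handshake trace like the one above, so that the version downgrade, the SSLv2-format hello, the missing renegotiation_info extension, the negotiated suite and the exact point at which the fatal alert arrived can be read off mechanically instead of by eye. The line patterns are taken from the JDK 6 JSSE output quoted in this message and the embedded SAMPLE_TRACE is an abridged copy of it (random values, certificate and key material omitted); both are assumptions about the format rather than anything the post states.

```python
"""Summarise a javax.net.debug=ssl handshake trace (added example, JDK 6 JSSE format assumed)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Record lines: "main, WRITE: TLSv1 Handshake, length = 75"; the SSLv2-compatible
# hello is logged the same way with version "SSLv2".
RECORD_RE = re.compile(r"^\w+, (WRITE|READ): (SSLv2|SSLv3|TLSv1(?:\.\d)?) (.+?), length = (\d+)$")
MSG_RE = re.compile(r"^\*\*\* ([A-Za-z ]+?)(?:, (.+))?$")   # "*** ServerHello, SSLv3"
ALERT_RE = re.compile(r"^\w+, RECV (\S+) ALERT:\s+(warning|fatal), (\w+)$")
CIPHER_RE = re.compile(r"^Cipher Suite: (\S+)$")              # ServerHello's choice only
NO_RENEG_INFO = "Warning: No renegotiation indication extension in ServerHello"

Record = Tuple[str, str, str, int]  # (direction, version, content type, length)


@dataclass
class HandshakeSummary:
    client_hello_version: Optional[str] = None
    server_hello_version: Optional[str] = None
    sslv2_compat_hello: bool = False
    cipher_suite: Optional[str] = None
    renegotiation_info: Optional[bool] = None   # None: the trace did not say
    messages: List[str] = field(default_factory=list)
    records: List[Record] = field(default_factory=list)
    fatal_alert: Optional[Tuple[str, str]] = None
    last_write_before_alert: Optional[Record] = None
    last_message_before_alert: Optional[str] = None


def parse_trace(text: str) -> HandshakeSummary:
    """Single pass over the trace collecting the facts needed for triage."""
    s = HandshakeSummary()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := RECORD_RE.match(line):
            direction, version, kind, length = m.groups()
            if version == "SSLv2":
                s.sslv2_compat_hello = True
            s.records.append((direction, version, kind, int(length)))
        elif m := MSG_RE.match(line):
            name, detail = m.groups()
            s.messages.append(name)
            if name == "ClientHello":
                s.client_hello_version = detail
            elif name == "ServerHello":
                s.server_hello_version = detail
        elif m := CIPHER_RE.match(line):
            s.cipher_suite = m.group(1)
        elif line == NO_RENEG_INFO:
            s.renegotiation_info = False
        elif (m := ALERT_RE.match(line)) and m.group(2) == "fatal" and s.fatal_alert is None:
            s.fatal_alert = (m.group(1), m.group(3))
            writes = [r for r in s.records if r[0] == "WRITE"]
            s.last_write_before_alert = writes[-1] if writes else None
            s.last_message_before_alert = s.messages[-1] if s.messages else None
    return s


def findings(s: HandshakeSummary) -> List[str]:
    """Turn the summary into the observations a reviewer would list first."""
    out = []
    if s.client_hello_version and s.server_hello_version \
            and s.client_hello_version != s.server_hello_version:
        out.append(f"version downgrade: client offered {s.client_hello_version}, "
                   f"server selected {s.server_hello_version}")
    if s.sslv2_compat_hello:
        out.append("ClientHello was sent in SSLv2-compatible format (SSLv2Hello enabled)")
    if s.renegotiation_info is False:
        out.append("ServerHello carried no renegotiation_info extension (no RFC 5746 support)")
    if s.cipher_suite:
        out.append(f"negotiated cipher suite: {s.cipher_suite}")
    if s.fatal_alert:
        version, desc = s.fatal_alert
        where = ""
        if s.last_write_before_alert:
            _, v, kind, length = s.last_write_before_alert
            where = f" right after the client wrote {v} {kind}, {length} bytes"
            if s.last_message_before_alert:
                where += f" ({s.last_message_before_alert})"
        out.append(f"peer sent fatal {desc} ({version}){where}")
        if desc == "bad_record_mac" and s.last_message_before_alert == "Finished":
            out.append("the rejected record is the client's first one under the new cipher spec: "
                       "the peer could not verify its MAC, so the two sides disagree on key "
                       "material or record framing")
    return out


# Constructed: abridged from the trace in the post (random/cert/key dumps removed).
SAMPLE_TRACE = """\
*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, READ: SSLv3 Handshake, length = 74
*** ServerHello, SSLv3
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
***
Warning: No renegotiation indication extension in ServerHello
main, READ: SSLv3 Handshake, length = 1390
*** Certificate chain
main, READ: SSLv3 Handshake, length = 4
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
main, WRITE: SSLv3 Handshake, length = 132
main, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
***
main, WRITE: SSLv3 Handshake, length = 56
main, READ: SSLv3 Alert, length = 2
main, RECV SSLv3 ALERT:  fatal, bad_record_mac
"""

if __name__ == "__main__":
    for item in findings(parse_trace(SAMPLE_TRACE)):
        print("-", item)
```

Run against the trace above, the script reports that the client offered TLSv1 inside an SSLv2-compatible hello, the server chose SSLv3 with SSL_RSA_WITH_RC4_128_MD5 and sent no renegotiation_info, and the fatal bad_record_mac arrived immediately after the 56-byte client Finished. That 56 is exactly what an SSLv3 Finished looks like under that suite: a 4-byte handshake header, 36 bytes of verify_data and a 16-byte MD5 MAC, with no padding because RC4 is a stream cipher (the trace itself notes "no IV used for this cipher"); the 2-byte reply is the alert's level and description, sent in the clear because the server never switched to the new cipher spec. Both lengths are therefore fixed by the protocol, and the alert says only that the server could not verify the MAC on the first record the client encrypted with the freshly derived keys; pinning down why requires looking at the two endpoints, not at the record sizes.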
