Hello,
I have been using mina 2.0.0-X for about a year and it has been working
great. Thanks for putting together such a great library!
One of the things I do with mina is make SSL connections. Recently one of
our certificates expired and we got a new certificate. Our private key did
not change. Most of my SSL connections used the new certificate without
any problem. However, a few of the connections no longer work with the new
certificate (let's call the servers who I can't connect to X). Using the new
cert I am able to establish an SSL connection to X using PHP and openssl, but
not mina.
I have spent a good deal of energy trying to debug the issue. It appears
that the connection setup and SSL handshake go fine, then suddenly the
server closes the connection before the SSL is established. I can't find a
reason for it. I have created a small project that duplicates this issue. I
am attaching the code and example output with system property
javax.net.debug set to "all". "test_tar_gz" is a gzipped tar so just rename
it to "test.tar.gz" (sorry I have to change the ext or my email will get
filtered). "bad.txt" is the run where I don't get connected. "good.txt" is
the run where I do. For good.txt I am using one of our old certs that has
not yet expired (but will soon!). I tested this with 2.0.0-M1 through
2.0.0-M4 with the same problem showing up. The output was generated with
2.0.0-M4.
I would very much appreciate it if some "experts" could take a look at the
attached output and source code and help me fix this issue.
Thanks,
--Nate
***
found key for : test.java
chain [0] = [
[
Version: V3
Subject: CN=XXX, OU=Terms of use at www.verisign.com/rpa (c)05, O=XXX, L=XXX,
ST=XXX, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: XXX
public exponent: 65537
Validity: [From: Wed Apr 02 18:00:00 MDT 2008,
To: Sun Apr 26 17:59:59 MDT 2009]
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign
Trust Network
SerialNumber: [ XXX]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRIntl-crl.verisign.com/SVRIntl.crl]
]]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
XXX
]] ]
]
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[6]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod:
1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://SVRIntl-aia.verisign.com/SVRIntl-aia.cer]
]
[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
***
adding as trusted cert:
Subject: CN=XXX, OU=Terms of use at www.verisign.com/rpa (c)05, O=XXX, L=XXX,
ST=XXX, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign
Trust Network
Algorithm: RSA; Serial number: 0x17166bf7519d2955f2d61d0aac507f18
Valid from Wed Apr 02 18:00:00 MDT 2008 until Sun Apr 26 17:59:59 MDT 2009
trigger seeding of SecureRandom
done seeding SecureRandom
TestConnection.connect()
Using SSLEngineImpl.
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1232325089 bytes = { 70, 21, 67, 130, 175, 118, 220, 247,
136, 58, 18, 175, 194, 71, 60, 223, 192, 177, 211, 176, 54, 34, 158, 246, 111,
226, 76, 62 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 73
XXX
NioProcessor-1, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
XXX
NioProcessor-1, WRITE: SSLv2 client hello message, length = 98
[Raw write]: length = 100
XXX
sessionCreated:
session:(0x60F47BF5: nio socket, client, /10.0.10.28:60190 =>
XXX/XXX:XXX)
sessionOpened:
session:(0x60F47BF5: nio socket, client, /10.0.10.28:60190 =>
XXX/XXX:XXX)
[Raw read]: length = 5
XXX
[Raw read]: length = 4643
XXX
NioProcessor-1, READ: SSLv3 Handshake, length = 4643
*** ServerHello, SSLv3
RandomCookie: GMT: 1232325090 bytes = { 97, 216, 147, 210, 113, 169, 137, 194,
217, 189, 11, 246, 200, 219, 206, 49, 7, 126, 130, 50, 141, 18, 11, 159, 164,
147, 71, 31 }
Session ID: {0, 0, 0, 0, 0, 0, 0, 0, 73, 51, 41, 42, 0, 5, 222, 111}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 58
XXX
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=XXX, OU=O/I, O="VeriSign, Inc.", L=Dulles, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: XXX
public exponent: 65537
Validity: [From: Tue Jan 01 17:00:00 MST 2008,
To: Fri Jan 01 16:59:59 MST 2010]
Issuer: CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at
https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
XXX
]
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRSecure-crl.verisign.com/SVRSecure2005.crl]
]]
[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
XXX
]] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[7]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod:
1.3.6.1.5.5.7.48.2
accessLocation: URIName:
http://SVRSecure-aia.verisign.com/SVRSecure2005-aia.cer]
]
[8]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
chain [1] = [
[
Version: V3
Subject: CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at
https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: XXX
public exponent: 65537
Validity: [From: Tue Jan 18 17:00:00 MST 2005,
To: Sun Jan 18 16:59:59 MST 2015]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 8
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
XXX
]
]
[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US]
SerialNumber: [ XXX]
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=Class3CA2048-1-45
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3.crl]
]]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
XXX
]] ]
]
[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
***
[read] MD5 and SHA1 hashes: len = 2488
XXX
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign
Trust Network>
<[email protected], CN=Starfield Secure Certification
Authority, OU=http://www.starfieldtech.com/repository, O="Starfield
Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US>
<OU=Equifax Secure Certificate Authority, O=Equifax, C=US>
<CN=Class 3 Open Financial Exchange CA - G2, OU=Terms of use at
https://www.verisign.com/rpa (c)01, OU=VeriSign Trust Network, O="VeriSign,
Inc.">
<[email protected], CN=http://www.valicert.com/, OU=ValiCert Class
2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation
Network>
<CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA>
<CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at
https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US>
<OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US>
<SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority,
OU=http://certificates.starfieldtech.com/repository, O="Starfield Technologies,
Inc.", L=Scottsdale, ST=Arizona, C=US>
<OU=Starfield Class 2 Certification Authority, O="Starfield Technologies,
Inc.", C=US>
<[email protected], CN=Thawte Server CA, OU=Certification
Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
<[email protected], CN=Thawte Premium Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA>
<OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
[read] MD5 and SHA1 hashes: len = 2093
XXX
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
XXX
matching alias: test.java
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=XXX, OU=Terms of use at www.verisign.com/rpa (c)05, O=XXX, L=XXX,
ST=XXX, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: XXX
public exponent: 65537
Validity: [From: Wed Apr 02 18:00:00 MDT 2008,
To: Sun Apr 26 17:59:59 MDT 2009]
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign
Trust Network
SerialNumber: [ XXX]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRIntl-crl.verisign.com/SVRIntl.crl]
]]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
XXX
]] ]
]
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[6]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod:
1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://SVRIntl-aia.verisign.com/SVRIntl-aia.cer]
]
[7]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
***
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
[write] MD5 and SHA1 hashes: len = 1311
XXX
NioProcessor-1, WRITE: SSLv3 Handshake, length = 1311
SESSION KEYGEN:
PreMaster Secret:
XXX
CONNECTION KEYGEN:
Client Nonce:
XXX
Server Nonce:
XXX
Master Secret:
XXX
Client MAC write Secret:
XXX
Server MAC write Secret:
XXX
Client write key:
XXX
Server write key:
XXX
... no IV used for this cipher
*** CertificateVerify
[write] MD5 and SHA1 hashes: len = 134
XXX
NioProcessor-1, WRITE: SSLv3 Handshake, length = 134
NioProcessor-1, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 154, 175, 247, 166, 224, 55, 30, 157, 148, 64, 248, 91, 225,
213, 131, 255, 238, 76, 73, 215, 33, 198, 14, 49, 117, 221, 64, 243, 137, 15,
87, 114, 160, 82, 131, 225 }
***
[write] MD5 and SHA1 hashes: len = 40
XXX
Padded plaintext before ENCRYPTION: len = 56
XXX
NioProcessor-1, WRITE: SSLv3 Handshake, length = 56
[Raw write]: length = 1316
XXX
[Raw write]: length = 139
XXX
[Raw write]: length = 6
XXX
[Raw write]: length = 61
XXX
[Raw read]: length = 5
XXX
[Raw read]: length = 1
XXX
NioProcessor-1, READ: SSLv3 Change Cipher Spec, length = 1
[Raw read]: length = 5
XXX
[Raw read]: length = 56
XXX
NioProcessor-1, READ: SSLv3 Handshake, length = 56
Padded plaintext after DECRYPTION: len = 56
XXX
*** Finished
verify_data: { 15, 187, 152, 124, 43, 67, 35, 138, 229, 53, 104, 86, 81, 141,
200, 43, 240, 222, 172, 152, 81, 211, 79, 3, 78, 140, 176, 150, 37, 216, 65,
73, 210, 94, 27, 47 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
[read] MD5 and SHA1 hashes: len = 40
XXX
[Raw read (bb)]: length = 939
XXX
Padded plaintext after DECRYPTION: len = 934
XXX
[Test.java] messageReceived:
[Test.java] session:(0x60F47BF5: nio socket, client, /10.0.10.28:60190 =>
XXX/XXX:XXX)
[Test.java] message:
[Test.java] id:1626635253
[Test.java] isConnected:true
[Test.java] lastIoTime:1232390882659
[Test.java] id:1626635253
[Test.java] isConnected:true
[Test.java] lastIoTime:1232390882659
***
found key for : test.java
chain [0] = [
[
Version: V3
Subject: CNXXX, OU=Terms of use at www.verisign.com/rpa (c)05, O=XXX, L=XXX,
ST=XXX, C=US, SERIALNUMBER=XXX, OID.2.5.4.15="V1.0, Clause 5.(b)",
OID.1.3.6.1.4.1.311.60.2.1.2=Wyoming, OID.1.3.6.1.4.1.311.60.2.1.3=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: XXX
public exponent: XXX
Validity: [From: Tue Nov 18 17:00:00 MST 2008,
To: Thu Nov 19 16:59:59 MST 2009]
Issuer: CN=VeriSign Class 3 Extended Validation SSL CA, OU=Terms of use at
https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
XXX
]
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://EVSecure-crl.verisign.com/EVSecure2006.crl]
]]
[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [XXX]
[PolicyQualifierInfo: [
XXX
]] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[7]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod:
1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://EVSecure-aia.verisign.com/EVSecure2006.cer]
]
[8]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
chain [1] = [
[
Version: V3
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: XXX
public exponent: XXX
Validity: [From: Tue Nov 07 17:00:00 MST 2006,
To: Sun Nov 07 16:59:59 MST 2021]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
XXX
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US]
SerialNumber: [ XXX]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3.crl]
]]
[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
2.16.840.1.113730.4.1
2.16.840.1.113733.1.8.1
serverAuth
clientAuth
]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
XXX
]] ]
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
chain [2] = [
[
Version: V3
Subject: CN=VeriSign Class 3 Extended Validation SSL CA, OU=Terms of use at
https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: XXX
public exponent: 65537
Validity: [From: Tue Nov 07 17:00:00 MST 2006,
To: Mon Nov 07 16:59:59 MST 2016]
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 10
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
XXX
]
]
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://EVSecure-ocsp.verisign.com]
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=Class3CA2048-1-47
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
XXX
]
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
XXX
]] ]
]
[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
]
[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[8]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://EVSecure-crl.verisign.com/pca3-g5.crl]
]]
[9]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[10]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
***
adding as trusted cert:
Subject: CN=XXX, OU=Terms of use at www.verisign.com/rpa (c)05, O=XXX, L=XXX,
ST=XXX, C=XXX, SERIALNUMBER=XXX, OID.2.5.4.15="V1.0, Clause 5.(b)",
OID.1.3.6.1.4.1.311.60.2.1.2=Wyoming, OID.1.3.6.1.4.1.311.60.2.1.3=US
Issuer: CN=VeriSign Class 3 Extended Validation SSL CA, OU=Terms of use at
https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
Algorithm: RSA; Serial number: XXX
Valid from Tue Nov 18 17:00:00 MST 2008 until Thu Nov 19 16:59:59 MST 2009
trigger seeding of SecureRandom
done seeding SecureRandom
TestConnection.connect()
Using SSLEngineImpl.
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1232325445 bytes = { 152, 205, 87, 194, 83, 56, 34, 152,
213, 199, 27, 157, 5, 103, 37, 164, 3, 195, 248, 40, 136, 125, 154, 237, 114,
124, 6, 27 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 73
XXX
NioProcessor-1, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
XXX
NioProcessor-1, WRITE: SSLv2 client hello message, length = 98
[Raw write]: length = 100
XXX
sessionCreated:
session:(0x25CD0888: nio socket, client, /XXX:XXX => XXX/XXX:XXX)
sessionOpened:
session:(0x25CD0888: nio socket, client, /XXX:XXX => XXX/XXX:XXX)
[Raw read]: length = 5
XXX
[Raw read]: length = 4643
XXX
NioProcessor-1, READ: SSLv3 Handshake, length = 4643
*** ServerHello, SSLv3
RandomCookie: GMT: 1232325445 bytes = { 10, 32, 54, 22, 172, 42, 32, 130, 220,
250, 83, 219, 223, 116, 187, 252, 47, 104, 184, 70, 7, 208, 197, 187, 223, 28,
23, 27 }
Session ID: {0, 0, 0, 0, 0, 0, 0, 0, 73, 51, 41, 50, 0, 5, 178, 50}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 58
XXX
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=XXX, OU=O/I, O="VeriSign, Inc.", L=Dulles, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: XXX
public exponent: 65537
Validity: [From: Tue Jan 01 17:00:00 MST 2008,
To: Fri Jan 01 16:59:59 MST 2010]
Issuer: CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at
https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
XXX
]
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRSecure-crl.verisign.com/SVRSecure2005.crl]
]]
[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
XXX
]] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[7]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod:
1.3.6.1.5.5.7.48.2
accessLocation: URIName:
http://SVRSecure-aia.verisign.com/SVRSecure2005-aia.cer]
]
[8]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
chain [1] = [
[
Version: V3
Subject: CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at
https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: XXX
public exponent: 65537
Validity: [From: Tue Jan 18 17:00:00 MST 2005,
To: Sun Jan 18 16:59:59 MST 2015]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 8
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
XXX
]
]
[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US]
SerialNumber: [ XXX]
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=Class3CA2048-1-45
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3.crl]
]]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
XXX
]] ]
]
[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
***
[read] MD5 and SHA1 hashes: len = 2488
XXX
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign
Trust Network>
<[email protected], CN=Starfield Secure Certification
Authority, OU=http://www.starfieldtech.com/repository, O="Starfield
Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US>
<OU=Equifax Secure Certificate Authority, O=Equifax, C=US>
<CN=Class 3 Open Financial Exchange CA - G2, OU=Terms of use at
https://www.verisign.com/rpa (c)01, OU=VeriSign Trust Network, O="VeriSign,
Inc.">
<[email protected], CN=http://www.valicert.com/, OU=ValiCert Class
2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation
Network>
<CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA>
<CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at
https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US>
<OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US>
<SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority,
OU=http://certificates.starfieldtech.com/repository, O="Starfield Technologies,
Inc.", L=Scottsdale, ST=Arizona, C=US>
<OU=Starfield Class 2 Certification Authority, O="Starfield Technologies,
Inc.", C=US>
<[email protected], CN=Thawte Server CA, OU=Certification
Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
<[email protected], CN=Thawte Premium Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA>
<OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
[read] MD5 and SHA1 hashes: len = 2093
XXX
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
XXX
matching alias: test.java
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=XXX, OU=Terms of use at www.verisign.com/rpa (c)05, O=XXX, L=XXX,
ST=XXX, C=XXX, SERIALNUMBER=XXX, OID.2.5.4.15="V1.0, Clause 5.(b)",
OID.1.3.6.1.4.1.311.60.2.1.2=Wyoming, OID.1.3.6.1.4.1.311.60.2.1.3=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: XXX
public exponent: 65537
Validity: [From: Tue Nov 18 17:00:00 MST 2008,
To: Thu Nov 19 16:59:59 MST 2009]
Issuer: CN=VeriSign Class 3 Extended Validation SSL CA, OU=Terms of use at
https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
XXX
]
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://EVSecure-crl.verisign.com/EVSecure2006.crl]
]]
[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.6]
[PolicyQualifierInfo: [
XXX
]] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[7]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com, accessMethod:
1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://EVSecure-aia.verisign.com/EVSecure2006.cer]
]
[8]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
chain [1] = [
[
Version: V3
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: XXX
public exponent: 65537
Validity: [From: Tue Nov 07 17:00:00 MST 2006,
To: Sun Nov 07 16:59:59 MST 2021]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
XXX
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US]
SerialNumber: [ XXX]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3.crl]
]]
[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
2.16.840.1.113730.4.1
2.16.840.1.113733.1.8.1
serverAuth
clientAuth
]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
XXX
]] ]
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
chain [2] = [
[
Version: V3
Subject: CN=VeriSign Class 3 Extended Validation SSL CA, OU=Terms of use at
https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: XXX
public exponent: 65537
Validity: [From: Tue Nov 07 17:00:00 MST 2006,
To: Mon Nov 07 16:59:59 MST 2016]
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 5b7759c6 1784e15e c727c032 9529286b]
Certificate Extensions: 10
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
XXX
]
]
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://EVSecure-ocsp.verisign.com]
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=Class3CA2048-1-47
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
XXX
]
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
XXX
]] ]
]
[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
]
[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[8]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://EVSecure-crl.verisign.com/pca3-g5.crl]
]]
[9]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
XXX
[10]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
]
Algorithm: [SHA1withRSA]
Signature:
XXX
]
***
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
[write] MD5 and SHA1 hashes: len = 4383
XXX
NioProcessor-1, WRITE: SSLv3 Handshake, length = 4383
SESSION KEYGEN:
PreMaster Secret:
XXX
CONNECTION KEYGEN:
Client Nonce:
XXX
Server Nonce:
XXX
Master Secret:
XXX
Client MAC write Secret:
XXX
Server MAC write Secret:
XXX
Client write key:
XXX
Server write key:
XXX
... no IV used for this cipher
*** CertificateVerify
[write] MD5 and SHA1 hashes: len = 134
XXX
NioProcessor-1, WRITE: SSLv3 Handshake, length = 134
NioProcessor-1, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 142, 69, 228, 62, 218, 50, 196, 172, 143, 115, 31, 121, 5, 140,
121, 45, 121, 82, 78, 174, 60, 238, 214, 158, 90, 231, 233, 145, 183, 151, 81,
247, 173, 189, 17, 186 }
***
[write] MD5 and SHA1 hashes: len = 40
XXX
Padded plaintext before ENCRYPTION: len = 56
XXX
NioProcessor-1, WRITE: SSLv3 Handshake, length = 56
[Raw write]: length = 4388
XXX
[Raw write]: length = 139
XXX
[Raw write]: length = 6
XXX
[Raw write]: length = 61
XXX
[Test.java] id:634194056
[Test.java] isConnected:true
[Test.java] lastIoTime:1232390982128
[Test.java] exceptionCaught:
[Test.java] session:(0x25CD0888: nio socket, client, /XXX:XXX =>
XXX/XXX:XXX)
[Test.java] ,cause:
[Test.java] java.io.IOException: Connection reset by peer
[Test.java] at sun.nio.ch.FileDispatcher.read0(Native Method)
[Test.java] at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:21)
[Test.java] at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:233)
[Test.java] at sun.nio.ch.IOUtil.read(IOUtil.java:206)
[Test.java] at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:236)
[Test.java] at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:180)
[Test.java] at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:42)
[Test.java] at
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:568)
[Test.java] at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:547)
[Test.java] at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:539)
[Test.java] at
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:57)
[Test.java] at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:867)
[Test.java] at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:65)
[Test.java] at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
[Test.java] at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
[Test.java] at java.lang.Thread.run(Thread.java:619)
NioProcessor-1, called closeInbound()
NioProcessor-1, fatal error: 80: Inbound closed before receiving peer's
close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
NioProcessor-1, SEND SSLv3 ALERT: fatal, description = internal_error
Padded plaintext before ENCRYPTION: len = 18
XXX
NioProcessor-1, WRITE: SSLv3 Alert, length = 18
[Raw write]: length = 23
XXX
NioProcessor-1, called closeOutbound()
NioProcessor-1, closeOutboundInternal()
sessionClosed:
session:(0x25CD0888: nio socket, client, /XXX:XXX => XXX/XXX:XXX)
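
A check worth running on javax.net.debug dumps like the two above is whether each certificate in a dumped chain is issued by the one that follows it, which is the order a TLS Certificate message requires. The script below is an added example, not part of the original post or of MINA; the function names are hypothetical and the sample text is abridged from the traces above.

```python
import re

# Abridged from the traces above: only the lines this check reads are kept.
# First dump = the server's chain, second = the client chain sent in the
# failing run. "XXX" is the post's own redaction; the leaf DNs are shortened.
TRACE_EXCERPT = '''\
*** Certificate chain
chain [0] = [
Subject: CN=XXX, OU=O/I, O="VeriSign, Inc.", L=Dulles, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Issuer: CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at
https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
chain [1] = [
Subject: CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at
https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
SubjectAlternativeName [
CN=Class3CA2048-1-45
]
*** Certificate chain
chain [0] = [
Subject: CN=XXX, O=XXX, C=US, SERIALNUMBER=XXX
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Issuer: CN=VeriSign Class 3 Extended Validation SSL CA, OU=Terms of use at
https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
chain [1] = [
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
SerialNumber: [ XXX]
chain [2] = [
Subject: CN=VeriSign Class 3 Extended Validation SSL CA, OU=Terms of use at
https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
SerialNumber: [ XXX]
'''

CHAIN_RE = re.compile(r"chain \[(\d+)\] = \[")
# The debug output wraps long DNs; these lines mark where a wrapped DN ends.
FIELD_END = {"Subject": "Signature Algorithm:", "Issuer": "SerialNumber:"}


def parse_chains(text):
    """Return one list of (subject, issuer) pairs per chain dump, in dump order."""
    chains, cur, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            if m.group(1) == "0" or not chains:   # index 0 starts a new dump
                chains.append([])
            cur, field = {"Subject": "", "Issuer": ""}, None
            chains[-1].append(cur)
        elif cur is None:
            continue
        elif line.startswith(("Subject: ", "Issuer: ")):
            name, _, value = line.partition(": ")
            # First occurrence per certificate wins, so a later
            # "adding as trusted cert" summary cannot overwrite it.
            field = name if not cur[name] else None
            if field:
                cur[field] = value
        elif field:
            if line.startswith(FIELD_END[field]):
                field = None
            else:
                cur[field] += " " + line          # wrapped DN continuation
    norm = lambda s: " ".join(s.split())
    return [[(norm(c["Subject"]), norm(c["Issuer"])) for c in ch] for ch in chains]


def order_breaks(chain):
    """Positions i where chain[i] is not issued by chain[i + 1]."""
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]


def reorder(chain):
    """Leaf-first order found by following issuer -> subject links.
    Assumes chain[0] is the end-entity certificate."""
    by_subject = {subj: (subj, iss) for subj, iss in chain}
    ordered, seen = [chain[0]], {chain[0][0]}
    while ordered[-1][1] in by_subject and ordered[-1][1] not in seen:
        ordered.append(by_subject[ordered[-1][1]])
        seen.add(ordered[-1][0])
    return ordered


if __name__ == "__main__":
    for n, chain in enumerate(parse_chains(TRACE_EXCERPT)):
        print(f"dump {n}: {len(chain)} certs, order breaks at {order_breaks(chain)}")
```

On the excerpt, the server's chain reports no breaks, while the three-certificate client chain from the failing run reports breaks at positions 0 and 1: the G5 certificate is dumped before the Extended Validation SSL CA certificate that issued the leaf.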