Ecwid / consul-api

Java client for Consul HTTP API
Apache License 2.0

2-way SSL from Spring to Consul fails. (Keystore is not being read) #67

Closed rogerhill01234 closed 8 years ago

rogerhill01234 commented 8 years ago

We have a very simple application. All it does is read KVs from Consul. During the SSL handshake, the client fails to send the client certificate, resulting in a bad certificate error. What we found was that the ID keystore specified in the command-line JVM param -Djavax.net.ssl.keyStore was not being read. Appears to be a bug in the library. While debugging through the code, we saw that the Spring Consul library is using deprecated classes of http client. Is that the reason we are seeing this issue?

Here is the code. We have a single file.

com.test.TestApp.java:

package com.test;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

/**
 * Main Spring Boot Application class for
 * the TestApp Consul implementation.
 */
@SpringBootApplication
public class TestApp {

    public static void main(String[] args) {
        // Spring Cloud Consul reads the KV configuration during bootstrap, inside run()
        SpringApplication app = new SpringApplication( TestApp.class );
        app.run( args );
    }

}

Here is the gradle build file:

buildscript {
    ext {
        springBootVersion = '1.3.5.RELEASE'
    }
    repositories {
        mavenLocal()
        maven { url "http://artifactory:8081/artifactory/repo" }
        mavenCentral()
        maven { url "http://repo.spring.io/libs-release" }
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}") 
        classpath('io.spring.gradle:dependency-management-plugin:0.6.0.RELEASE')
    }
}

apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'idea'
apply plugin: 'spring-boot' 
apply plugin: 'io.spring.dependency-management' 

jar {
    baseName = 'TestApp'
    version = '1.0.3'
}
sourceCompatibility = 1.8
targetCompatibility = 1.8

repositories {
    mavenLocal()
    maven { url "http://artifactory:8081/artifactory/repo" }
    mavenCentral()
    maven { url "http://repo.spring.io/libs-release" }
    maven { url "http://repo.spring.io/libs-milestone" }
}

dependencies {
    compile('org.springframework.boot:spring-boot-starter-actuator')
    compile('org.springframework.boot:spring-boot-configuration-processor')
    compile('org.springframework.cloud:spring-cloud-starter-consul-all')
    testCompile('org.springframework.boot:spring-boot-starter-test') 
    testCompile('org.mockito:mockito-all:1.10.19')
}

dependencyManagement {
    imports { 
        mavenBom "org.springframework.cloud:spring-cloud-starter-parent:Brixton.SR5" 
        mavenBom "org.springframework.cloud:spring-cloud-consul-dependencies:1.0.2.RELEASE" 
    }
}

task sourcesJar(type: Jar, dependsOn: classes) {
    classifier = 'sources'
    from sourceSets.main.allSource
}
artifacts {
    archives sourcesJar
}

eclipse {
    classpath {
         containers.remove('org.eclipse.jdt.launching.JRE_CONTAINER')
         containers 'org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8'
    }
}

task wrapper(type: Wrapper) {
    gradleVersion = '2.14'
}

def filesToCopy = copySpec {
    from 'build/libs/'
    include '*SHOT.jar'
}

Here is the log file contents with SSL debug enabled:

2016-08-30 13:35:51.292  INFO 34035 --- [           main] s.c.a.AnnotationConfigApplicationContext : Refreshing org.springframework.context.annotation.AnnotationConfigApplicationContext@608416bd: startup date [Tue Aug 30 13:35:51 CDT 2016]; root of context hierarchy
2016-08-30 13:35:52.023  INFO 34035 --- [           main] f.a.AutowiredAnnotationBeanPostProcessor : JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
2016-08-30 13:35:52.107  INFO 34035 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'configurationPropertiesRebinderAutoConfiguration' of type [class org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$4dc2a8d4] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
trustStore is: /<REDACTED>
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
<REDACTED>
trigger seeding of SecureRandom
done seeding SecureRandom

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v1.3.5.RELEASE)

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, setSoTimeout(60000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1455739401 bytes = { 131, 144, 62, 92, 121, 62, 206, 192, 62, 91, 69, 244, 64, 45, 201, 1, 95, 138, 111, 228, 1, 200, 50, 90, 207, 86, 60, 197 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
[write] MD5 and SHA1 hashes:  len = 117
0000: 01 00 00 71 03 03 57 C5   D2 09 83 90 3E 5C 79 3E  ...q..W.....>\y>
0010: CE C0 3E 5B 45 F4 40 2D   C9 01 5F 8A 6F E4 01 C8  ..>[E.@-.._.o...
0020: 32 5A CF 56 3C C5 00 00   2C 00 3D 00 6B 00 6A 00  2Z.V<...,.=.k.j.
0030: 35 00 39 00 38 00 3C 00   67 00 40 00 2F 00 33 00  5.9.8.<.g.@./.3.
0040: 32 00 9D 00 9F 00 A3 00   9C 00 9E 00 A2 00 0A 00  2...............
0050: 16 00 13 00 FF 01 00 00   1C 00 0D 00 18 00 16 06  ................
0060: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................
0070: 03 02 01 02 02                                     .....
main, WRITE: TLSv1.2 Handshake, length = 117
[Raw write]: length = 122
0000: 16 03 03 00 75 01 00 00   71 03 03 57 C5 D2 09 83  ....u...q..W....
0010: 90 3E 5C 79 3E CE C0 3E   5B 45 F4 40 2D C9 01 5F  .>\y>..>[E.@-.._
0020: 8A 6F E4 01 C8 32 5A CF   56 3C C5 00 00 2C 00 3D  .o...2Z.V<...,.=
0030: 00 6B 00 6A 00 35 00 39   00 38 00 3C 00 67 00 40  .k.j.5.9.8.<.g.@
0040: 00 2F 00 33 00 32 00 9D   00 9F 00 A3 00 9C 00 9E  ./.3.2..........
0050: 00 A2 00 0A 00 16 00 13   00 FF 01 00 00 1C 00 0D  ................
0060: 00 18 00 16 06 03 06 01   05 03 05 01 04 03 04 01  ................
0070: 03 03 03 01 02 03 02 01   02 02                    ..........
[Raw read]: length = 5
0000: 16 03 03 00 31                                     ....1
[Raw read]: length = 49
0000: 02 00 00 2D 03 03 33 39   BD CB CE 4B E2 D5 30 19  ...-..39...K..0.
0010: 56 D9 F3 E4 BC 67 D2 C6   A6 90 23 0F 58 CF 2D FF  V....g....#.X.-.
0020: E3 18 17 5C A8 13 00 00   35 00 00 05 FF 01 00 01  ...\....5.......
0030: 00                                                 .
main, READ: TLSv1.2 Handshake, length = 49
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 859356363 bytes = { 206, 75, 226, 213, 48, 25, 86, 217, 243, 228, 188, 103, 210, 198, 166, 144, 35, 15, 88, 207, 45, 255, 227, 24, 23, 92, 168, 19 }
Session ID:  {}
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
** TLS_RSA_WITH_AES_256_CBC_SHA
[read] MD5 and SHA1 hashes:  len = 49
0000: 02 00 00 2D 03 03 33 39   BD CB CE 4B E2 D5 30 19  ...-..39...K..0.
0010: 56 D9 F3 E4 BC 67 D2 C6   A6 90 23 0F 58 CF 2D FF  V....g....#.X.-.
0020: E3 18 17 5C A8 13 00 00   35 00 00 05 FF 01 00 01  ...\....5.......
0030: 00                                                 .
[Raw read]: length = 5
0000: 16 03 03 09 3B                                     ....;
[Raw read]: length = 2363
<REDACTED>
main, READ: TLSv1.2 Handshake, length = 2363
*** Certificate chain
chain [0] = [
<REDACTED>
]
  Algorithm: [SHA256withRSA]
  Signature:
]
chain [1] = [
[
<REDACTED>
]

]
  Algorithm: [SHA1withRSA]
  Signature:
<REDACTED>
]
***
Found trusted certificate:
[
[
REDACTED]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
REDACTED
]
[read] MD5 and SHA1 hashes:  len = 2363
REDACTED
[Raw read]: length = 5
REDACTED
[Raw read]: length = 97
REDACTED

main, READ: TLSv1.2 Handshake, length = 97
*** CertificateRequest
Cert Types: RSA, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withECDSA, SHA384withRSA, SHA384withECDSA, SHA1withRSA, SHA1withECDSA
Cert Authorities:
REDACTED
[read] MD5 and SHA1 hashes:  len = 97
REDACTED
[Raw read]: length = 5
REDACTED
[Raw read]: length = 4
REDACTED
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
[write] MD5 and SHA1 hashes:  len = 269
REDACTED
main, WRITE: TLSv1.2 Handshake, length = 269
[Raw write]: length = 274
REDACTED
SESSION KEYGEN:
PreMaster Secret:
REDACTED
CONNECTION KEYGEN:
Client Nonce:
REDACTED
Server Nonce:
REDACTED
Master Secret:
REDACTED
Client MAC write Secret:
REDACTED
Server MAC write Secret:
REDACTED
Client write key:
REDACTED
Server write key:
REDACTED
... no IV derived for this protocol
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 03 00 01 01                                  ......
*** Finished
verify_data:  { 3, 113, 121, 151, 216, 225, 246, 250, 255, 32, 107, 196 }
***
[write] MD5 and SHA1 hashes:  len = 16
REDACTED
Padded plaintext before ENCRYPTION:  len = 64
REDACTED
main, WRITE: TLSv1.2 Handshake, length = 64
main, waiting for close_notify or alert: state 1
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 2A                                              .*
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, bad_certificate
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
main, called close()
main, called closeInternal(true)
2016-08-30 13:35:53.922 ERROR 34035 --- [           main] o.s.c.c.c.ConsulPropertySourceLocator    : Fail fast is set and there was an error reading configuration from consul.
2016-08-30 13:35:53.925 ERROR 34035 --- [           main] o.s.boot.SpringApplication               : Application startup failed

com.ecwid.consul.transport.TransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:91) ~[consul-api-1.1.10.jar!/:na]
        at com.ecwid.consul.transport.AbstractHttpTransport.makeGetRequest(AbstractHttpTransport.java:50) ~[consul-api-1.1.10.jar!/:na]
        at com.ecwid.consul.v1.ConsulRawClient.makeGetRequest(ConsulRawClient.java:81) ~[consul-api-1.1.10.jar!/:na]
        at com.ecwid.consul.v1.kv.KeyValueConsulClient.getKVValues(KeyValueConsulClient.java:150) ~[consul-api-1.1.10.jar!/:na]
        at com.ecwid.consul.v1.ConsulClient.getKVValues(ConsulClient.java:404) ~[consul-api-1.1.10.jar!/:na]
        at org.springframework.cloud.consul.config.ConsulPropertySource.init(ConsulPropertySource.java:64) ~[spring-cloud-consul-config-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
        at org.springframework.cloud.consul.config.ConsulPropertySourceLocator.create(ConsulPropertySourceLocator.java:135) ~[spring-cloud-consul-config-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
        at org.springframework.cloud.consul.config.ConsulPropertySourceLocator.locate(ConsulPropertySourceLocator.java:113) ~[spring-cloud-consul-config-1.0.2.RELEASE.jar!/:1.0.2.RELEASE]
        at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:89) ~[spring-cloud-context-1.1.0.RELEASE.jar!/:1.1.0.RELEASE]
        at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:640) ~[spring-boot-1.3.5.RELEASE.jar!/:1.3.5.RELEASE]
        at org.springframework.boot.SpringApplication.createAndRefreshContext(SpringApplication.java:343) ~[spring-boot-1.3.5.RELEASE.jar!/:1.3.5.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:307) ~[spring-boot-1.3.5.RELEASE.jar!/:1.3.5.RELEASE]
        at com.test.TestApp.main(TestApp.java:23) [TestApp-1.0.3.jar!/:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_101]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_101]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_101]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_101]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:54) [TestApp-1.0.3.jar!/:na]
        at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_101]
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.8.0_101]
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) ~[na:1.8.0_101]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) ~[na:1.8.0_101]
        at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1769) ~[na:1.8.0_101]
        at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124) ~[na:1.8.0_101]
        at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1083) ~[na:1.8.0_101]
        at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1222) ~[na:1.8.0_101]
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1134) ~[na:1.8.0_101]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348) ~[na:1.8.0_101]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_101]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_101]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_101]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_101]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_101]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_101]
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:71) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:220) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:164) ~[httpclient-4.5.jar!/:4.5]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:139) ~[httpclient-4.5.jar!/:4.5]
        at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:75) ~[consul-api-1.1.10.jar!/:na]
        ... 18 common frames omitted

2016-08-30 13:35:53.938  INFO 34035 --- [           main] .b.l.ClasspathLoggingApplicationListener : Application failed to start with classpath: [jar:file:REDACTED, jar:file:REDACTED/]
Exception in thread "main" java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:62)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:54)
        ... 1 more
Caused by: com.ecwid.consul.transport.TransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:91)
        at com.ecwid.consul.transport.AbstractHttpTransport.makeGetRequest(AbstractHttpTransport.java:50)
        at com.ecwid.consul.v1.ConsulRawClient.makeGetRequest(ConsulRawClient.java:81)
        at com.ecwid.consul.v1.kv.KeyValueConsulClient.getKVValues(KeyValueConsulClient.java:150)
        at com.ecwid.consul.v1.ConsulClient.getKVValues(ConsulClient.java:404)
        at org.springframework.cloud.consul.config.ConsulPropertySource.init(ConsulPropertySource.java:64)
        at org.springframework.cloud.consul.config.ConsulPropertySourceLocator.create(ConsulPropertySourceLocator.java:135)
        at org.springframework.cloud.consul.config.ConsulPropertySourceLocator.locate(ConsulPropertySourceLocator.java:113)
        at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:89)
        at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:640)
        at org.springframework.boot.SpringApplication.createAndRefreshContext(SpringApplication.java:343)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:307)
        at com.test.TestApp.main(TestApp.java:23)
        ... 6 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
        at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1769)
        at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
        at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1083)
        at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1222)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1134)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:71)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:220)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:164)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:139)
        at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:75)
        ... 18 more
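The handshake above shows the client answering the server's CertificateRequest with an empty certificate chain ("Warning: no suitable certificate found - continuing without client authentication"), which the server then rejects with bad_certificate. That message appears both when the transport never consulted the keystore (the library problem reported here) and when the keystore it did consult has no private-key entry issued by one of the CAs the server listed. The following diagnostic, added here and not part of the issue or of consul-api, separates the two cases: run it with the same -Djavax.net.ssl.keyStore / keyStorePassword / keyStoreType flags as the application and compare the printed issuer DNs against the "Cert Authorities" in the server's CertificateRequest (redacted in the log above). It assumes the JKS/PKCS12 keystore uses the same password for the store and for the key, as the javax.net.ssl.* properties do.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Added diagnostic: does the keystore named by javax.net.ssl.keyStore hold a usable client identity? */
public final class KeyStoreCheck {

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        String password = System.getProperty("javax.net.ssl.keyStorePassword", "");

        if (path == null) {
            System.err.println("javax.net.ssl.keyStore is not set: JSSE cannot send a client certificate");
            System.exit(2);
        }

        // Same load path the JSSE default KeyManager takes for these properties.
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }

        int keyEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries cannot serve as a client identity
            }
            keyEntries++;
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            // The issuer must be one of the "Cert Authorities" in the server's CertificateRequest,
            // otherwise the KeyManager skips this entry and sends an empty chain.
            System.out.printf("key entry %s%n  subject: %s%n  issuer:  %s%n  expires: %s%n",
                    alias, leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal(), leaf.getNotAfter());
        }
        if (keyEntries == 0) {
            System.err.println("keystore has no private-key entry: JSSE will log "
                    + "'no suitable certificate found' and continue without client authentication");
            System.exit(1);
        }
    }
}
```

If this program lists a key entry whose issuer matches the server's CA list while the application still sends an empty chain, the keystore is fine and the HTTP client in the transport is simply not built from the javax.net.ssl.* properties, which is the defect discussed in the comments that follow.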
bryan-helm commented 8 years ago

AbstractHttpTransport default constructor uses deprecated DefaultHttpClient. Need to use HttpClientBuilder with useSystemProperties() now. Should this be a more general mechanism to set a custom HttpClient in the DefaultHttpsTransport instance? Dependency Injection would be nice here, but just a setter for the httpClient instance might do the trick.

spencergibb commented 8 years ago

Looks like you could do new ConsulClient(new ConsulRawClient(HttpClient)). And to clarify, Spring Cloud Consul uses ConsulClient, so when @rogerhill01234 says "we saw that Spring Consul library is using deprecated classes of http client" he means ConsulClient.

bryan-helm commented 8 years ago

spring-cloud-consul depends on httpclient 4.5.2, but consul-api depends on httpclient 4.2.5. There is no 'curated jar' to satisfy both requirements. spring-cloud-consul class ConsulAutoConfiguration uses @ConditionalOnMissingBean, so perhaps I can inject a ConsulClient created as you suggest, I will try it. Thanks for the input.
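Putting the three comments above together (an HttpClient built with HttpClientBuilder.useSystemProperties(), handed to ConsulRawClient, and exposed as the ConsulClient bean that ConsulAutoConfiguration's @ConditionalOnMissingBean lets you override), here is an added example of the override; it is not code from the issue, from consul-api or from Spring Cloud Consul. It assumes httpclient 4.4 or newer on the classpath (HttpClientBuilder and org.apache.http.ssl.SSLContexts do not exist in the 4.2.5 that consul-api pulled in at the time), the HttpClient-accepting ConsulRawClient constructor that spencergibb mentions (check the constructor signatures of the consul-api version you actually run), and ConsulProperties exposing host and port. The second factory method is an alternative that does not depend on JVM system properties at all, so the keystore password never has to appear on the command line where any local user can read it from the process list.

```java
package com.test;

import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContexts;
import org.springframework.cloud.consul.ConsulProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.ecwid.consul.v1.ConsulClient;
import com.ecwid.consul.v1.ConsulRawClient;

/** Added example: supply a ConsulClient whose HTTP transport actually presents the client certificate. */
@Configuration
public class ConsulMtlsConfiguration {

    /** Path A: honour -Djavax.net.ssl.keyStore / trustStore / *Password exactly as plain JSSE does. */
    public static HttpClient httpClientFromSystemProperties() {
        return HttpClientBuilder.create()
                .useSystemProperties() // SSLContext from javax.net.ssl.*, proxies from http(s).proxy*
                .build();
    }

    /** Path B: explicit key material; passwords can come from a file or secret store instead of -D flags. */
    public static HttpClient httpClientFromKeyStores(File keyStore, char[] keyStorePassword,
                                                     File trustStore, char[] trustStorePassword) throws Exception {
        SSLContext ctx = SSLContexts.custom()
                .loadKeyMaterial(keyStore, keyStorePassword, keyStorePassword) // client cert + private key
                .loadTrustMaterial(trustStore, trustStorePassword)              // CA that signed the agent's cert
                .build();
        // Pin the protocol and keep hostname verification on; a disabled verifier would accept any agent cert.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                ctx, new String[] {"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClientBuilder.create().setSSLSocketFactory(socketFactory).build();
    }

    @Bean
    public ConsulClient consulClient(ConsulProperties props) {
        String host = props.getHost();
        // consul-api prefixes http:// when the host carries no scheme, so the https scheme must be explicit.
        if (!host.toLowerCase().startsWith("http://") && !host.toLowerCase().startsWith("https://")) {
            host = "https://" + host;
        }
        HttpClient httpClient = httpClientFromSystemProperties(); // or httpClientFromKeyStores(...)
        // Assumed constructor: ConsulRawClient(String agentHost, int agentPort, HttpClient httpClient)
        return new ConsulClient(new ConsulRawClient(host, props.getPort(), httpClient));
    }
}
```

The stack trace above shows the failing request being made from ConsulPropertySourceLocator during bootstrap, before the main application context exists, so a @Configuration picked up only by component scanning arrives too late; register the class under the org.springframework.cloud.bootstrap.BootstrapConfiguration key in META-INF/spring.factories so the bootstrap context sees the override. Whichever path is used, the JSSE warning "no suitable certificate found" will still appear if the keystore's private-key entry was not issued by one of the CAs the agent lists in its CertificateRequest.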

spencergibb commented 8 years ago

@bryan-helm should keep Spring-related discussion in the original issue https://github.com/spring-cloud/spring-cloud-consul/issues/212

vgv commented 8 years ago

1) I've updated the consul-api HttpClient dependency to 4.5.2 in #58
2) I've changed the HttpClient setup and started to use the modern HttpClientBuilder with useSystemProperties()

bryan-helm commented 7 years ago

Have you defined your key and trust store locations with system properties? You can’t have that stuff in consul and use it to call consul too.


From: Rafal Smolinski, Tuesday, July 11, 2017 (quoted in the e-mail reply above):

> For me this issue is still present.

rsmolin commented 7 years ago

I have the same problem: the -Djavax.net.ssl.keyStore property is not being read. If I use SSLPoke.class with the same parameters, I can successfully connect to the Consul server.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
public class Application {

    @RequestMapping("/")
    public String home() {
        return "Hello World";
    }

    public static void main(String[] args) {
        // Set the JSSE store properties before run(), since the Consul config lookup
        // happens inside SpringApplication.run() during bootstrap.
        System.setProperty("javax.net.ssl.trustStore", "REDACTED");
        System.setProperty("javax.net.ssl.keyStore",  "REDACTED");
        System.setProperty("javax.net.ssl.keyStorePassword", "REDACTED");
        System.setProperty("javax.net.ssl.trustStorePassword", "REDACTED");
        SpringApplication.run(Application.class, args);
    }

}

2017-08-09 13:29:32.348  INFO 29913 --- [           main] f.a.AutowiredAnnotationBeanPostProcessor : JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
2017-08-09 13:29:32.373  INFO 29913 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'configurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$9497abe0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
trustStore is: <REDACTED>
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
<REDACTED>

trigger seeding of SecureRandom
done seeding SecureRandom

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _ | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v1.5.2.RELEASE)

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1485435420 bytes = { 92, 68, 118, 90, 129, 203, 17, 41, 191, 111, 133, 174, 241, 236, 116, 177, 213, 9, 144, 212, 151, 158, 222, 197, 126, 82, 77, 233 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
[write] MD5 and SHA1 hashes:  len = 209
0000: 01 00 00 CD 03 03 59 8A   F2 1C 5C 44 76 5A 81 CB  ......Y...\DvZ..
0010: 11 29 BF 6F 85 AE F1 EC   74 B1 D5 09 90 D4 97 9E  .).o....t.......
0020: DE C5 7E 52 4D E9 00 00   64 C0 24 C0 28 00 3D C0  ...RM...d.$.(.=.
0030: 26 C0 2A 00 6B 00 6A C0   0A C0 14 00 35 C0 05 C0  &.*.k.j.....5...
0040: 0F 00 39 00 38 C0 23 C0   27 00 3C C0 25 C0 29 00  ..9.8.#.'.<.%.).
0050: 67 00 40 C0 09 C0 13 00   2F C0 04 C0 0E 00 33 00  g.@...../.....3.
0060: 32 C0 2C C0 2B C0 30 00   9D C0 2E C0 32 00 9F 00  2.,.+.0.....2...
0070: A3 C0 2F 00 9C C0 2D C0   31 00 9E 00 A2 C0 08 C0  ../...-.1.......
0080: 12 00 0A C0 03 C0 0D 00   16 00 13 00 FF 01 00 00  ................
0090: 40 00 0A 00 16 00 14 00   17 00 18 00 19 00 09 00  @...............
00A0: 0A 00 0B 00 0C 00 0D 00   0E 00 16 00 0B 00 02 01  ................
00B0: 00 00 0D 00 1C 00 1A 06   03 06 01 05 03 05 01 04  ................
00C0: 03 04 01 04 02 03 03 03   01 03 02 02 03 02 01 02  ................
00D0: 02                                                 .
main, WRITE: TLSv1.2 Handshake, length = 209
[Raw write]: length = 214
0000: 16 03 03 00 D1 01 00 00   CD 03 03 59 8A F2 1C 5C  ...........Y...\
0010: 44 76 5A 81 CB 11 29 BF   6F 85 AE F1 EC 74 B1 D5  DvZ...).o....t..
0020: 09 90 D4 97 9E DE C5 7E   52 4D E9 00 00 64 C0 24  ........RM...d.$
0030: C0 28 00 3D C0 26 C0 2A   00 6B 00 6A C0 0A C0 14  .(.=.&.*.k.j....
0040: 00 35 C0 05 C0 0F 00 39   00 38 C0 23 C0 27 00 3C  .5.....9.8.#.'.<
0050: C0 25 C0 29 00 67 00 40   C0 09 C0 13 00 2F C0 04  .%.).g.@...../..
0060: C0 0E 00 33 00 32 C0 2C   C0 2B C0 30 00 9D C0 2E  ...3.2.,.+.0....
0070: C0 32 00 9F 00 A3 C0 2F   00 9C C0 2D C0 31 00 9E  .2...../...-.1..
0080: 00 A2 C0 08 C0 12 00 0A   C0 03 C0 0D 00 16 00 13  ................
0090: 00 FF 01 00 00 40 00 0A   00 16 00 14 00 17 00 18  .....@..........
00A0: 00 19 00 09 00 0A 00 0B   00 0C 00 0D 00 0E 00 16  ................
00B0: 00 0B 00 02 01 00 00 0D   00 1C 00 1A 06 03 06 01  ................
00C0: 05 03 05 01 04 03 04 01   04 02 03 03 03 01 03 02  ................
00D0: 02 03 02 01 02 02                                  ......
[Raw read]: length = 5
0000: 16 03 03 00 31                                     ....1
[Raw read]: length = 49
0000: 02 00 00 2D 03 03 22 91   92 0D 53 9B B1 25 68 85  ...-.."...S..%h.
0010: 33 CB 9A 60 C7 9D 87 DA   6D 40 6C E0 60 3F CE 93  3......m@l.?..
0020: 15 DF C2 25 B5 64 00 C0   14 00 00 05 FF 01 00 01  ...%.d..........
0030: 00                                                 .
main, READ: TLSv1.2 Handshake, length = 49
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 563122701 bytes = { 83, 155, 177, 37, 104, 133, 51, 203, 154, 96, 199, 157, 135, 218, 109, 64, 108, 224, 96, 63, 206, 147, 21, 223, 194, 37, 181, 100 }
Session ID:  {}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[read] MD5 and SHA1 hashes:  len = 49
0000: 02 00 00 2D 03 03 22 91   92 0D 53 9B B1 25 68 85  ...-.."...S..%h.
0010: 33 CB 9A 60 C7 9D 87 DA   6D 40 6C E0 60 3F CE 93  3......m@l.?..
0020: 15 DF C2 25 B5 64 00 C0   14 00 00 05 FF 01 00 01  ...%.d..........
0030: 00                                                 .
[Raw read]: length = 5
0000: 16 03 03 03 59                                     ....Y
[Raw read]: length = 857
REDACTED
main, READ: TLSv1.2 Handshake, length = 857
*** Certificate chain
chain [0] = [
REDACTED
]

]
***
Found trusted certificate:
[
REDACTED
]
*** CertificateRequest
Cert Types: RSA, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withECDSA, SHA384withRSA, SHA384withECDSA, SHA1withRSA, SHA1withECDSA
Cert Authorities:
[read] MD5 and SHA1 hashes:  len = 108
0000: 16 03 03 00 04                                     .....
[Raw read]: length = 4
0000: 0E 00 00 00                                        ....
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
[write] MD5 and SHA1 hashes:  len = 77
REDACTED
main, WRITE: TLSv1.2 Handshake, length = 77
[Raw write]: length = 82
REDACTED
SESSION KEYGEN:
PreMaster Secret:
REDACTED
CONNECTION KEYGEN:
Client Nonce:
REDACTED
Server Nonce:
REDACTED
Master Secret:
REDACTED
Client MAC write Secret:
REDACTED
Server MAC write Secret:
REDACTED
Client write key:
REDACTED
Server write key:
REDACTED
*** Finished
verify_data:  { 233, 249, 154, 229, 213, 66, 143, 69, 87, 27, 151, 7 }
***
[write] MD5 and SHA1 hashes:  len = 16
REDACTED 

Padded plaintext before ENCRYPTION:  len = 64
main, WRITE: TLSv1.2 Handshake, length = 64
main, waiting for close_notify or alert: state 1
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 2A                                              .*
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, bad_certificate
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
2017-08-09 13:29:33.037 ERROR 29913 --- [           main] o.s.c.c.c.ConsulPropertySourceLocator    : Fail fast is set and there was an error reading configuration from consul.
2017-08-09 13:29:33.038  WARN 29913 --- [           main] o.s.boot.SpringApplication               : Error handling failed (ApplicationEventMulticaster not initialized - call 'refresh' before multicasting events via the context: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@37ff4054: startup date [Thu Jan 01 01:00:00 CET 1970]; parent: org.springframework.context.annotation.AnnotationConfigApplicationContext@770d3326)
2017-08-09 13:29:33.045 ERROR 29913 --- [           main] o.s.boot.SpringApplication               : Application startup failed

com.ecwid.consul.transport.TransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:96) ~[consul-api-1.2.3.jar:na]
    at com.ecwid.consul.transport.AbstractHttpTransport.makeGetRequest(AbstractHttpTransport.java:55) ~[consul-api-1.2.3.jar:na]
    at com.ecwid.consul.v1.ConsulRawClient.makeGetRequest(ConsulRawClient.java:81) ~[consul-api-1.2.3.jar:na]
    at com.ecwid.consul.v1.kv.KeyValueConsulClient.getKVValues(KeyValueConsulClient.java:150) ~[consul-api-1.2.3.jar:na]
    at com.ecwid.consul.v1.ConsulClient.getKVValues(ConsulClient.java:492) ~[consul-api-1.2.3.jar:na]
    at org.springframework.cloud.consul.config.ConsulPropertySource.init(ConsulPropertySource.java:66) ~[spring-cloud-consul-config-1.2.1.RELEASE.jar:1.2.1.RELEASE]
    at org.springframework.cloud.consul.config.ConsulPropertySourceLocator.create(ConsulPropertySourceLocator.java:157) ~[spring-cloud-consul-config-1.2.1.RELEASE.jar:1.2.1.RELEASE]
    at org.springframework.cloud.consul.config.ConsulPropertySourceLocator.locate(ConsulPropertySourceLocator.java:131) ~[spring-cloud-consul-config-1.2.1.RELEASE.jar:1.2.1.RELEASE]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:93) ~[spring-cloud-context-1.2.3.RELEASE.jar:1.2.3.RELEASE]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:611) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:348) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:312) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1162) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1151) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
    at hello.Application.main(Application.java:52) [main/:na]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_141]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779) ~[na:1.8.0_141]
    at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124) ~[na:1.8.0_141]
    at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1130) ~[na:1.8.0_141]
    at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1216) ~[na:1.8.0_141]
    at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1128) ~[na:1.8.0_141]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348) ~[na:1.8.0_141]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[na:1.8.0_141]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[na:1.8.0_141]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[na:1.8.0_141]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165) ~[httpclient-4.5.3.jar:4.5.3]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140) ~[httpclient-4.5.3.jar:4.5.3]
    at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:80) ~[consul-api-1.2.3.jar:na]
    ... 14 common frames omitted

Process finished with exit code 1
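Read in protocol terms, the trace above is complete: the server's CertificateRequest names the accepted key types (RSA, ECDSA) with an empty Cert Authorities list, so any issuer would have done; JSSE's KeyManager still finds nothing to offer ("no suitable certificate found - continuing without client authentication"); the client sends an empty Certificate message and then, while "waiting for close_notify or alert" after its own Finished, receives the fatal bad_certificate alert. The failure is therefore decided on the client side, by certificate selection, before any application data flows. One JSSE detail to keep in mind while reading it: -Djavax.net.ssl.keyStore and its companions are consumed only by the default SSLContext (what SSLContext.getDefault() and SSLSocketFactory.getDefault() hand out); an SSLContext that code builds itself with SSLContext.getInstance(...) and init(null, trustManagers, null) gets a KeyManager with no keys at all, and a handshake through it looks exactly like this one. Whether that is what happened in this issue is not something the trace alone can tell.

The program below is an added example, not code from this issue, from consul-api or from Spring Cloud Consul. It is written in Go rather than Java because Go's standard library supplies both ends of the connection offline: it builds a throwaway CA, server and client identity (constructed test data; the names test-ca, consul and spring-app and the one-hour validity are arbitrary), starts a loopback TLS 1.2 server that requires a client certificate, and runs the handshake twice, first without a client certificate to reproduce the bad_certificate alert above, then with one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue creates a P-256 key and a one-hour certificate for cn signed by parent, or a self-signed CA when parent is nil.
func issue(serial int64, cn string, usage x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // constructed test fixtures: any failure here is a bug, not a runtime condition
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	signerCert, signerKey := tmpl, interface{}(key) // self-signed unless a parent is supplied
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // Leaf is what the client matches against the CertificateRequest
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serveMTLS is a loopback TLS 1.2 server that, like the agent in the log, requires a client certificate issued by a CA in pool.
func serveMTLS(server tls.Certificate, pool *x509.CertPool) net.Listener {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert,
		MaxVersion:   tls.VersionTLS12, // TLS 1.2 reports the refusal as bad_certificate, exactly as in the log
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() { // one connection at a time is enough for the demo
		for {
			raw, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			conn := tls.Server(raw, cfg)
			if err := conn.Handshake(); err == nil {
				io.WriteString(conn, "ok") // application data flows only after the client proved its identity
				conn.Close()
			} else {
				// The fatal alert is already on the wire; drain the client's final flight so closing cannot reset the socket first.
				raw.SetReadDeadline(time.Now().Add(time.Second))
				io.Copy(io.Discard, raw)
			}
			raw.Close()
		}
	}()
	return ln
}

// connect runs one handshake and returns the reply; with certs nil the client answers the CertificateRequest with an empty Certificate, as JSSE did.
func connect(addr string, pool *x509.CertPool, certs []tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool, ServerName: "consul", Certificates: certs}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", err // without a client certificate this is "remote error: tls: bad certificate"
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn)
	return string(reply), err
}

// Demo runs the failing and the working handshake: noCertErr is what the client sees without a certificate, reply what it receives with one.
func Demo() (noCertErr error, reply string, err error) {
	ca := issue(1, "test-ca", x509.ExtKeyUsageAny, nil)
	server := issue(2, "consul", x509.ExtKeyUsageServerAuth, &ca)
	client := issue(3, "spring-app", x509.ExtKeyUsageClientAuth, &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := serveMTLS(server, pool)
	defer ln.Close()
	_, noCertErr = connect(ln.Addr().String(), pool, nil)
	reply, err = connect(ln.Addr().String(), pool, []tls.Certificate{client})
	return noCertErr, reply, err
}

func main() { fmt.Println(Demo()) }
```

Run with `go run .`; the first handshake ends in "remote error: tls: bad certificate" and the second returns "ok". Two points carry over to the Java side: the working path differs from the failing one only in what the client has available to offer when the CertificateRequest arrives, so the place to look is whatever KeyManager the SSLContext in use was built with, not the trust store; and because Go, like JSSE, sends an empty Certificate message rather than aborting locally, the only evidence of the problem on the client is the server's alert, which is why a handshake debug trace like the one above is the right tool for this class of failure.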