[HELP] Use of .PEM and self signed

Hi, I'm working with .pem files that out supplier give us. In DEV environment, it provided us 3 files:

certificate
private key
ca root (self-signed)

X509ExtendedKeyManager keyManager = PemUtils.loadIdentityMaterial(
   //certificate
   Paths.get("certificate.pem"),

   //private key
   Paths.get("private-key.pem"));

//trusted certificate
X509ExtendedTrustManager trustManager = PemUtils.loadTrustMaterial(
   Paths.get("caroot.pem"));

SSLFactory sslFactory = SSLFactory.builder()
   .withIdentityMaterial(keyManager)
   .withTrustMaterial(trustManager)
   .build();

SSLContext contestoSSL = sslFactory.getSslContext();

I pass the context to Spring Integration. When I call the service, I got:

org.apache.cxf.binding.soap.SoapFault: Policy Falsified

To be honest, I got the same error without using your library but using directly trustore and keystore. The problem arise some weeks ago only in DEV enviroment. To avoid the "problem" to update and/or re-create trustore and keystore from .pem files every time the supplier give us a new version of .pem files, we tried to move to a smarter way and your library is the perfect choice for that. But we got the same error.

Using CURL it works!

curl --location 'https://webserver/service.ws' \
--key "./private-key.pem" \
-E "./certificate.pem" \
--cacert "./caroot.pem" \
--header 'SoapAction: http://....' \
--header 'Content-Type: text/xml' \
--data '<?xml version="1.0" encoding="UTF-8"?><xml>.....</xml>'

If anyone has any suggestions we greatly appreciate it.

Thanks! Daniele

Hi Daniele!

This seems to be an interesting issue as it works with curl but not with java. I would almost assume it is similar to an issue which another developer had, see here https://github.com/Hakky54/sslcontext-kickstart/issues/47

However I am not sure whether it is exactly the same issue as which you are facing. Would it be possible for you to provide me additional context and information?

Which operating system are you using?
Rerun your application with the following VM argument: -Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake and share the output here.

To avoid the "problem" to update and/or re-create trustore and keystore from .pem files every time the supplier give us a new version of .pem files, we tried to move to a smarter way and your library is the perfect choice for that.

Thank you very much! ❤️ I appreciate this 😄 Java is verbose when handling pem files and it is annoying to convert it into a keystore. It should just be able to handle those pem files out of the box with the JDK, but unfortunately it is very limited. So I created the PemUtils, which aims to hide away the verbosity while providing the capability of easily handling different pem files.

@Hakky54 here infos you asked me:

my OS is Ubuntu 20.04 but the issue appeared on TEST server, that is a CentOS (v.7 I suppose...)
I share the log, but I cut anything that may lead to the supplier. I hope I didn't cut to much... 😅

2023-04-30 13:58:18.915 [restartedMain] INFO  org.springframework.ws.soap.saaj.SaajSoapMessageFactory - Creating SAAJ 1.3 MessageFactory with SOAP 1.1 Protocol
***
found key for : cn=xxx-sviluppo-2018_ou=sosi_o=banca-l=xx_st=it_c=ir
chain [0] = [
[
  Version: V3
  Subject: CN=xxx 2018, OU=SOSI, O=xxxx, L=Sxxx, ST=IT, C=IR
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 2337125819840729719048492702 [...CUT...]
  public exponent: 65537
  Validity: [From: Wed Apr 18 16:45:51 CEST 2018,
               To: Sat Apr 15 16:45:51 CEST 2028]
  Issuer: CN=xxx 2018, OU=SOSI, O=xxx, L=xxx, ST=IT, C=IR
  SerialNumber: [    fb5b241d ......]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6C E5 39 77 51 7F 61 82   00 00 FE 00 00 20 00 00  l..xx..xx..xx
0010: B8 00 00 00                                        ..x.
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6C E5 39 00 00 7F 61 82   00 00 FE 00 00 20 00 00  l.XXX.X.XXX...Xp
0010: B8 DE 00 00                                        ..x.
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 1B 25 21 01 79 26 44 F0   02 EF 05 EA 96 F8 7E CD  .%!.y&D.........
0010: CC 32 DC 22 B3 A1 B8 66   FC 66 3D 34 A1 1F 98 69  .2."...f.f=4...i
[...CUT...]
00F0: 0D 39 4E 6E FA 47 EB 2A   B5 9D 84 4D 35 94 3C C7  .9Nn.G.*...M5.<.

]
***
adding as trusted cert:
  Subject: CN=RootCA01, DC=xxxxx, DC=root, DC=dom
  Issuer:  CN=RootCA01, DC=xxxxx, DC=root, DC=dom
  Algorithm: RSA; Serial number: 0x395fc307c00000000000000000000004
  Valid from Tue Feb 03 09:50:51 CET 2015 until Sat Feb 03 10:00:50 CET 2035

trigger seeding of SecureRandom
done seeding SecureRandom
***
found key for : cn=xxxxxxxxxxxx-2018_ou=sosi_o=xxxxxxxxxxxxxxxxxxxxxxxxx_l=xxxxxxo_st=it_c=ir
chain [0] = [
[
  Version: V3
  Subject: CN=xxxxxxxxxxxxx2018, OU=SOSI, O=xxxxxxxxxxxxxxxxxxxxxxxxO, L=xxxxxxO, ST=IT, C=IR
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 2337125819840729719048492702  [...CUT...]
  public exponent: 65537
  Validity: [From: Wed Apr 18 16:45:51 CEST 2018,
               To: Sat Apr 15 16:45:51 CEST 2028]
  Issuer: CN=xxxxxxxxxxxxx2018, OU=SOSI, O=xxxxxxxxxxxxxxxxxxxxxxxxO, L=xxxxxxO, ST=IT, C=IR
  SerialNumber: [    fb5b241d 00000008]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6C E5 39 77 51 7F 61 82   00 00 00 00 00 00 00 00  l.xxxxxxxxxxxxxx
0010: B8 00 00 00                                        ..x.
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6C E5 39 77 51 7F 61 82   00 00 00 00 00 00 00 00  l.xxxxxxxxxxxxxx
0010: B8 00 00 00                                        ..x.
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 1B 25 21 01 79 26 44 F0   02 EF 05 EA 96 F8 7E CD  .%!.y&D.........
0010: CC 32 DC 22 B3 A1 B8 66   FC 66 3D 34 A1 1F 98 69  .2."...f.f=4...i
[...CUT...]
00E0: 81 E4 AA 4F 93 B0 EE 32   D6 F7 59 6F 59 B6 7B 4F  ...O...2..YoY..O
00F0: 0D 39 4E 6E FA 47 EB 2A   B5 9D 84 4D 35 94 3C C7  .9Nn.G.*...M5.<.

]
***
adding as trusted cert:
  Subject: CN=RootCA01, DC=xxxxo, DC=root, DC=dom
  Issuer:  CN=RootCA01, DC=xxxxo, DC=root, DC=dom
  Algorithm: RSA; Serial number: 0x395fc307c95c69a44000000000000004
  Valid from Tue Feb 03 09:50:51 CET 2015 until Sat Feb 03 10:00:50 CET 2035

trigger seeding of SecureRandom
done seeding SecureRandom
***
found key for : cn=xxxxxxxxxxxxxxxx8_ou=sosi_o=xxxxxxxxxxxxxxxxxxxxxxxxxxl=xxxxxxx_st=it_c=ir

[...CUT...]

trigger seeding of SecureRandom
done seeding SecureRandom

2023-04-30 13:58:20.023 [restartedMain] INFO  xxxxxxx - Can not initialize the default wsdl from wsdl/service.wsdl
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, called closeSocket(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, called closeSocket(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, called closeSocket(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, called closeSocket(true)

2023-04-30 13:58:21.349 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=SSHPlugin,interface=SSHPlugin]
2023-04-30 13:58:21.350 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=SSHInlinePlugin,interface=CommandPlugin]
2023-04-30 13:58:21.352 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=KeyAuthenticationPlugin,interface=KeyAuthenticationPlugin]
2023-04-30 13:58:21.357 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=CronPlugin,interface=CronPlugin]
2023-04-30 13:58:21.360 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=MailPlugin,interface=MailPlugin]
2023-04-30 13:58:21.362 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=CRaSHShellFactory,interface=ShellFactory]
2023-04-30 13:58:21.363 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=GroovyLanguageProxy,interface=Language]
2023-04-30 13:58:21.364 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=JavaLanguage,interface=Language]
2023-04-30 13:58:21.365 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=ScriptLanguage,interface=Language]
2023-04-30 13:58:21.365 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=JaasAuthenticationPlugin,interface=AuthenticationPlugin]
2023-04-30 13:58:21.366 [restartedMain] INFO  org.crsh.plugin.PluginManager - Loaded plugin Plugin[type=SimpleAuthenticationPlugin,interface=AuthenticationPlugin]
2023-04-30 13:58:21.368 [restartedMain] INFO  org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$CrshBootstrapBean - Configuring property ssh.port=2000 from properties
2023-04-30 13:58:21.369 [restartedMain] INFO  org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$CrshBootstrapBean - Configuring property ssh.auth_timeout=600000 from properties
2023-04-30 13:58:21.369 [restartedMain] INFO  org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$CrshBootstrapBean - Configuring property ssh.idle_timeout=600000 from properties
2023-04-30 13:58:21.369 [restartedMain] INFO  org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$CrshBootstrapBean - Configuring property ssh.default_encoding=UTF-8 from properties
2023-04-30 13:58:21.370 [restartedMain] INFO  org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$CrshBootstrapBean - Configuring property auth=simple from properties
2023-04-30 13:58:21.370 [restartedMain] INFO  org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$CrshBootstrapBean - Configuring property auth.simple.username=user from properties
2023-04-30 13:58:21.370 [restartedMain] INFO  org.springframework.boot.actuate.autoconfigure.CrshAutoConfiguration$CrshBootstrapBean - Configuring property auth.simple.password=45d4efe9-1831-432e-a1dd-7d176549c58a from properties
2023-04-30 13:58:21.373 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=KeyAuthenticationPlugin,interface=KeyAuthenticationPlugin]
2023-04-30 13:58:21.373 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=JaasAuthenticationPlugin,interface=AuthenticationPlugin]
2023-04-30 13:58:21.373 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=SimpleAuthenticationPlugin,interface=AuthenticationPlugin]
2023-04-30 13:58:21.374 [restartedMain] INFO  org.crsh.ssh.SSHPlugin - Booting SSHD
2023-04-30 13:58:21.384 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=GroovyLanguageProxy,interface=Language]
2023-04-30 13:58:21.387 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=JavaLanguage,interface=Language]
2023-04-30 13:58:21.387 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=ScriptLanguage,interface=Language]
2023-04-30 13:58:21.391 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=CRaSHShellFactory,interface=ShellFactory]
2023-04-30 13:58:21.397 [restartedMain] INFO  org.apache.sshd.common.util.SecurityUtils - BouncyCastle already registered as a JCE provider
2023-04-30 13:58:21.719 [restartedMain] INFO  org.crsh.ssh.term.SSHLifeCycle - About to start CRaSSHD
2023-04-30 13:58:21.734 [restartedMain] INFO  org.crsh.ssh.term.SSHLifeCycle - CRaSSHD started on port 2000
2023-04-30 13:58:21.734 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=SSHPlugin,interface=SSHPlugin]
2023-04-30 13:58:21.734 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=SSHInlinePlugin,interface=CommandPlugin]
2023-04-30 13:58:21.735 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=CronPlugin,interface=CronPlugin]
2023-04-30 13:58:21.735 [restartedMain] INFO  org.crsh.plugin.PluginManager - Initialized plugin Plugin[type=MailPlugin,interface=MailPlugin]

I also tried to:

add client.cer to both keyManager and trustManager as in the example related to #47 : https://github.com/tadhgpearson/sslfactory-client-cert-test/blob/main/src/main/java/ie/tpearson/sslcontext/SSLContextFactory.java
specify .withProtocols("TLSv1.3") on SSLFactory

In both cases I got same error result.

Another piece of information came to mind: supplier tried to log my call and he said that he received an empty certificate (o something like that, I don't remember now...).

Thanks for your help!

I actually need also the part your have trimmed. Would it be possible to share the full sslhandshake. You can replace any supplier related text with some random text, that would be ok for me. I just need to analyse the ssl handshake to understand the root cause as the answer will be most likely there.

Can I send log file by email to addess present here: https://github.com/Hakky54 ? Sorry, but I don't feel confident to share here...

Sure, that's fine! I am looking forward to it

I have received the file, but it contains only the logs till application startup. Can you also include the part where you also run the https request?

I received your logs, but it seems like there is no SSL Handshake at all, so it might be that your client is not configured correctly. Can you share your client configuration here? The apache cxf and how you configure it with the sslcontext?

I'm using old library versions, related to Spring Boot 1.5.22.RELEASE (we must update, I know...).

org.apache.httpcomponents: 4.5.9
org.apache.cxf (cxf-spring-boot-starter-jaxws): 3.2.7

Here the configuration that we then use to make a SOAP call:

private ServiceWritePortTypeV1 creaServiceWrite(SSLContext contestoSSL) {  //contestoSSL is created with your library
  ServiceV1 serviceV1 = new ServiceV1();
  ServiceWritePortTypeV1 port = serviceV1.getServiceWritePortV1();

  HttpClientSSLBuilder.valorizzaContestoSSLNelServizio(contestoSSL, (BindingProvider) port,
     parametri.getUrlService());

  return port;
}

public static void valorizzaContestoSSLNelServizio(SSLContext sslContext, BindingProvider port, String url) {
  port.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);   // ENDPOINT_ADDRESS_PROPERTY = "javax.xml.ws.service.endpoint.address"

  // Get the underlying http conduit of the client proxy
  Client client = ClientProxy.getClient(port);             //org.apache.cxf.endpoint.Client
  HTTPConduit http = (HTTPConduit) client.getConduit();    //org.apache.cxf.transport.http.HTTPConduit

  TLSClientParameters parameters = new TLSClientParameters();     //org.apache.cxf.configuration.jsse.TLSClientParameters
  parameters.setSSLSocketFactory(sslContext.getSocketFactory());
  http.setTlsClientParameters(parameters);
}

We use the result of creaServiceWrite to make a SOAP call.

PS: I just found https://dzone.com/articles/configuring-ssl-tls-connection-made-easy where there is:

HttpClient httpClient = HttpClients.custom()
                .setSSLContext(sslFactory.getSslContext())
                .setSSLHostnameVerifier(sslFactory.getHostnameVerifier())
                .build();

I'm trying to using it, I'll update you...

Well I don't have much of experience in cxf, so it would be difficult to guide you in the right direction. I am not sure whether your configuration is incorrect, but I noticed it is different compared to which I have in one of my projects. A kind developer has contributed in my project related to cxf http clients, I am tagging his name here @skarzhevskyy maybe if he is available he might be able to help. He contributed in the following project: https://github.com/Hakky54/mutual-tls-ssl and added example ssl configuration for two different client configuration based on cxf, which might be helpful for you, see here:

I pasted the code example from the link here:

import nl.altindag.ssl.SSLFactory;
import org.apache.cxf.bus.CXFBusFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.transport.http.HTTPConduitConfigurer;

public class App {

    public static void main(String[] args) {
        SSLFactory sslFactory = null; // your custom initialized SSLFactory

        JAXRSClientFactoryBean factory = new JAXRSClientFactoryBean();
        factory.setAddress(Constants.getServerUrl());
        factory.setBus(new CXFBusFactory().createBus());
        factory.getBus().setExtension((name, address, httpConduit) -> {
            TLSClientParameters tls = new TLSClientParameters();
            tls.setSSLSocketFactory(sslFactory.getSslSocketFactory());
            tls.setHostnameVerifier(sslFactory.getHostnameVerifier());
            httpConduit.setTlsClientParameters(tls);
        }, HTTPConduitConfigurer.class);

        WebClient webClient = factory.createWebClient();
    }

}

Would this be helpful for you?

PS: I just found https://dzone.com/articles/configuring-ssl-tls-connection-made-easy where there is I'm trying to using it, I'll update you...

I am the author of that one, nice that you have discovered that one

There are missing classes in my project... If @skarzhevskyy have some suggestions... If not... I think I have to update all the libraries of the project and bring it to the modern era 😂

I remember having problems loading WSDL from servers with self-signed certificates in the past....

But since I converted my apps to use SSLSocketFactory created with sslcontext-kickstart life became easy. and WSDL Loading was resolved.

And my REST usage example with CXF HTTPConduitConfigurer already shared above. Please note that:

I had not used spring to control CXF clients.
Also my workflow ended up with TrustMaterials only.

I'm planning to verify my setup with mutual ssl authentication, will tri to do it this month

While looking at above errors: it maybe spring adding some configurations change in HttpClientSSLBuilder...

My suggestion to create very simple client project where you cointroll classpath and verify that you certificates setup is working as expected. Try CXF only and than start adding Spring magic. also this way you can play with current and downgraded dependencies.

CXF approach for SOAP is the same as for REST

 Bus bus = new CXFBusFactory().createBus();
 bus.setExtension(yourConduitConfigurer, HTTPConduitConfigurer.class);
 JaxWsDynamicClientFactory dcf = JaxWsDynamicClientFactoryFix.newInstance(bus);
 dcf.createClient(wsdlUrl);

Thanks for suggestions.

Starting from my config:

public static void valorizzaContestoSSLNelServizio(SSLContext sslContext, BindingProvider port, String url) {
  port.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);   // ENDPOINT_ADDRESS_PROPERTY = "javax.xml.ws.service.endpoint.address"

  // Get the underlying http conduit of the client proxy
  Client client = ClientProxy.getClient(port);             //org.apache.cxf.endpoint.Client
  HTTPConduit http = (HTTPConduit) client.getConduit();    //org.apache.cxf.transport.http.HTTPConduit

  TLSClientParameters parameters = new TLSClientParameters();     //org.apache.cxf.configuration.jsse.TLSClientParameters
  parameters.setSSLSocketFactory(sslContext.getSocketFactory());
  http.setTlsClientParameters(parameters);
}

and your suggestions, I modify into:

public void valorizzaContestoSSLNelServizio(SSLFactory sslFactory, SSLContext sslContext, BindingProvider port,
      String url) {
/* port is :
ServiceV1 serviceV1 = new ServiceV1();
ServiceWritePortTypeV1 port = serviceV1.getServiceWritePortV1();
*/

   port.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, url);

   Client client = ClientProxy.getClient(port);
   Bus bus = client.getBus();
   bus.setExtension((name, address, httpConduit) -> {
      TLSClientParameters tls = new TLSClientParameters();
      tls.setSSLSocketFactory(sslFactory.getSslSocketFactory());
      tls.setHostnameVerifier(sslFactory.getHostnameVerifier());
      httpConduit.setTlsClientParameters(tls);
   }, HTTPConduitConfigurer.class);
}

But with same error: Policy Falsified. I'm afraid struggling to get outdated libraries working is a waste of time...

Thanks for your time, to both of you!

PS: where do you got JaxWsDynamicClientFactoryFix?

I grabbed an example ssl handshake log to demonstrate here how a successful ssl handshake looks like, so you can tweak and retest on your side to see if you can generate the same logs:

javax.net.ssl|DEBUG|30|Finalizer|2023-05-02 22:26:29.095 CEST|SSLSocketImpl.java:572|duplex close of SSLSocket
javax.net.ssl|DEBUG|30|Finalizer|2023-05-02 22:26:29.096 CEST|SSLSocketImpl.java:1775|close the SSL connection (passive)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.309 CEST|SessionTicketExtension.java:408|Stateless resumption supported
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.311 CEST|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.341 CEST|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.341 CEST|PreSharedKeyExtension.java:661|No session to resume.
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.341 CEST|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.344 CEST|ClientHello.java:641|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "69D8F43C6593E32FF648AC6E8A0E12688DF99A86EEF8100694AA7E0773BF9186",
  "session id"          : "F207E9F7AAC11E7D4C5E2276112319D567DA0E5DF0B13BE1AB3423179E88F403",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=localhost
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "session_ticket (35)": {
      <empty>
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": x25519
          "key_exchange": {
            0000: 9F 7C 39 5D EC 4D 19 81   73 FD C3 7F ED 6A 57 C6  ..9].M..s....jW.
            0010: 1A 95 9D 9A B6 C9 BB 16   12 FF A7 B7 AE 62 FF 21  .............b.!
          }
        },
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 E2 8E D2 A5 02 09 EF   6D FE BE 34 15 88 DC F2  ........m..4....
            0010: A6 B1 D2 93 40 6A 1A 17   2A F8 DB 34 8A 7A 8B E4  ....@j..*..4.z..
            0020: 10 CA 8D CB 49 5A A4 2A   1E 01 B9 25 71 96 AA ED  ....IZ.*...%q...
            0030: 2A 09 D4 C5 99 02 E1 45   0C 5A 3F C5 38 A2 17 59  *......E.Z?.8..Y
            0040: D6
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.410 CEST|ServerHello.java:888|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "8132940B5CD14CE07FBF3CC89782D601A75BA15CCA841732063876E9513C5268",
  "session id"          : "F207E9F7AAC11E7D4C5E2276112319D567DA0E5DF0B13BE1AB3423179E88F403",
  "cipher suite"        : "TLS_AES_256_GCM_SHA384(0x1302)",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    },
    "key_share (51)": {
      "server_share": {
        "named group": x25519
        "key_exchange": {
          0000: D3 76 69 D4 A9 42 7C 87   28 BF 58 FD 92 63 25 CA  .vi..B..(.X..c%.
          0010: 07 15 74 3E DC F2 FE 40   51 E1 4D 1B F0 80 9D 23  ..t>...@Q.M....#
        }
      },
    }
  ]
}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.410 CEST|SSLExtensions.java:204|Consumed extension: supported_versions
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.411 CEST|ServerHello.java:984|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.420 CEST|SSLExtensions.java:175|Ignore unsupported extension: server_name
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.421 CEST|SSLExtensions.java:175|Ignore unsupported extension: max_fragment_length
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.421 CEST|SSLExtensions.java:175|Ignore unsupported extension: status_request
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.421 CEST|SSLExtensions.java:175|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.421 CEST|SSLExtensions.java:175|Ignore unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.421 CEST|SSLExtensions.java:175|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.422 CEST|SSLExtensions.java:175|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.431 CEST|SSLExtensions.java:175|Ignore unsupported extension: session_ticket
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.432 CEST|SSLExtensions.java:204|Consumed extension: supported_versions
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.439 CEST|SSLExtensions.java:204|Consumed extension: key_share
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.440 CEST|SSLExtensions.java:175|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.440 CEST|PreSharedKeyExtension.java:924|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.440 CEST|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.441 CEST|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.441 CEST|SSLExtensions.java:219|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.441 CEST|SSLExtensions.java:219|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.441 CEST|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.441 CEST|SSLExtensions.java:219|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.442 CEST|SSLExtensions.java:219|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.486 CEST|SSLExtensions.java:219|Ignore unavailable extension: session_ticket
javax.net.ssl|WARNING|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.486 CEST|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|WARNING|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.486 CEST|SSLExtensions.java:227|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.486 CEST|SSLExtensions.java:219|Ignore unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.487 CEST|SSLExtensions.java:219|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.498 CEST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.500 CEST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.503 CEST|ChangeCipherSpec.java:246|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.511 CEST|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
  "supported_groups (10)": {
    "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  }
]
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.511 CEST|SSLExtensions.java:185|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.511 CEST|SSLExtensions.java:185|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.511 CEST|SSLExtensions.java:204|Consumed extension: supported_groups
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.511 CEST|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.511 CEST|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.511 CEST|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.511 CEST|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.514 CEST|CertificateRequest.java:991|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "certificate_authorities (47)": {
      "certificate authorities": [
        CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL]
    }
  ]
}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.539 CEST|SSLExtensions.java:204|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.540 CEST|SSLExtensions.java:204|Consumed extension: certificate_authorities
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.540 CEST|SSLExtensions.java:204|Consumed extension: signature_algorithms_cert
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.542 CEST|SSLExtensions.java:236|Populated with extension: signature_algorithms
javax.net.ssl|WARNING|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.543 CEST|SSLExtensions.java:227|Ignore impact of unsupported extension: certificate_authorities
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.544 CEST|SSLExtensions.java:236|Populated with extension: signature_algorithms_cert
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.548 CEST|CertificateMessage.java:1172|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "48DFD93D6DAEC057",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2023-05-02 21:58:27.000 CEST",
      "not  after"         : "2033-04-29 21:58:27.000 CEST",
      "subject"            : "CN=Hakan, OU=Amsterdam, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: E3 6C E2 36 4F 22 B3 4B   62 77 24 E8 36 F7 2F 0A  .l.6O".Kbw$.6./.
          0010: 5F 97 84 F5                                        _...
          ]
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
            clientAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_Encipherment
            Data_Encipherment
            Key_Agreement
          ]
        },
        {
          ObjectId: 2.5.29.17 Criticality=true
          SubjectAlternativeName [
            DNSName: localhost
            DNSName: raspberrypi.local
            IPAddress: 127.0.0.1
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 5E 01 B8 8F 84 11 F1 81   2F E8 F2 3D 37 EF F7 AF  ^......./..=7...
          0010: 20 7D 99 77                                         ..w
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "1FC77D0EE0172457",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2023-05-02 21:58:21.000 CEST",
      "not  after"         : "2033-04-29 21:58:21.000 CEST",
      "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.19 Criticality=false
          BasicConstraints:[
            CA:true
            PathLen:3
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_CertSign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: E3 6C E2 36 4F 22 B3 4B   62 77 24 E8 36 F7 2F 0A  .l.6O".Kbw$.6./.
          0010: 5F 97 84 F5                                        _...
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.548 CEST|SSLExtensions.java:185|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.549 CEST|SSLExtensions.java:185|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.582 CEST|X509TrustManagerImpl.java:301|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "1FC77D0EE0172457",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "not before"         : "2023-05-02 21:58:21.000 CEST",
    "not  after"         : "2033-04-29 21:58:21.000 CEST",
    "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:3
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_CertSign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: E3 6C E2 36 4F 22 B3 4B   62 77 24 E8 36 F7 2F 0A  .l.6O".Kbw$.6./.
        0010: 5F 97 84 F5                                        _...
        ]
        ]
      }
    ]}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.585 CEST|CertificateVerify.java:1166|Consuming CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    0000: 4E 01 04 B7 E6 0B AA 84   51 0A AC 21 F3 9F B7 1C  N.......Q..!....
    0010: 7F 13 9A 20 94 53 13 64   7D 42 94 48 E7 02 FE DB  ... .S.d.B.H....
    0020: C0 3E DE FE 61 77 DE F0   91 BE D0 22 7B 17 05 B3  .>..aw....."....
    0030: 8A 38 F3 EB 55 BF 30 FA   A0 12 92 5C 3F 5B 76 A8  .8..U.0....\?[v.
    0040: 56 C5 C3 83 FD 6D AD A2   AF 43 84 24 DB 24 EE 6C  V....m...C.$.$.l
    0050: DF 25 0D 28 C7 15 8C D6   25 3E 34 CB 94 3C BE 53  .%.(....%>4..<.S
    0060: 9C EF 37 3A C9 CE 3D 55   80 BE C1 78 04 0A B1 C2  ..7:..=U...x....
    0070: 0B 2F 28 A0 80 62 BD 81   D2 15 2C 42 82 BD 3A AA  ./(..b....,B..:.
    0080: 8B DD 7E 90 27 BC 82 65   9D C5 43 CB 66 9F D5 87  ....'..e..C.f...
    0090: B1 9F 61 96 18 3D 99 7C   AF 42 EF 6C 89 B8 C3 D9  ..a..=...B.l....
    00A0: 44 77 C0 20 F2 91 B9 28   ED DE 61 13 CC B7 E4 23  Dw. ...(..a....#
    00B0: EE 60 0D B3 0E B8 54 54   81 C6 26 C5 83 7B FB 5D  .`....TT..&....]
    00C0: 2E 46 E0 B9 1D FB BD A2   6D 8B 7C 26 78 94 40 70  .F......m..&x.@p
    00D0: 66 A1 D4 6E B9 BD 40 35   C1 E5 F5 8F 15 CD 88 72  f..n..@5.......r
    00E0: 61 83 CB 95 81 3A E4 98   4C 3B 01 9D 91 0E A2 15  a....:..L;......
    00F0: E4 27 F0 A0 67 19 B4 E2   CB FF 6E E9 9D 06 61 FB  .'..g.....n...a.
  }
}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.587 CEST|Finished.java:917|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
    0000: BA 23 A3 96 E6 86 A8 E5   64 67 18 4B 22 6A 52 4B  .#......dg.K"jRK
    0010: 4D BF 8A 8A 3D C5 42 88   35 2D 99 3D 61 00 F2 80  M...=.B.5-.=a...
    0020: 34 A4 9A 45 FA 99 6C 02   A4 A4 4F A2 FA B0 5F 14  4..E..l...O..._.
  }'}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.589 CEST|SSLCipher.java:1870|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|ALL|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.591 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.591 CEST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.592 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.592 CEST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.592 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|WARNING|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.593 CEST|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.593 CEST|SunX509KeyManagerImpl.java:397|matching alias: client
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.594 CEST|CertificateMessage.java:1140|Produced client Certificate message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "66E6E5266A493349",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2023-05-02 21:58:26.000 CEST",
      "not  after"         : "2033-04-29 21:58:26.000 CEST",
      "subject"            : "CN=thunderberry, OU=Altindag, O=Altindag, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: E3 6C E2 36 4F 22 B3 4B   62 77 24 E8 36 F7 2F 0A  .l.6O".Kbw$.6./.
          0010: 5F 97 84 F5                                        _...
          ]
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
            clientAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_Encipherment
            Data_Encipherment
            Key_Agreement
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: C3 65 F2 2A 74 CA C3 78   F6 24 B9 B2 10 37 55 6D  .e.*t..x.$...7Um
          0010: DD 84 C6 A0                                        ....
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "1FC77D0EE0172457",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2023-05-02 21:58:21.000 CEST",
      "not  after"         : "2033-04-29 21:58:21.000 CEST",
      "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.19 Criticality=false
          BasicConstraints:[
            CA:true
            PathLen:3
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_CertSign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: E3 6C E2 36 4F 22 B3 4B   62 77 24 E8 36 F7 2F 0A  .l.6O".Kbw$.6./.
          0010: 5F 97 84 F5                                        _...
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.674 CEST|CertificateVerify.java:1131|Produced client CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    0000: 65 79 84 EB ED 1F FF 7A   A9 EE 60 87 D6 06 83 B7  ey.....z..`.....
    0010: 67 CC FE CD 0D 1C 4D EE   1A 4A 9F CE 50 15 B1 3D  g.....M..J..P..=
    0020: CC C4 08 4A 4B 67 45 50   F0 A1 B8 C9 55 85 63 8F  ...JKgEP....U.c.
    0030: F8 92 20 B5 B1 7A B9 A1   FD 80 6B 00 2A 7C 43 0B  .. ..z....k.*.C.
    0040: 01 C7 E6 FB 0D 97 AB F5   18 AE F6 B7 11 02 8F 2F  .............../
    0050: 5E AC 7C 62 EE B0 B2 C2   D1 7E B9 A2 42 36 4F 54  ^..b........B6OT
    0060: C1 17 A8 BD 90 2B E4 06   A0 C9 DF B3 E4 1C F7 5D  .....+.........]
    0070: 0B 9A 23 BC 47 0E 84 16   8E 65 FD 66 FA 30 2B 57  ..#.G....e.f.0+W
    0080: E8 38 15 98 19 73 D3 E4   1E 52 4B 41 E1 F6 EB C9  .8...s...RKA....
    0090: 22 C1 15 1E A2 2F 8D FC   88 1E 08 CF E3 B4 59 93  "..../........Y.
    00A0: CE 77 AC 98 5C 8E 5D 8B   D3 9E AE 63 DA 8C FA EC  .w..\.]....c....
    00B0: 3D 54 7A 06 27 D1 CB A8   96 8B EC 45 D4 14 7F 34  =Tz.'......E...4
    00C0: 00 00 BF 25 DC F8 72 D5   99 EC 5C 06 A2 3D F5 67  ...%..r...\..=.g
    00D0: 0D B3 95 D5 39 AF 18 CC   08 0A 66 B3 9E 72 7B 4A  ....9.....f..r.J
    00E0: 3B 46 41 2E C2 62 9D 5E   FE FB 97 7F 8E E3 64 48  ;FA..b.^......dH
    00F0: A3 88 6E 61 4B 07 75 56   64 70 D6 D6 59 35 F5 38  ..naK.uVdp..Y5.8
  }
}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.675 CEST|Finished.java:687|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 14 B5 26 14 61 A1 26 29   D9 3E 07 73 16 79 A3 80  ..&.a.&).>.s.y..
    0010: F7 2A 62 68 BA 24 3D CA   01 8F 17 16 BF D7 E6 3F  .*bh.$=........?
    0020: AC 9B 89 48 F1 E4 ED 51   A5 38 AB CA A9 45 72 79  ...H...Q.8...Ery
  }'}
)
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.675 CEST|SSLCipher.java:2024|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|A6|HttpClient-1-Worker-0|2023-05-02 22:26:29.701 CEST|NewSessionTicket.java:567|Consuming NewSessionTicket message (
"NewSessionTicket": {
  "ticket_lifetime"      : "86,400",
  "ticket_age_add"       : "<omitted>",
  "ticket_nonce"         : "01",
  "ticket"               : {
    0000: 65 42 15 8D AA 87 00 60   03 0D 36 FA 8C 96 DB 7B  eB.....`..6.....
    0010: AE 97 17 02 F8 EC 37 AA   3C E6 3A C6 4A A1 5F AB  ......7.<.:.J._.
  }  "extensions"           : [
    <no extension>
  ]
}
)

Looking at your example code snippet I would assume that everything looks ok to me and it should work, but maybe something else elsewhere in your project is causing this issue, I am not able to help you any further with the limited code snippets and it is also not an issue with the library as it has already proven to be working with apache cxf. I would need either a minimal example project on github which contains the same error which I can try on my side or another option would be that I would be working for n amount of hours in your project to dig into the issue to resolve it, but I need access to the repo etc and it won't be free... That would be maybe a last resort, not quite sure whether your company is open for temporally technical support. Another option would be to ask help at stackoverflow, which has a bigger community having a-lot of ssl and java experts seeking for challenging questions like these 😄

Thanks Hakky54. Really thanks for your time! My next step is to create a new project from scratch and trying use both truststore/keystore and your library. My hope is than both works and in that case I will throw away truststore/keystore e stay on your lib. In case we still have problems, I already talked to project manager that I will need external help form an expert about SSL. In that case, I'll take into consideration your proposal (we will pay you of course) :-)

I am closing this issue as it is not related to this library. Feel free to post and link your project here, if you are able to create a repo with a similar setup as your actual project with the same exception, where I can try out your issue locally

I tried to create a new project to put some piece of original project but using updated libraries. At the same time I substituted the use of truststore/keystore with .PEM files through your library and... it works!

So, the problem was there, supplier changed something and old libraries stopped to work.

Thanks again for your time! And thanks for your library! We will use it in the project, instead of truststore/keystore because your library works like a charm and simplified my life!

Ah, very good news. So the issue was on the certificate supplier, any idea what they did wrong before?

Glad to hear it all worked out for you and I am happy to hear this library makes your task easier!

No idea about what supplier changed. But at the end of March it asked us to update the URL to call. The old URL, entered into the browser, responded with WSDL, but not the new one. Perhaps in the TEST environment, where the supplier uses a self-signed certificate, something is broken in the old libraries... I have no other plausible explanation...

Hakky54 / sslcontext-kickstart

[HELP] Use of .PEM and self signed #317