playframework / play-scala-tls-example

A Play application using HTTPS and WS with optional client authentication
https://developer.lightbend.com/start/?group=play
Creative Commons Zero v1.0 Universal

No trust manager was able to validate this certificate chain #52

Closed todor-kolev closed 5 years ago

todor-kolev commented 6 years ago

After launching the Play server successfully I get the following error when I run the Main program. Has anybody come across anything similar?

[info] [error] application - failure = java.net.ConnectException: General SSLEngine problem
[info] java.net.ConnectException: General SSLEngine problem
[info]  at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:168)
[info]  at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:139)
[info]  at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:500)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:479)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:420)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:122)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.notifyHandshakeFailure(SslHandler.java:1443)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1435)
[info] Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
[info]  at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
[info]  at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
[info]  at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
[info]  at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
[info]  at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:272)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1175)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1087)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1122)
[info]  at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:491)
[info] Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
[info]  at sun.security.ssl.Alerts.getSSLException(Alerts.java:203)
[info]  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
[info]  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
[info]  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
[info]  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1595)
[info]  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:220)
[info]  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
[info]  at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
[info]  at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
[info]  at java.security.AccessController.doPrivileged(Native Method)
[info] Caused by: com.typesafe.sslconfig.ssl.CompositeCertificateException: No trust manager was able to validate this certificate chain: # of exceptions = 1
[info]  at com.typesafe.sslconfig.ssl.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.scala:90)
[info]  at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:999)
[info]  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1582)
[info]  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:220)
[info]  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
[info]  at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
[info]  at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
[info]  at java.security.AccessController.doPrivileged(Native Method)
[info]  at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1324)
[info] AsyncHttpClient-2-1, called closeOutbound()
[info] AsyncHttpClient-2-1, closeOutboundInternal()

Obviously, looking at the truststore, there's an entry for exampleca which signed the one.example.com certificate:

user$ keytool -list -keystore scripts/exampletrust.jks -storepass changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

exampleca, 15-May-2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 44:C6:5E:7F:7B:44:54:E8:6E:8A:FE:4F:8C:06:1E:EE:D6:73:50:05

Two immediate thoughts that sprang to mind from looking at the full log are:

1 - Is it picking the right trustStore?

[info] trustStore is: /Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home/jre/lib/security/cacerts

2 - Why is the keyStore blank:

[info] keyStore is : 
[info] keyStore type is : jks
[info] keyStore provider is : 

Here's the full log:

[info] Running (fork) Main 
[error] objc[4583]: Class JavaLaunchHelper is implemented in both /Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home/jre/bin/java and /Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home/jre/lib/libinstrument.dylib. One of the two will be used. Which one is undefined.
[error] [jetty-alpn-agent] Using: alpn-boot-8.1.11.v20170118.jar
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/Alerts
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/ClientHandshaker$1
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/ClientHandshaker$2
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/ClientHandshaker
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/ExtensionType
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/HelloExtensions
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/ServerHandshaker$1
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/ServerHandshaker$2
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/ServerHandshaker$3
[error] [jetty-alpn-agent] Replacing: sun/security/ssl/ServerHandshaker
[info] ***
[info] found key for : clientca
[info] chain [0] = [
[info] [
[info]   Version: V3
[info]   Subject: CN=clientca, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2
[info]   Key:  Sun EC public key, 256 bits
[info]   public x coord: 66600178323990434091429505456221986389956610527515094100876202907609767809207
[info]   public y coord: 39981919656179605960563297807977898753095123904953444661304035192164170594721
[info]   parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
[info]   Validity: [From: Mon May 15 23:37:46 BST 2017,
[info]                To: Tue May 15 23:37:46 BST 2018]
[info]   Issuer: CN=clientca, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   SerialNumber: [    4c30d94d]
[info] Certificate Extensions: 3
[info] [1]: ObjectId: 2.5.29.19 Criticality=true
[info] BasicConstraints:[
[info]   CA:true
[info]   PathLen:2147483647
[info] ]
[info] [2]: ObjectId: 2.5.29.15 Criticality=true
[info] KeyUsage [
[info]   Key_CertSign
[info] ]
[info] [3]: ObjectId: 2.5.29.14 Criticality=false
[info] SubjectKeyIdentifier [
[info] KeyIdentifier [
[info] 0000: E1 C2 6B C1 29 64 69 59   8A 0D 2A AF 35 56 56 CA  ..k.)diY..*.5VV.
[info] 0010: 42 C5 E2 9A                                        B...
[info] ]
[info] ]
[info] ]
[info]   Algorithm: [SHA256withECDSA]
[info]   Signature:
[info] 0000: 30 46 02 21 00 98 68 ED   3F 89 3A DD 84 36 1E D6  0F.!..h.?.:..6..
[info] 0010: EA D9 3C 44 03 C1 BC DC   CE 97 6F A8 0F 42 E5 FB  ..<D......o..B..
[info] 0020: 3B DC BC 41 56 02 21 00   A5 0C B0 90 1D 12 A3 2E  ;..AV.!.........
[info] 0030: 31 C3 02 C3 83 32 C2 00   4C C9 7B A3 57 CE AC BF  1....2..L...W...
[info] 0040: 9C 42 55 02 51 3B 08 12                            .BU.Q;..
[info] ]
[info] ***
[info] ***
[info] found key for : client
[info] chain [0] = [
[info] [
[info]   Version: V3
[info]   Subject: CN=client, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2
[info]   Key:  Sun EC public key, 256 bits
[info]   public x coord: 44297222968117830209847875843052182103557829000758561201210962586561851588096
[info]   public y coord: 614210147463812705960737657537591654641232092754041828112551229763588328757
[info]   parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
[info]   Validity: [From: Mon May 15 23:37:47 BST 2017,
[info]                To: Sun Aug 13 23:37:47 BST 2017]
[info]   Issuer: CN=clientca, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   SerialNumber: [    56a6dc40]
[info] Certificate Extensions: 3
[info] [1]: ObjectId: 2.5.29.35 Criticality=false
[info] AuthorityKeyIdentifier [
[info] KeyIdentifier [
[info] 0000: E1 C2 6B C1 29 64 69 59   8A 0D 2A AF 35 56 56 CA  ..k.)diY..*.5VV.
[info] 0010: 42 C5 E2 9A                                        B...
[info] ]
[info] ]
[info] [2]: ObjectId: 2.5.29.37 Criticality=false
[info] ExtendedKeyUsages [
[info]   clientAuth
[info] ]
[info] [3]: ObjectId: 2.5.29.14 Criticality=false
[info] SubjectKeyIdentifier [
[info] KeyIdentifier [
[info] 0000: EE 03 E0 22 00 43 43 F3   23 C1 7B BB 9F 43 87 CB  ...".CC.#....C..
[info] 0010: 2F FC 3B 5A                                        /.;Z
[info] ]
[info] ]
[info] ]
[info]   Algorithm: [SHA256withECDSA]
[info]   Signature:
[info] 0000: 30 44 02 20 1D 3A FF 42   5D 09 A5 15 79 3B 96 F5  0D. .:.B]...y;..
[info] 0010: 9A 75 46 51 12 96 17 A0   62 3D 5A FF B4 7F 6C 68  .uFQ....b=Z...lh
[info] 0020: B0 D0 68 3A 02 20 06 BB   45 8D 4D 42 FF E5 B3 7A  ..h:. ..E.MB...z
[info] 0030: 65 64 AB 76 5D EA 21 83   AA ED A7 62 1D 79 0C 2C  ed.v].!....b.y.,
[info] 0040: 19 5F EE 9A FB 15                                  ._....
[info] ]
[info] chain [1] = [
[info] [
[info]   Version: V3
[info]   Subject: CN=clientca, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2
[info]   Key:  Sun EC public key, 256 bits
[info]   public x coord: 66600178323990434091429505456221986389956610527515094100876202907609767809207
[info]   public y coord: 39981919656179605960563297807977898753095123904953444661304035192164170594721
[info]   parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
[info]   Validity: [From: Mon May 15 23:37:46 BST 2017,
[info]                To: Tue May 15 23:37:46 BST 2018]
[info]   Issuer: CN=clientca, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   SerialNumber: [    4c30d94d]
[info] Certificate Extensions: 3
[info] [1]: ObjectId: 2.5.29.19 Criticality=true
[info] BasicConstraints:[
[info]   CA:true
[info]   PathLen:2147483647
[info] ]
[info] [2]: ObjectId: 2.5.29.15 Criticality=true
[info] KeyUsage [
[info]   Key_CertSign
[info] ]
[info] [3]: ObjectId: 2.5.29.14 Criticality=false
[info] SubjectKeyIdentifier [
[info] KeyIdentifier [
[info] 0000: E1 C2 6B C1 29 64 69 59   8A 0D 2A AF 35 56 56 CA  ..k.)diY..*.5VV.
[info] 0010: 42 C5 E2 9A                                        B...
[info] ]
[info] ]
[info] ]
[info]   Algorithm: [SHA256withECDSA]
[info]   Signature:
[info] 0000: 30 46 02 21 00 98 68 ED   3F 89 3A DD 84 36 1E D6  0F.!..h.?.:..6..
[info] 0010: EA D9 3C 44 03 C1 BC DC   CE 97 6F A8 0F 42 E5 FB  ..<D......o..B..
[info] 0020: 3B DC BC 41 56 02 21 00   A5 0C B0 90 1D 12 A3 2E  ;..AV.!.........
[info] 0030: 31 C3 02 C3 83 32 C2 00   4C C9 7B A3 57 CE AC BF  1....2..L...W...
[info] 0040: 9C 42 55 02 51 3B 08 12                            .BU.Q;..
[info] ]
[info] ***
[info] adding as trusted cert:
[info]   Subject: CN=exampleCA, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   Issuer:  CN=exampleCA, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   Algorithm: EC; Serial number: 0x72e43aca
[info]   Valid from Mon May 15 23:37:45 BST 2017 until Thu Sep 29 23:37:45 BST 2044
[info] trigger seeding of SecureRandom
[info] done seeding SecureRandom
[info] %% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
[info] trustStore is: /Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home/jre/lib/security/cacerts
[info] trustStore type is : jks
[info] trustStore provider is : 
[info] init truststore
[info] adding as trusted cert:
[info]   Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
[info]   Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
[info]   Algorithm: RSA; Serial number: 0xc3517
[info]   Valid from Mon Jun 21 05:00:00 BST 1999 until Mon Jun 22 05:00:00 BST 2020
...
[info] adding as trusted cert:
[info]   Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
[info]   Issuer:  CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
[info]   Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5
[info]   Valid from Thu Aug 01 13:00:00 BST 2013 until Fri Jan 15 12:00:00 GMT 2038
[info] keyStore is : 
[info] keyStore type is : jks
[info] keyStore provider is : 
[info] init keystore
[info] init keymanager of type SunX509
[info] trigger seeding of SecureRandom
[info] done seeding SecureRandom
[info] Finalizer, called close()
[info] Finalizer, called closeInternal(true)
[info] Finalizer, called closeSocket(true)
[info] Finalizer, called close()
[info] Finalizer, called closeInternal(true)
[info] Finalizer, called closeSocket(true)
[info] Using SSLEngineImpl.
[info] Allow unsafe renegotiation: false
[info] Allow legacy hello messages: true
[info] Is initial handshake: true
[info] Is secure renegotiation: false
[info] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
[info] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
[info] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
[info] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
[info] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
[info] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
[info] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
[info] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
[info] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
[info] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
[info] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
[info] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
[info] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
[info] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
[info] %% No cached client session
[info] *** ClientHello, TLSv1.2
[info] RandomCookie:  GMT: 1515414972 bytes = { 81, 15, 60, 89, 54, 121, 181, 124, 183, 88, 151, 109, 199, 58, 248, 165, 145, 98, 108, 227, 30, 90, 20, 202, 58, 234, 52, 122 }
[info] Session ID:  {}
[info] Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[info] Compression Methods:  { 0 }
[info] Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
[info] Extension ec_point_formats, formats: [uncompressed]
[info] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
[info] Extension server_name, server_name: [type=host_name (0), value=one.example.com]
[info] ***
[info] AsyncHttpClient-2-1, WRITE: TLSv1.2 Handshake, length = 233
[info] AsyncHttpClient-2-1, READ: TLSv1.2 Handshake, length = 1622
[info] *** ServerHello, TLSv1.2
[info] RandomCookie:  GMT: 1515414972 bytes = { 186, 106, 87, 67, 31, 80, 32, 13, 202, 9, 201, 81, 13, 165, 86, 205, 24, 217, 0, 224, 27, 144, 51, 66, 150, 148, 31, 163 }
[info] Session ID:  {90, 83, 102, 188, 152, 226, 92, 88, 104, 79, 209, 92, 200, 171, 228, 101, 78, 58, 232, 88, 170, 140, 217, 168, 125, 103, 10, 94, 248, 34, 140, 187}
[info] Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[info] Compression Method: 0
[info] Extension renegotiation_info, renegotiated_connection: <empty>
[info] ***
[info] %% Initialized:  [Session-1, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384]
[info] ** TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[info] *** Certificate chain
[info] chain [0] = [
[info] [
[info]   Version: V3
[info]   Subject: CN=one.example.com, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2
[info]   Key:  Sun EC public key, 256 bits
[info]   public x coord: 12919396288456902233976640161237048815156576160429441835392270624795846096375
[info]   public y coord: 70496434976171164818467039846707814600001883029644685617142760792536858883219
[info]   parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
[info]   Validity: [From: Mon May 15 23:37:50 BST 2017,
[info]                To: Sun Aug 13 23:37:50 BST 2017]
[info]   Issuer: CN=exampleCA, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   SerialNumber: [    5443eefa]
[info] Certificate Extensions: 5
[info] [1]: ObjectId: 2.5.29.35 Criticality=false
[info] AuthorityKeyIdentifier [
[info] KeyIdentifier [
[info] 0000: 83 5A E2 CF 38 1F AF 00   EE A4 57 09 59 B5 49 21  .Z..8.....W.Y.I!
[info] 0010: 0A 02 5E 97                                        ..^.
[info] ]
[info] ]
[info] [2]: ObjectId: 2.5.29.37 Criticality=false
[info] ExtendedKeyUsages [
[info]   serverAuth
[info] ]
[info] [3]: ObjectId: 2.5.29.15 Criticality=true
[info] KeyUsage [
[info]   DigitalSignature
[info]   Key_Encipherment
[info] ]
[info] [4]: ObjectId: 2.5.29.17 Criticality=false
[info] SubjectAlternativeName [
[info]   DNSName: one.example.com
[info] ]
[info] [5]: ObjectId: 2.5.29.14 Criticality=false
[info] SubjectKeyIdentifier [
[info] KeyIdentifier [
[info] 0000: 4E D0 47 22 5F 3E E1 55   BD 17 9A CE C9 13 57 50  N.G"_>.U......WP
[info] 0010: 21 1F E7 21                                        !..!
[info] ]
[info] ]
[info] ]
[info]   Algorithm: [SHA256withECDSA]
[info]   Signature:
[info] 0000: 30 46 02 21 00 DE 22 5E   14 50 C5 3A 3D 5D F9 52  0F.!.."^.P.:=].R
[info] 0010: 43 F2 75 83 19 AE 8E 52   26 4E D0 A2 E9 36 0A 0D  C.u....R&N...6..
[info] 0020: 7A 10 AE C9 4C 02 21 00   8C 79 48 1A DA D5 F0 C6  z...L.!..yH.....
[info] 0030: 63 33 6D 6E 8F F1 BC 4E   09 A0 90 DD 55 30 BB 60  c3mn...N....U0.`
[info] 0040: 17 DB 80 D6 9C E4 B1 08                            ........
[info] ]
[info] chain [1] = [
[info] [
[info]   Version: V3
[info]   Subject: CN=exampleCA, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2
[info]   Key:  Sun EC public key, 256 bits
[info]   public x coord: 70310033362004550653036664969660851239303736980904864081454777492561020184864
[info]   public y coord: 21370874994400014720222136767587995388263316900153759375793350058661508681688
[info]   parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
[info]   Validity: [From: Mon May 15 23:37:45 BST 2017,
[info]                To: Thu Sep 29 23:37:45 BST 2044]
[info]   Issuer: CN=exampleCA, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US
[info]   SerialNumber: [    72e43aca]
[info] Certificate Extensions: 3
[info] [1]: ObjectId: 2.5.29.19 Criticality=true
[info] BasicConstraints:[
[info]   CA:true
[info]   PathLen:2147483647
[info] ]
[info] [2]: ObjectId: 2.5.29.15 Criticality=true
[info] KeyUsage [
[info]   Key_CertSign
[info] ]
[info] [3]: ObjectId: 2.5.29.14 Criticality=false
[info] SubjectKeyIdentifier [
[info] KeyIdentifier [
[info] 0000: 83 5A E2 CF 38 1F AF 00   EE A4 57 09 59 B5 49 21  .Z..8.....W.Y.I!
[info] 0010: 0A 02 5E 97                                        ..^.
[info] ]
[info] ]
[info] ]
[info]   Algorithm: [SHA256withECDSA]
[info]   Signature:
[info] 0000: 30 44 02 20 1F 6B 09 8F   DA 99 19 9D C1 51 EF 1C  0D. .k.......Q..
[info] 0010: 29 17 EB B1 D3 6F 39 0D   43 35 C6 44 1B 5F 18 7A  )....o9.C5.D._.z
[info] 0020: E2 8A 5D 8A 02 20 36 46   0C 2F 7C 9C 24 22 94 6E  ..].. 6F./..$".n
[info] 0030: 65 86 6D D0 61 DC 14 37   2D 56 E0 D9 85 BF DA 3B  e.m.a..7-V.....;
[info] 0040: A4 34 5B 75 A6 95                                  .4[u..
[info] ]
[info] ***
[info] AsyncHttpClient-2-1, fatal error: 46: General SSLEngine problem
[info] com.typesafe.sslconfig.ssl.CompositeCertificateException: No trust manager was able to validate this certificate chain: # of exceptions = 1
[info] %% Invalidated:  [Session-1, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384]
[info] AsyncHttpClient-2-1, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
[info] AsyncHttpClient-2-1, WRITE: TLSv1.2 Alert, length = 2
[info] AsyncHttpClient-2-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
[info] AsyncHttpClient-2-1, called closeOutbound()
[info] AsyncHttpClient-2-1, closeOutboundInternal()
[info] AsyncHttpClient-2-1, called closeInbound()
[info] AsyncHttpClient-2-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
[info] AsyncHttpClient-2-1, called closeOutbound()
[info] AsyncHttpClient-2-1, closeOutboundInternal()
[info] AsyncHttpClient-2-1, called closeOutbound()
[info] AsyncHttpClient-2-1, closeOutboundInternal()
[info] [error] application - failure = java.net.ConnectException: General SSLEngine problem
[info] java.net.ConnectException: General SSLEngine problem
[info]  at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:168)
[info]  at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:139)
[info]  at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:500)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:479)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:420)
[info]  at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:122)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.notifyHandshakeFailure(SslHandler.java:1443)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1435)
[info] Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
[info]  at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
[info]  at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
[info]  at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
[info]  at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
[info]  at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:272)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1175)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1087)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1122)
[info]  at play.shaded.ahc.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:491)
[info] Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
[info]  at sun.security.ssl.Alerts.getSSLException(Alerts.java:203)
[info]  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
[info]  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
[info]  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
[info]  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1595)
[info]  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:220)
[info]  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
[info]  at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
[info]  at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
[info]  at java.security.AccessController.doPrivileged(Native Method)
[info] Caused by: com.typesafe.sslconfig.ssl.CompositeCertificateException: No trust manager was able to validate this certificate chain: # of exceptions = 1
[info]  at com.typesafe.sslconfig.ssl.CompositeX509TrustManager.checkServerTrusted(CompositeX509TrustManager.scala:90)
[info]  at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:999)
[info]  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1582)
[info]  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:220)
[info]  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
[info]  at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
[info]  at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
[info]  at java.security.AccessController.doPrivileged(Native Method)
[info]  at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
[info]  at play.shaded.ahc.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1324)
[success] Total time: 7 s, completed 08-Jan-2018 12:40:29

wsargent commented 6 years ago

Are you running the included ./play script?

todor-kolev commented 6 years ago

My bad. I generated a fresh set of certificates using the script and everything works fine. Apparently the *example.com certificates had expired.
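
The message in the log, "No trust manager was able to validate this certificate chain", is the composite trust manager's summary and does not by itself say whether the leaf has expired (the cause found here), the signing CA is absent from the truststore that was actually loaded (the cacerts path the log shows), or the name does not match. The following is an added example, not code from this thread or from the play-scala-tls-example project, and it is written in Go rather than the project's Scala because crypto/x509 can build a throwaway PKI in memory, so the check runs offline: it constructs an exampleCA and a one.example.com leaf with a 90-day validity window like the one in the log, then replays the client's path validation under each of the four conditions and returns a distinct reason for each. All names, dates and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, err) pairs while building the constructed test PKI;
// a failure here is a bug in the example, not a validation result.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newPKI builds an in-memory "exampleCA" and a one.example.com leaf signed by
// it, valid in [notBefore, notAfter]. The CA outlives the leaf by decades, as
// the exampleCA in the issue's log does. Names and keys are constructed for
// this example; nothing here is the project's real PKI.
func newPKI(notBefore, notAfter time.Time) (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "exampleCA"},
		NotBefore:             notBefore.Add(-24 * time.Hour),
		NotAfter:              notBefore.AddDate(27, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "one.example.com"},
		DNSNames:     []string{"one.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// Diagnose replays the client-side trust decision and names the reason it
// fails, where the log above only shows the composite trust manager's summary.
// roots stands in for the truststore (exampletrust.jks or the JDK cacerts);
// now is the clock used for the validity check, so expiry is reproducible.
func Diagnose(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	if err == nil {
		return "ok"
	}
	var invalid x509.CertificateInvalidError
	var unknownCA x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired" // this issue's cause: regenerate the certificates
	case errors.As(err, &unknownCA):
		return "unknown-authority" // the signing CA is not in the loaded truststore
	case errors.As(err, &hostErr):
		return "hostname-mismatch" // SAN does not cover the requested host
	}
	return "other: " + err.Error()
}

// RunScenarios checks the constructed leaf under the four conditions the
// thread touches: a good handshake, the expired leaf that was the real cause,
// a truststore whose exampleCA is a different key from the one that signed
// the leaf (what you get when certificates are regenerated but an old leaf or
// truststore is kept), and a request for a host the certificate does not name.
func RunScenarios() map[string]string {
	issued := time.Date(2017, 5, 15, 22, 37, 50, 0, time.UTC)
	expires := issued.AddDate(0, 0, 90) // short-lived leaf, as in the log
	ca, leaf := newPKI(issued, expires)
	regeneratedCA, _ := newPKI(issued, expires)
	trusted, mismatched := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(ca)
	mismatched.AddCert(regeneratedCA)
	inWindow, afterExpiry := issued.AddDate(0, 1, 0), expires.AddDate(0, 0, 1)
	return map[string]string{
		"valid":             Diagnose(leaf, trusted, "one.example.com", inWindow),
		"expired":           Diagnose(leaf, trusted, "one.example.com", afterExpiry),
		"wrong-truststore":  Diagnose(leaf, mismatched, "one.example.com", inWindow),
		"hostname-mismatch": Diagnose(leaf, trusted, "two.example.com", inWindow),
	}
}

func main() {
	for k, v := range RunScenarios() {
		fmt.Printf("%-18s -> %s\n", k, v)
	}
}
```

To apply the same check to a real deployment, load the server's leaf and the truststore's CA into the pools instead of the constructed ones and pass the real host name; the "expired" branch is the one this thread ended on, and the "unknown-authority" branch is what the cacerts path in the log would have produced had the leaf still been valid. On the JDK side the same distinction is carried by the exception chained under the composite exception (a CertPathValidatorException or CertificateExpiredException), which is worth logging in full rather than only its summary line.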

ndimas commented 6 years ago

So should we close this?

todor-kolev commented 6 years ago

It might be a good idea to delete the expired certs from the project so people are forced to generate a new set of valid certificates. Other than that, sure!

octonato commented 5 years ago

There is a new issue for re-generating the certificates. https://github.com/playframework/play-scala-tls-example/issues/75

Closing this one...