2016-05-29 27 views
1

Ich habe das Zertifikat bereits in den Truststore importiert, aber kann nicht erfolgreich Verbindung zu dieser URL herstellen. Ich habe alle Wege versucht, kann jemand die Ausgabe sehen und helfen, was los ist?Java SSL-Handshake-Fehler (SSLPoke)

java -Djavax.net.debug=all SSLPoke services.americanexpress.com 443 

keyStore is : 
keyStore type is : jks 
keyStore provider is : 
init keystore 
init keymanager of type SunX509 
trustStore is: /usr/java/jdk1.8.0_60/jre/lib/security/cacerts 
trustStore type is : jks 
trustStore provider is : 
init truststore 
adding as trusted cert: 
...... 
adding as trusted cert: 
    Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US 
    Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 
    Algorithm: RSA; Serial number: 0x35f39c9233cdc61333b1d58614e578b2 
    Valid from Wed Jun 26 00:00:00 UTC 2013 until Fri Sep 01 23:59:59 UTC 2017 
.... 

trigger seeding of SecureRandom 
done seeding SecureRandom 
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1 
for TLSv1.1 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1 
%% No cached client session 
*** ClientHello, TLSv1.2 
RandomCookie: GMT: 1464494977 bytes = { 253, 148, 218, 101, 153, 160, 57, 246, 36, 129, 111, 62, 106, 226, 141, 140, 102, 47, 123, 244, 108, 192, 12, 140, 187, 249, 208, 106 } 
Session ID: {} 
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 28_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 
Compression Methods: { 0 } 
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} 
Extension ec_point_formats, formats: [uncompressed] 
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA 
Extension server_name, server_name: [type=host_name (0), value=services.americanexpress.com] 
*** 
[write] MD5 and SHA1 hashes: len = 232 

00B0: 03 05 01 04 03 04 01 03 03 03 01 02 03 02 01 02 ................ 
00C0: 02 01 01 00 00 00 21 00 1F 00 00 1C 73 65 72 76 ......!.....serv 
00D0: 69 63 65 73 2E 61 6D 65 72 69 63 61 6E 65 78 70 ices.americanexp 
00E0: 72 65 73 73 2E 63 6F 6D       ress.com 
main, WRITE: TLSv1.2 Handshake, length = 232 
[Raw write]: length = 237 
0000: 16 03 03 00 E8 01 00 00 E4 03 03 57 4A 6C 81 FD ...........WJl.. 
0010: 94 DA 65 99 A0 39 F6 24 81 6F 3E 6A E2 8D 8C 66 ..e..9.$.o>j...f 
0020: 2F 7B F4 6C C0 0C 8C BB F9 D0 6A 00 00 3A C0 23 /..l......j..:.# 
0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.)[email protected] 
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./.. 

00D0: 1C 73 65 72 76 69 63 65 73 2E 61 6D 65 72 69 63 .services.americ 
00E0: 61 6E 65 78 70 72 65 73 73 2E 63 6F 6D   anexpress.com 
[Raw read]: length = 5 
0000: 16 03 03 00 51          ....Q 
[Raw read]: length = 81 
0000: 02 00 00 4D 03 03 90 E6 BB 39 B7 B1 8E 67 DA 71 ...M.....9...g.q 
0010: 65 74 25 D1 B7 CF ED D4 1A 6C 2B 0B 06 8C 0E 5E et%......l+....^ 
0020: 25 07 3F 8D E3 6F 20 49 AD 22 CA E7 8B 8A E5 41 %.?..o I.".....A 
0030: BE 9A B5 25 E0 70 D8 F9 73 A0 E0 5D 2F F3 3C AD ...%.p..s..]/.<. 
0040: DE 1E 88 98 3B 65 B1 00 3C 00 00 05 FF 01 00 01 ....;e..<....... 
0050: 00             . 
main, READ: TLSv1.2 Handshake, length = 81 
*** ServerHello, TLSv1.2 
RandomCookie: GMT: -1880769735 bytes = { 183, 177, 142, 103, 218, 113, 101, 116, 37, 209, 183, 207, 237, 212, 26, 108, 43, 11, 6, 140, 14, 94, 37, 7, 63, 141, 227, 111 } 
Session ID: {73, 173, 34, 202, 231, 139, 138, 229, 65, 190, 154, 181, 37, 224, 112, 216, 249, 115, 160, 224, 93, 47, 243, 60, 173, 222, 30, 136, 152, 59, 101, 177} 
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 
Compression Method: 0 
Extension renegotiation_info, renegotiated_connection: <empty> 
*** 
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256] 
** TLS_RSA_WITH_AES_128_CBC_SHA256 
[read] MD5 and SHA1 hashes: len = 81 
0000: 02 00 00 4D 03 03 90 E6 BB 39 B7 B1 8E 67 DA 71 ...M.....9...g.q 
0010: 65 74 25 D1 B7 CF ED D4 1A 6C 2B 0B 06 8C 0E 5E et%......l+....^ 
0020: 25 07 3F 8D E3 6F 20 49 AD 22 CA E7 8B 8A E5 41 %.?..o I.".....A 
0030: BE 9A B5 25 E0 70 D8 F9 73 A0 E0 5D 2F F3 3C AD ...%.p..s..]/.<. 
0040: DE 1E 88 98 3B 65 B1 00 3C 00 00 05 FF 01 00 01 ....;e..<....... 
0050: 00             . 
[Raw read]: length = 5 
0000: 16 03 03 10 8E          ..... 
[Raw read]: length = 4238 

0310: 03 55 1D 0F 01 01 FF 04 04 03 02 05 A0 30 34 06 .U...........04. 
0320: 03 55 1D 25 04 2D 30 2B 06 08 2B 06 01 05 05 07 .U.%.-0+..+..... 


0450: 33 2D 61 69 61 2E 76 65 72 69 73 69 67 6E 2E 63 3-aia.verisign.c 
0460: 6F 6D 2F 53 56 52 49 6E 74 6C 47 33 2E 63 65 72 om/SVRIntlG3.cer 

main, READ: TLSv1.2 Handshake, length = 4238 
*** Certificate chain 
chain [0] = [ 
[ 
    Version: V3 
    Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US 
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 

    Key: Sun RSA public key, 2048 bits 
    modulus: 30229676159696194917135440681975777728948709702479449945212097279930911021756291412408692828743836980749310830284879195994844527811837445892117218165863252223136982773 
    public exponent: 65537 
    Validity: [From: Wed Jun 26 00:00:00 UTC 2013, 
       To: Fri Sep 01 23:59:59 UTC 2017] 
    Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 
    SerialNumber: [ 35f39c92 33cdc613 33b1d586 14e578b2] 

Certificate Extensions: 8 
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false 
AuthorityInfoAccess [ 
    [ 
    accessMethod: ocsp 
    accessLocation: URIName: http://ocsp.verisign.com 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer 
] 
] 

[2]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: D7 9B 7C D8 22 A0 15 F7 DD AD 5F CE 29 9B 58 C3 ...."....._.).X. 
0010: BC 46 00 B5          .F.. 
] 
] 

[3]: ObjectId: 2.5.29.19 Criticality=false 
BasicConstraints:[ 
    CA:false 
    PathLen: undefined 
] 

[4]: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl] 
]] 

[5]: ObjectId: 2.5.29.32 Criticality=false 
CertificatePolicies [ 
    [CertificatePolicyId: [2.16.840.1.113733.1.7.54] 
[PolicyQualifierInfo: [ 
    qualifierID: 1.3.6.1.5.5.7.2.1 
    qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve 
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73  risign.com/cps 

]] ] 
] 

[6]: ObjectId: 2.5.29.37 Criticality=false 
ExtendedKeyUsages [ 
    serverAuth 
    clientAuth 
    2.16.840.1.113730.4.1 
    1.3.6.1.4.1.311.10.3.3 
] 

[7]: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    DigitalSignature 
    Key_Encipherment 
] 

[8]: ObjectId: 2.5.29.17 Criticality=false 
SubjectAlternativeName [ 
    DNSName: services.americanexpress.com 
] 

] 
    Algorithm: [SHA1withRSA] 
    Signature: 
0000: 2D E6 45 41 B1 52 D9 55 57 04 45 DC 07 51 E5 8E -.EA.R.UW.E..Q.. 
0010: 5C 00 41 5F AB D5 84 A4 64 4D 55 CC 38 88 18 4E \.A_....dMU.8..N 

00D0: FD E9 93 D2 6A 55 24 F3 62 BE BD 99 EE 24 53 F5 ....jU$.b....$S. 
00E0: 96 E7 2E DE 3E D2 7B 1C 77 9A 45 C7 FA 68 A1 76 ....>...w.E..h.v 
00F0: 67 BA EC 81 83 FF 54 E2 A4 7E 47 AD 2C 39 62 F2 g.....T...G.,9b. 

] 
chain [1] = [ 
[ 
    Version: V3 
    Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 

    Key: Sun RSA public key, 2048 bits 
    modulus: 19420289231323388569960227299938029487260953720447310437792509462236918786001726710037662040142546936643383523519471181931421354900828966157275086870493679916429749573 
    public exponent: 65537 
    Validity: [From: Mon Feb 08 00:00:00 UTC 2010, 
       To: Fri Feb 07 23:59:59 UTC 2020] 
    Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 
    SerialNumber: [ 641be820 ce020813 f32d4d2d 95d67e67] 

Certificate Extensions: 10 
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 61 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 .a0_.].[0Y0W0U.. 
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0.. 
0020: 05 2B 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E .+.............. 
0030: 6B C3 CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 k...j.H.,...0%.# 
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri 
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E sign.com/vslogo. 
0060: 67 69 66           gif 


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false 
AuthorityInfoAccess [ 
    [ 
    accessMethod: ocsp 
    accessLocation: URIName: http://ocsp.verisign.com 
] 
] 

[3]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: 7F D3 65 A7 C2 DD EC BB F0 30 09 F3 43 39 FA 02 ..e......0..C9.. 
0010: AF 33 31 33          .313 
] 
] 

[4]: ObjectId: 2.5.29.19 Criticality=true 
BasicConstraints:[ 
    CA:true 
    PathLen:0 
] 

[5]: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://crl.verisign.com/pca3-g5.crl] 
]] 

[6]: ObjectId: 2.5.29.32 Criticality=false 
CertificatePolicies [ 
    [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3] 
[PolicyQualifierInfo: [ 
    qualifierID: 1.3.6.1.5.5.7.2.1 
    qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve 
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73  risign.com/cps 

], PolicyQualifierInfo: [ 
    qualifierID: 1.3.6.1.5.5.7.2.2 
    qualifier: 0000: 30 1E 1A 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 0...https://www. 
0010: 76 65 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 verisign.com/rpa 

]] ] 
] 

[7]: ObjectId: 2.5.29.37 Criticality=false 
ExtendedKeyUsages [ 
    serverAuth 
    clientAuth 
    2.16.840.1.113730.4.1 
    2.16.840.1.113733.1.8.1 
] 

[8]: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    Key_CertSign 
    Crl_Sign 
] 

[9]: ObjectId: 2.5.29.17 Criticality=false 
SubjectAlternativeName [ 
    CN=VeriSignMPKI-2-7 
] 

[10]: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: D7 9B 7C D8 22 A0 15 F7 DD AD 5F CE 29 9B 58 C3 ...."....._.).X. 
0010: BC 46 00 B5          .F.. 
] 
] 

] 
    Algorithm: [SHA1withRSA] 
    Signature: 
0000: 71 B5 7D 73 52 4A DD D7 4D 34 2B 2E AF 94 46 A5 q..sRJ..M4+...F. 
0010: 49 50 02 4F F8 2F 17 70 F2 13 DC 1F 21 86 AA C2 IP.O./.p....!... 
0020: 4F 7C 37 3C D4 46 78 AE 5D 78 6F D1 BA 5A BC 10 O.7<.Fx.]xo..Z.. 
0030: AB 58 36 C5 8C 62 15 45 60 17 21 E2 D5 42 A8 77 .X6..b.E`.!..B.w 
0040: A1 55 D8 43 04 51 F6 6E BA 48 E6 5D 4C B7 44 D3 .U.C.Q.n.H.]L.D. 
0050: 3E A4 D5 D6 33 9A 9F 0D E6 D7 4E 96 44 95 5A 6C >...3.....N.D.Zl 
0060: D6 A3 16 53 0E 98 43 CE A4 B8 C3 66 7A 05 5C 62 ...S..C....fz.\b 
0070: 10 E8 1B 12 DB 7D 2E 76 50 FF DF D7 6B 1B CC 8A .......vP...k... 
0080: CC 71 FA B3 40 56 7C 33 7A 77 94 5B F5 0B 53 FB [email protected][..S. 
0090: 0E 5F BC 68 FB AF 2A EE 30 37 79 16 93 25 7F 4D ._.h..*.07y..%.M 
00A0: 10 FF 57 FB BF 6E 3B 33 21 DE 79 DC 86 17 59 2D ..W..n;3!.y...Y- 
00B0: 43 64 B7 A6 66 87 EA BC 96 46 19 1A 86 8B 6F D7 Cd..f....F....o. 
00C0: B7 49 00 5B DB A3 BF 29 9A EE F7 D3 33 AE A3 F4 .I.[...)....3... 
00D0: 9E 4C CA 5E 69 D4 1B AD B7 90 77 6A D8 59 6F 79 .L.^i.....wj.Yoy 
00E0: AB 01 FA 55 F0 8A 21 66 E5 65 6E FD 7C D3 DF 1E ...U..!f.en..... 
00F0: EB 7E 3F 06 90 FB 19 0B D3 06 02 1B 78 43 99 A8 ..?.........xC.. 

] 
chain [2] = [ 
[ 
    Version: V3 
    Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 

    Key: Sun RSA public key, 2048 bits 
    modulus: 22109471102059671383796642714942393631149792360856487955190294587841800871022486252652612163196360832938367608763978013876844944237576704237206902072810376180366897841695320192789360300658269712766474225042097261456189264772686300705672328691871464945536513831768596383894122798581104077921511815271705394605095257256954381366139644740877956016759414080557948459417160074173313082409422023967584984099389949088073277478112907997447136173994433125025479812790590943737038696590266840534396683337181295383175344548120097700121250428676269067140626584500149856482388498317203907790209503513966223821253856296202557465877 
    public exponent: 65537 
    Validity: [From: Wed Nov 08 00:00:00 UTC 2006, 
       To: Wed Jul 16 23:59:59 UTC 2036] 
    Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 
    SerialNumber: [ 18dad19e 267de8bb 4a2158cd cc6b3b4a] 

Certificate Extensions: 4 
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 61 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 .a0_.].[0Y0W0U.. 
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0.. 
0020: 05 2B 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E .+.............. 
0030: 6B C3 CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 k...j.H.,...0%.# 
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri 
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E sign.com/vslogo. 
0060: 67 69 66           gif 


[2]: ObjectId: 2.5.29.19 Criticality=true 
BasicConstraints:[ 
    CA:true 
    PathLen:2147483647 
] 

[3]: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    Key_CertSign 
    Crl_Sign 
] 

[4]: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 7F D3 65 A7 C2 DD EC BB F0 30 09 F3 43 39 FA 02 ..e......0..C9.. 
0010: AF 33 31 33          .313 
] 
] 

] 
    Algorithm: [SHA1withRSA] 
    Signature: 
0000: 93 24 4A 30 5F 62 CF D8 1A 98 2F 3D EA DC 99 2D .$J0_b..../=...- 

00C0: EF A5 7D 45 40 72 8E B7 0E 6B 0E 06 FB 33 35 48 [email protected] 
00D0: 71 B8 9D 27 8B C4 65 5F 0D 86 76 9C 44 7A F6 95 q..'..e_..v.Dz.. 
00E0: 5C F6 5D 32 08 33 A4 54 B6 18 3F 68 5C F2 42 4A \.]2.3.T..?h\.BJ 
00F0: 85 38 54 83 5F D1 E8 2C F2 AC 11 D6 A8 ED 63 6A .8T._..,......cj 

] 
*** 
Found trusted certificate: 
[ 
[ 
    Version: V3 
    Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US 
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 

    Key: Sun RSA public key, 2048 bits 
    modulus: 30229676159696194917135440681975777728948709702479449945212097279930911021756291412408692828743836980749310830284879195994844527811837445892117218165863252223136982773 
    public exponent: 65537 
    Validity: [From: Wed Jun 26 00:00:00 UTC 2013, 
       To: Fri Sep 01 23:59:59 UTC 2017] 
    Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US 
    SerialNumber: [ 35f39c92 33cdc613 33b1d586 14e578b2] 

Certificate Extensions: 8 
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false 
AuthorityInfoAccess [ 
    [ 
    accessMethod: ocsp 
    accessLocation: URIName: http://ocsp.verisign.com 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer 
] 
] 

[2]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: D7 9B 7C D8 22 A0 15 F7 DD AD 5F CE 29 9B 58 C3 ...."....._.).X. 
0010: BC 46 00 B5          .F.. 
] 
] 

[3]: ObjectId: 2.5.29.19 Criticality=false 
BasicConstraints:[ 
    CA:false 
    PathLen: undefined 
] 

[4]: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl] 
]] 

[5]: ObjectId: 2.5.29.32 Criticality=false 
CertificatePolicies [ 
    [CertificatePolicyId: [2.16.840.1.113733.1.7.54] 
[PolicyQualifierInfo: [ 
    qualifierID: 1.3.6.1.5.5.7.2.1 
    qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve 
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73  risign.com/cps 

]] ] 
] 

[6]: ObjectId: 2.5.29.37 Criticality=false 
ExtendedKeyUsages [ 
    serverAuth 
    clientAuth 
    2.16.840.1.113730.4.1 
    1.3.6.1.4.1.311.10.3.3 
] 

[7]: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    DigitalSignature 
    Key_Encipherment 
] 

[8]: ObjectId: 2.5.29.17 Criticality=false 
SubjectAlternativeName [ 
    DNSName: services.americanexpress.com 
] 

] 
    Algorithm: [SHA1withRSA] 
    Signature: 
0000: 2D E6 45 41 B1 52 D9 55 57 04 45 DC 07 51 E5 8E -.EA.R.UW.E..Q.. 
0010: 5C 00 41 5F AB D5 84 A4 64 4D 55 CC 38 88 18 4E \.A_....dMU.8..N 
0020: 1D CB 0D 88 D5 02 A5 E2 73 72 62 B3 51 49 6F 20 ........srb.QIo 

00C0: B7 1E 87 B7 AE D8 AB 29 83 A5 69 00 D3 07 BE 45 .......)..i....E 
00D0: FD E9 93 D2 6A 55 24 F3 62 BE BD 99 EE 24 53 F5 ....jU$.b....$S. 
00E0: 96 E7 2E DE 3E D2 7B 1C 77 9A 45 C7 FA 68 A1 76 ....>...w.E..h.v 
00F0: 67 BA EC 81 83 FF 54 E2 A4 7E 47 AD 2C 39 62 F2 g.....T...G.,9b. 

] 
[read] MD5 and SHA1 hashes: len = 4238 
0000: 0B 00 10 8A 00 10 87 00 05 7A 30 82 05 76 30 82 .........z0..v0. 
0010: 04 5E A0 03 02 01 02 02 10 35 F3 9C 92 33 CD C6 .^.......5...3.. 
0020: 13 33 B1 D5 86 14 E5 78 B2 30 0D 06 09 2A 86 48 .3.....x.0...*.H 
0030: 86 F7 0D 01 01 05 05 00 30 81 BC 31 0B 30 09 06 ........0..1.0.. 
0040: 03 55 04 06 13 02 55 53 31 17 30 15 06 03 55 04 .U....US1.0...U. 
0050: 0A 13 0E 56 65 72 69 53 69 67 6E 2C 20 49 6E 63 ...VeriSign, Inc 
0060: 2E 31 1F 30 1D 06 03 55 04 0B 13 16 56 65 72 69 .1.0...U....Veri 
0070: 53 69 67 6E 20 54 72 75 73 74 20 4E 65 74 77 6F Sign Trust Netwo 

07A0: C4 28 C6 E3 AD 79 1F 27 10 98 B8 BB 20 97 C1 28 .(...y.'.... ..(
07B0: 44 41 0F EA A9 A8 52 CF 4D 4E 1B 8B BB B5 C4 76 DA....R.MN.....v 
07C0: D9 CC 56 06 EE B3 55 20 2A DE 15 8D 71 CB 54 C8 ..V...U *...q.T. 
07D0: 6F 17 CD 89 00 E4 DC FF E1 C0 1F 68 71 E9 C7 29 o..........hq..) 
07E0: 2E 7E BC 3B FC E5 BB AB 26 54 8B 66 90 CD F6 92 ...;....&T.f.... 
07F0: B9 31 24 80 BC 9E 6C D5 FC 7E D2 E1 4B 8C DC 42 .1$...l.....K..B 

1080: 54 83 5F D1 E8 2C F2 AC 11 D6 A8 ED 63 6A  T._..,......cj 
[Raw read]: length = 5 
0000: 16 03 03 00 2E          ..... 
[Raw read]: length = 46 
0000: 0D 00 00 26 03 01 02 40 00 1E 06 01 06 02 06 03 ...&[email protected] 
0010: 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 ................ 
0020: 03 03 02 01 02 02 02 03 00 00 0E 00 00 00  .............. 
main, READ: TLSv1.2 Handshake, length = 46 
*** CertificateRequest 
Cert Types: RSA, DSS, ECDSA 
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA 
Cert Authorities: 
<Empty> 
[read] MD5 and SHA1 hashes: len = 42 
0000: 0D 00 00 26 03 01 02 40 00 1E 06 01 06 02 06 03 ...&[email protected] 
0010: 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 ................ 
0020: 03 03 02 01 02 02 02 03 00 00     .......... 
*** ServerHelloDone 
[read] MD5 and SHA1 hashes: len = 4 
0000: 0E 00 00 00          .... 
Warning: no suitable certificate found - continuing without client authentication 
*** Certificate chain 
<Empty> 
*** 
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2 
[write] MD5 and SHA1 hashes: len = 269 
0000: 0B 00 00 03 00 00 00 10 00 01 02 01 00 BE 4B B7 ..............K. 

0110: 8F 98            .. 
SESSION KEYGEN: 
PreMaster Secret: 
0000: 03 03 8D 61 C0 F9 AC 11 FA 20 C4 6D 78 C0 2E 3F ...a..... .mx..? 
0010: 0A 60 C6 BA 36 C2 E6 28 AE B3 12 38 EC F0 52 E0 .`..6..(...8..R. 
0020: 72 BC 31 16 34 B5 88 3C 4E BB C8 E2 50 EA 20 00 r.1.4..<N...P. . 
CONNECTION KEYGEN: 
Client Nonce: 
0000: 57 4A 6C 81 FD 94 DA 65 99 A0 39 F6 24 81 6F 3E WJl....e..9.$.o> 
0010: 6A E2 8D 8C 66 2F 7B F4 6C C0 0C 8C BB F9 D0 6A j...f/..l......j 
Server Nonce: 
0000: 90 E6 BB 39 B7 B1 8E 67 DA 71 65 74 25 D1 B7 CF ...9...g.qet%... 
0010: ED D4 1A 6C 2B 0B 06 8C 0E 5E 25 07 3F 8D E3 6F ...l+....^%.?..o 
Master Secret: 
0000: 38 C7 96 B8 C2 C3 51 55 49 E2 95 C2 D8 23 28 E9 8.....QUI....#(. 
0010: 9D 08 40 21 3F C6 85 E9 3E 3B B7 67 6A 76 26 7E [email protected]!?...>;.gjv&. 
0020: 97 E6 2C 80 FF 81 C4 33 D1 9F BF 42 35 2D AB 73 ..,....3...B5-.s 
Client MAC write Secret: 
0000: 67 7E 5C C7 7B 2B 5F 5E 38 42 A1 21 2C FE F1 F2 g.\..+_^8B.!,... 
0010: DD E4 BB 46 7D 35 BF C6 29 40 A8 8B B5 D6 DE 11 ...F.5..)@...... 
Server MAC write Secret: 
0000: AD 34 13 00 5F 27 F1 21 AA 3B 63 75 76 1A 1A 89 .4.._'.!.;cuv... 
0010: 9A CD 4D E3 1B DB 7F 83 65 1A 6A EE 0A 6F 33 86 ..M.....e.j..o3. 
Client write key: 
0000: E7 8D 41 0F FB 52 FF BF A1 D4 DB E8 BB 25 91 96 ..A..R.......%.. 
Server write key: 
0000: 3E 09 29 43 AF F4 AB 98 2A C3 4D 53 B1 9D 33 5D >.)C....*.MS..3] 
... no IV derived for this protocol 
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1 
[Raw write]: length = 6 
0000: 14 03 03 00 01 01         ...... 
*** Finished 
verify_data: { 82, 58, 56, 177, 242, 110, 34, 212, 168, 243, 94, 249 } 
*** 
[write] MD5 and SHA1 hashes: len = 16 
0000: 14 00 00 0C 52 3A 38 B1 F2 6E 22 D4 A8 F3 5E F9 ....R:8..n"...^. 
Padded plaintext before ENCRYPTION: len = 80 
0000: 8C E5 C6 F2 8F A1 37 D2 7B 43 6A 26 FD 9F 23 48 ......7..Cj&..#H 
0010: 14 00 00 0C 52 3A 38 B1 F2 6E 22 D4 A8 F3 5E F9 ....R:8..n"...^. 
0020: EE EF 79 2B C0 62 2A 7B C9 63 A3 71 41 F3 CE E2 ..y+.b*..c.qA... 
0030: C2 6D EA 72 78 3C B5 10 FE BF D1 10 E8 A8 C1 BA .m.rx<.......... 
0040: 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F ................ 
main, WRITE: TLSv1.2 Handshake, length = 80 
[Raw write]: length = 85 
0000: 16 03 03 00 50 A5 DE 9B 39 37 C5 1F 81 3E E4 00 ....P...97...>.. 
0010: 18 C8 89 6B F3 46 9B 89 73 4A 64 20 52 0E BD 93 ...k.F..sJd R... 
0020: 4D F3 AF D8 6B 90 56 60 4F 9E DE 96 06 EE 05 F3 M...k.V`O....... 
0030: 32 CC 7A A6 85 C9 22 72 59 A9 05 B3 D4 A5 A9 E2 2.z..."rY....... 
0040: A9 6A B5 51 49 B8 E9 DC CC 56 DB EF DB DB 06 8E .j.QI....V...... 
0050: 37 BB F4 48 7F          7..H. 
[Raw read]: length = 5 
0000: 15 03 03 00 02          ..... 
[Raw read]: length = 2 
0000: 02 28            .(
main, READ: TLSv1.2 Alert, length = 2 
main, RECV TLSv1.2 ALERT: fatal, handshake_failure 
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256] 
main, called closeSocket() 
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 

Kann nicht herausfinden, was das ist, Anwendung mit java1.6 arbeitete aber SSLPoke können beide Szenarien nicht

Antwort

0

Ich habe herausgefunden, dass Client auch Verifizierung hatte. Es war also 2-Wege-Authentifizierung. Der Client musste auch mein öffentliches Zertifikat in den Keystore importieren.

2
*** CertificateRequest 
Cert Types: RSA, DSS, ECDSA 
Supported Signature Algorithms: ... 
Cert Authorities: 
<Empty> 
... 
Warning: no suitable certificate found - continuing without client authentication 

So offensichtlich der Server will, dass Sie ein Client-Zertifikat übergeben zurück senden (Certificate), die Sie haben nicht konfiguriert (kein passendes Zertifikat gefunden). Wahrscheinlich hatten Sie das erforderliche Zertifikat im Keystore mit Java 1.6, aber Sie haben es nicht im Keystore für Java 1.8.

+0

Danke für Ihre Antwort @Steffen. Ich bin sicher, dass ich das CERT importiert habe, und ich habe den anderen Truststore auch benutzt, den java1.6 benutzt, plus Gewohnheit, die wir haben. Alle 3 geben die gleiche Antwort. Ich habe das Zertifikat mit diesem Befehl erhalten, und es ist genau dasselbe Zertifikat, das sie zur Verfügung gestellt haben: openssl s_client -connect services.americanexpress.com:443 public.crt –

+0

'openssl s_client -connect services.americanexpress.com:443 public.crt' 'sudo/usr/java/aktuell/jre/bin/keytool -import -trustcacerts -alias s.amex. com -file public.crt -keystore /usr/java/jdk1.8.0_60/jre/lib/security/cacerts Das Zertifikat wurde zum Schlüsselspeicher' hinzugefügt. 'java SSLPoke services.americanexpress.com 443 javax.net.ssl.SSLHandshakeException : Erhaltene fatale Warnung: handshake_failure' –

+0

Da es cert gibt, beschwert es sich nicht, dass das Zertifikat nicht vorhanden ist: 'java -Djavax.net.ssl.trustStore =/usr/java/jdk1.8.0_60/jre/lib/Sicherheit/cacerts SSLPoke services.americanexpress.com 443 javax.net.ssl.SSLHandshakeException: Empfangene fatale Warnung: handshake_failure \t bei SSLPoke.main (SSLPoke.java:31) ' Sonst hätte sich beschwert wie: ' sun.security.validator.ValidatorException: PKIX-Pfad Gebäude fehlgeschlagen: sun.security.provider.certpath.SunCertPathBuilderException: nicht in der Lage, gültige Zertifizierung Pfad zum angeforderten Ziel zu finden ' –