Ssl-server on switch 12.2-53SE shows invalide cert-Type

Hello,
after enrolling a cert via m
Certificate type not approved for application.
(Error code: sec_error_inadequate_cert_type)

''SniperFodder [[#answer-626818|said]]''
<blockquote>
I however, do not. It's something specific to Firefox I seem to be having. Maybe I'm running an outdated version of Chrome? Which would be hard seeing as chrome itself says it's up to date: Version 37.0.2062.120 m
I appreciate the link to Bug 1034124, However the SSL certificate itself IS NOT self signed. Only the CA is, which signed the SSL Cert. I guess what I mean to be asking is... Is Firefox Rejecting my SSL Cert, because my CA Is Self Signed?
I also offer the CA Cert for download since no one would have the cert in their stores. Would this also affect it?
I've attached a screen shot of the error I'm getting so that it's available for the ticket. The following is also the "plaintext" verison of the error I'm getting:
"Certificate type not approved for application."
</blockquote>

Similar Messages

Soap sender adapter show invalid content type

Hi dear mates,
I have a SOAP-JMS scenario working succesfully on 7.3.1. But in 30 min after ICM restart (usin SMICM) something wrong happend because all Soap sender adapter fails showing that error.
<text>com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Could not parse XMBMessage due to invalid content type for SOAP: TEXT/HTML
If I restart manually ICM still working fine until next 30 min more or less.
I have added MP transform bean to ensure that I am sending UTF-8 propertly. But it doens't work.
Does anybody know a clue why occurs this strange behavior?
Thanks in advance and regards.
José Antonio.

Thanks Vladimir,
This is exactly the behavior. And yesterday we have to increase the memory because it has 32gb shared in two PI instances, 16gb(DEV) and 16gb(TEST). And the memory was always full.
Recently I found the trouble. Doing SLDCHECK have this trouble also. SLDCHECK error-Check and maintain the SLD content for the current client
So, I re-register once again the system in rz70 and review related Bussiness System. And BS pipeline URL was wrong :S because it hasn't be wrote with path /sap/xi/engine?type=entry.
After restart SLD I do sldcheck and it looks perfect.
Thanks to all.
I hope this stupid error do not disturb any other consultants.
Best Regards.
Jose.

SChannel error- The SSL server credential's certificate does not have a private key information property attached to it.

We have a public SSL certificate that allows for Active Directory sync with LDAPS on port 636 with our email smart host. This was working fine and suddenly stopped working and we are now getting SChannel errors Event ID 36869. There were no changes made
to the Exchange server, the firewall or the DC which holds the certificate. I have run a new certreq from the DC and then re-keyed the public SSL certificate and re-installed 3 times but the error does not go away and AD Sync with the vendor
fails. When I run LDP.exe the connection on port 636 fails with "cannot open connection" and the system event log throws the S Channel event 36869 "The SSL server credential's certificate does
not have a private key information property attached to it" There is no software firewall set on the DC. When I run Certutil -VerifyStore MY it shows the current certificates as well as the revoked and expired certificates
correctly. Certificate 0 is the public cert and is listed with Server and Client authentication, the FQDN of the server is correct and "Certificate is Valid" is listed. The private cert is Certificate 1 and has server and client authentication, the
FQDN is correct, Private key is not exportable and it ends with Certificate is Valid. I do not see a point in re-keying the cert again until I figure out what the root of the problem is. I have read in some forums that the private cert should not be set to
expire after the public cert but that does not make a lot of sense when in a situation like this the private cert is of course newer than the public. In fact it is too early to renew the public cert. I have been troubleshooting this for a few days and at this
point I would have to drop my AD sync with the vendor to LDAP in order to add new users. I do not want to do that for obvious reasons and I do not want to have our spam filtering and email archive service running without Directory sync. Any help would be greatly
appreciated.

Hi,
Have you tried this?
How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services
http://support.microsoft.com/kb/889651
Best Regards,
Amy

SSL Server: No available certificate or key.... exception

Hi,
I want to create a very simple SSL Server for testing purposes.
I have searched google and these forums for an answer, but anything that I found did not help (will say below what I tried).
Here is my code:
import java.io.IOException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
public class Server {
     private int port = 25000;
     private SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
     public Server() {
          try {
               SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
               Echo echo = new Echo(socket);
               Thread t = new Thread(echo);
               t.start();
          } catch (IOException e) {
               e.printStackTrace();
     public static void main(String[] args) {
          new Server();
}and
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
public class Echo implements Runnable {
     SSLServerSocket socket;
     public Echo(SSLServerSocket socket) {
          this.socket = socket;
     @Override
     public void run() {
          try {
               SSLSocket connectedSocket = (SSLSocket) socket.accept();
               // creating the streams
               InputStream inputstream = connectedSocket.getInputStream();
            InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
            BufferedReader in = new BufferedReader(inputstreamreader);
            OutputStream outputstream = connectedSocket.getOutputStream();
            OutputStreamWriter outputstreamwriter = new OutputStreamWriter(outputstream);
            BufferedWriter out = new BufferedWriter(outputstreamwriter);
            // echoing...
            String input = "";
            while (input.compareTo("abort") != 0) {
                 input = in.readLine();
                 System.out.println("Server received message: " + input);
                 out.write(input + " " + input);
                 out.flush();
          } catch (IOException e) {
               e.printStackTrace();
}When I run the code, I get
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
     at Echo.run(Echo.java:24)
Line 24 in Echo.java is SSLSocket connectedSocket = (SSLSocket) socket.accept();
I have created a keystore according to the JSSE documentation: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
I have tried relative and full pathnames for javax.net.ssl.keyStore, as well as copying the keystore right into the directory with the class-files
I have tried to set javax.net.ssl.keyStore (and javax.net.ssl.keyStorePassword) via the command line's -D switch and via System.setProperty
After all that failed, I even tried to import the generated public key into the server's keystore as well
No matter what I did, I always get above exception upon calling accept().
I am using Java 6 (Java(TM) SE Runtime Environment (build 1.6.0_17-b04)) on Windows 7 64 Bit
Any help is appreciated.

I have created a keystore according to the JSSE documentation: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
Are you sure you created a keystore with an RSA keypair, and not a DSA keypair?

Step by Step : How to Create an SSL Server Certificate (Part 3)

How to Create an SSL Server Certificate (Part 3)
In the previous part you have completed step 10, now you are almost there.
Step 11:
This is another very important step.
Leave the settings as is or tick more options if you know what you do.
Step 12:
Again leave as it is.
Step 13:
Another important step !
In the DNS Name field enter the host name(s) separated by spaces (or commas), e.g.
myserver.name.private myserver.dyndns.org
You can enter your local IP if you wish.
Step 14:
Certificate Assistant now procedes to create your certificate. Within a few seconds you should see the new certificate in your Keychain.
Switch to Server App (if at this stage Server App has crashed, don't worry , re-open Server App and proceed.
Repeat step 2 described in Part 1 and select the new certificate from the drop-down menu of available certificates.
You may want to use this certificate for all services (iChat, iCal, Mail, Web) or create different ones.
If you use the same certificate for all services the name of the certificate is diplayed next to "SSL Certificate", if you don't you will see "Custom" instead.
Addendum:
1. Do not forget to open port 443 in your router to enable https connections.
2. Enable SSL in your iCal account settings if you wish.
Enjoy your server !

Hi,
Are you talking about the Mercedes leaderboard ad? Because that look a lot more complicated than "fade in - fade out" images?
Anyway... I am looking at the easiest way to create a banner ad with fade in - fade out images that I have created in illustrator.
This tutorial helped me alot.
http://www.youtube.com/watch?v=gFw-1D8yaMs&NR=1
cheers

SSL Server PSE - loading existing certificate via STRUST

We are configuring XI ABAP stack (via transaction STRUST) to use HTTP adapter for secure communication with business partners for inbound communication (SAP WAS will take a role of SSL server).
We would like to re-use SSL Global Server certificate purchased and installed already on our XI JAVA stack for RNIF adapter (can this be done at all?), but importing/installing it via STRUST in SSL Server PSE is so confusing and it does not work. How can we load servers private/public keys in STRUST?
We used Replace function to change default SAP cert in SSL Server PSE to our own server cert, entered all possible CNs, OUs and Os, however little popup screen during Replace does not allow to enter all needed values according to the naming convention of CA we are using, default SAP CA uses less information, can this create a problem?
We installed Intermediate and Root certs in IE, but still getting message that server certificate is not trusted when trying https from the browser.
Any help will be appreciated.
Thanks!
Margaret

We just went through a similar situation. We are switching from external to internal ITS. We also tried to "import" an existing certificate - unsuccessfully. We opened an OSS note and were told this funcitionality was not meant for this use - you have to create a new certificate. You can however use the root certificates in the SAP database - if the one you use is in the list. Click on "certificates" in transaction STRUST and then import.
Hope this helps.

Netscape cert type does not permit use for SSL server on Weblogic

We have WLS 11g (11.1.1.5 SOA) on UNIX and we are trying to connect secured service (Using client certificate along with UserName and Password for Authentication ). I was able to test it using SOAP UI.
But when I am testing the webservice I am facing listed error
java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://abcd:1111/JWSs/V1/TermsWS at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:575) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at
and domain log shows that
Caused By: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
Please help me to resolve listed issue.
Can I use Netscape client certificate on WLS?
Do I need to take any extra care while working with client cert?
I appreciate your help.

Netscape cert type does not permit use for SSL clientTry using another certificate. Your certificate can't be used as a web browser client certificate.

Server Busy, Switch To...

Upon Start-Up, I get the error message 'Server Busy, Switch to..." However, most of the fixes for this involve using keyboard or mouse. They are currently inaccessible. I know it's NOT the keyboard or mouse functionality, however. How can
I start up without this error message showing. I tried starting in Safe Mode to no avail. Any suggestions would be appreciated.
Thanks, Piper

Obviously.
The subject of this thread is "How to stop "server busy" switch to message.".
Therefore, my question, which I think was pretty clear, especially related to the thread topic was "Any update on this?! I've been through seven Customer Service calls/chats and still nothing has helped."
Where's you're confusion?

X.509v3 KeyUsage for an SSL Server

Hello,
Apparently, JSSE clients (incl. 1.0.2) will not trust an SSL server if its cert has a critical keyUsage extension that does not include the digitalSignature usage. However, I have come across a number of CAs which routinely issue SSL server certs including a critical keyUsage extension which only has the keyEncipherment usage.
I came across a posting in the comp.lang.java.security newsgroup where the author indicated he subitted this behavior as a bug to Sun, but it's not currently showing up in the bug database.
Does any one know if JSSE is correct in requiring the digitalSignature usage? Where can I find an authoritative answer? Also, what's Sun's position on the matter?
Thanks in advance,
Chase

Here's a work around for this problem. I've tested it only on 1.3.1_01, so YMMV.
The idea is to wrap the default X509TrustManagers with a new Manager that intercepts the isServerTrusted method. From there, you can wrap the first certificate in the chain with a new X509Certificate object that reports that the digitalSignature KeyUsage is present for all certs.
Now when the REAL isServerTrusted is called, the certificate will report that digitalSignature is present -- even if it isn't.
It may be possible to approach this from the other side and change the default CertificateFactory...but I haven't really looked into that...and probably won't.
Wayne
---BEGIN CODE FRAGMENT---
//Create TrustStore
KeyStore ts = KeyStore.getInstance("JKS");
InputStream truststream = new FileInputStream(truststore);
ts.load(truststream, trustphrase.toCharArray());
//Get Trust Factory
TrustManagerFactory tmanagerFac = TrustManagerFactory.getInstance("SunX509");
tmanagerFac.init(ts);
//Wrap the TrustManagers
TrustManager[] trustManagers = tmanagerFac.getTrustManagers();
for(int mancount=0; mancount<trustManagers.length; mancount++) {
if(trustManagers[mancount] instanceof X509TrustManager) {
TrustManager tempMan =
new FixedX509TrustManager((X509TrustManager)trustManagers[mancount]);
trustManagers[mancount] = tempMan;
//Create Context
SSLContext context = SSLContext.getInstance("TLS");
context.init(
kmanagerFac.getKeyManagers(), //very similar to creating TrustManagerFactory, code not provided.
trustManagers,
null);
//Now you can pull SocketFactory's and ServerSocketFactory's off this SSLContext.
//SUPPORTING CLASSES
* Wrapper class for X509TrustManager.
* It intercepts calls to isServerTrusted() to replace the base certificate
* with a FixedX509Certificate which will report that the digitalSignature
* flag is set in the KeyUsage extension.
* By default, the Sun implementation of JSSE requires Server certs to have
* the digitalSignature flag set. However, many production certs do not have
* this set because it probably SHOULDN'T be set.
* By using this class to wrap all the X509TrustManagers in your SSLContext,
* you can defeat this bug, and restore order to the universe.
private class FixedX509TrustManager implements X509TrustManager {
private X509TrustManager tm_ = null; //wrapped trustmanager
public FixedX509TrustManager(X509TrustManager tm) {
tm_ = tm;
//replace the base cert with a cert that has a forced digitalSignature Usage.
public boolean isServerTrusted(X509Certificate[] chain) {
if(chain.length > 0) {
X509Certificate forcedCert = new FixedX509Certificate(chain[0]);
chain[0] = forcedCert;
return tm_.isServerTrusted(chain);
public boolean isClientTrusted(X509Certificate[] chain) {
return tm_.isClientTrusted(chain);
public X509Certificate[] getAcceptedIssuers() {
return tm_.getAcceptedIssuers();
* Wrapper class for X509Certificate.
* Calls to getKeyUsage() are intercepted to always report that the digitalSingature
* usage flag is set.
* @see FixedX509TrustManager
private class FixedX509Certificate extends X509Certificate {
private X509Certificate cert_ = null; //the wrapped cert
public FixedX509Certificate(X509Certificate cert) {
cert_ = cert;
// "Override" to force every cert to have digitalSignature set.
public boolean[] getKeyUsage()
boolean[] bits = cert_.getKeyUsage();
if(bits.length > 0) {
bits[0] = true; //force digitalSignature.
return bits;
//Just wrap the rest of the methods....
public void checkValidity()
throws CertificateExpiredException, CertificateNotYetValidException
cert_.checkValidity();
public void checkValidity(Date date)
throws CertificateExpiredException, CertificateNotYetValidException
cert_.checkValidity(date);
public int getVersion()
return cert_.getVersion();
public BigInteger getSerialNumber()
return cert_.getSerialNumber();
public Principal getIssuerDN()
return cert_.getIssuerDN();
public Principal getSubjectDN()
return cert_.getSubjectDN();
public Date getNotBefore()
return cert_.getNotBefore();
public Date getNotAfter()
return cert_.getNotAfter();
public byte[] getTBSCertificate()
throws CertificateEncodingException
return cert_.getTBSCertificate();
public byte[] getSignature() {
return cert_.getSignature();
public String getSigAlgName()
return cert_.getSigAlgName();
public String getSigAlgOID()
return cert_.getSigAlgOID();
public byte[] getSigAlgParams()
return cert_.getSigAlgParams();
public boolean[] getIssuerUniqueID()
return cert_.getIssuerUniqueID();
public boolean[] getSubjectUniqueID()
return cert_.getSubjectUniqueID();
public int getBasicConstraints()
return cert_.getBasicConstraints();
public boolean hasUnsupportedCriticalExtension()
return cert_.hasUnsupportedCriticalExtension();
public Set getCriticalExtensionOIDs() {
return cert_.getCriticalExtensionOIDs();
public Set getNonCriticalExtensionOIDs()
return cert_.getNonCriticalExtensionOIDs();
public byte[] getExtensionValue(java.lang.String ext)
return cert_.getExtensionValue(ext);
public byte[] getEncoded() throws CertificateEncodingException
return cert_.getEncoded();
public PublicKey getPublicKey()
return cert_.getPublicKey();
public int hashCode()
return cert_.hashCode();
public String toString()
return cert_.toString();
public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException,
InvalidKeyException, NoSuchProviderException, SignatureException
cert_.verify(key);
public void verify(PublicKey key, String provider) throws CertificateException, NoSuchAlgorithmException,
InvalidKeyException, NoSuchProviderException, SignatureException
cert_.verify(key, provider);
</pre>
---END CODE FRAGMENT---

Connecting Java client to SSL server with existing certificates

I am currently trying to connect my Java client to an existing server application
written in C++. I have been provided the needed certificates (root.pem, server.pem,
and client.pem). My code simply creates a SSLSocket and then attempts to read
from it. Something goes wrong during the handshake process and I get a SSLHandshakeException. The certificates have been added to the keystore
I am using, and I do not know any other action to take.
Here is the debug output:
setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: keystore.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: [email protected], CN=Employee, OU=test, O=company-USA, L=City, ST=AL, C=US
Issuer: [email protected], CN=company Employee, OU=test, O="company, Inc.", L=City, ST=AL, C=US
Algorithm: RSA; Serial number: 0xb40b909f74d167aa
Valid from Tue Sep 12 09:42:01 CDT 2006 until Thu Oct 12 09:42:01 CDT 2006
adding as trusted cert:
Subject: [email protected], CN=Employee, OU=test, O="company, Inc.", L=City, ST=AL, C=US
Issuer: [email protected], CN=ISAC Employee, OU=test, O="company, Inc.", L=City, ST=AL, C=US
Algorithm: RSA; Serial number: 0xb40b909f74d167ab
Valid from Tue Sep 12 09:49:12 CDT 2006 until Thu Oct 12 09:49:12 CDT 2006
adding as trusted cert:
Subject: [email protected], CN=company Employee, OU=test, O="company, Inc.", L=City, ST=AL, C=US
Issuer: [email protected], CN=company, OU=test, O="company, Inc.", L=City, ST=AL, C=US
Algorithm: RSA; Serial number: 0xf6e3ada87dc4004f
Valid from Tue Sep 12 09:40:32 CDT 2006 until Thu Oct 12 09:40:32 CDT 2006
init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
SSL socket created
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1158089181 bytes = { 138, 112, 170, 91, 246, 86, 216, 146, 160, 188, 243, 154, 238, 132, 33, 219, 251, 3, 93, 25, 191, 247, 41, 14, 99, 135, 130, 23 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 79
0000: 01 00 00 4B 03 01 45 07 0A DD 8A 70 AA 5B F6 56 ...K..E....p.[.V
0010: D8 92 A0 BC F3 9A EE 84 21 DB FB 03 5D 19 BF F7 ........!...]...
0020: 29 0E 63 87 82 17 00 00 24 00 04 00 05 00 2F 00 ).c.....$...../.
0030: 35 00 33 00 39 00 32 00 38 00 0A 00 16 00 13 00 5.3.9.2.8.......
0040: 09 00 15 00 12 00 03 00 08 00 14 00 11 01 00 ...............
Client Thread, WRITE: TLSv1 Handshake, length = 79
[write] MD5 and SHA1 hashes: len = 107
0000: 01 03 01 00 42 00 00 00 20 00 00 04 01 00 80 00 ....B... .......
0010: 00 05 00 00 2F 00 00 35 00 00 33 00 00 39 00 00 ..../..5..3..9..
0020: 32 00 00 38 00 00 0A 07 00 C0 00 00 16 00 00 13 2..8............
0030: 00 00 09 06 00 40 00 00 15 00 00 12 00 00 03 02 .....@..........
0040: 00 80 00 00 08 00 00 14 00 00 11 45 07 0A DD 8A ...........E....
0050: 70 AA 5B F6 56 D8 92 A0 BC F3 9A EE 84 21 DB FB p.[.V........!..
0060: 03 5D 19 BF F7 29 0E 63 87 82 17 .]...).c...
Client Thread, WRITE: SSLv2 client hello message, length = 107
[Raw write]: length = 109
0000: 80 6B 01 03 01 00 42 00 00 00 20 00 00 04 01 00 .k....B... .....
0010: 80 00 00 05 00 00 2F 00 00 35 00 00 33 00 00 39 ....../..5..3..9
0020: 00 00 32 00 00 38 00 00 0A 07 00 C0 00 00 16 00 ..2..8..........
0030: 00 13 00 00 09 06 00 40 00 00 15 00 00 12 00 00 .......@........
0040: 03 02 00 80 00 00 08 00 00 14 00 00 11 45 07 0A .............E..
0050: DD 8A 70 AA 5B F6 56 D8 92 A0 BC F3 9A EE 84 21 ..p.[.V........!
0060: DB FB 03 5D 19 BF F7 29 0E 63 87 82 17 ...]...).c...
Client Thread, received EOFException: error
Client Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Client Thread, SEND TLSv1 ALERT: fatal, description = handshake_failure
Client Thread, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28 ......(
Client Thread, called closeSocket()
Error: Remote host closed connection during handshake
Thread-4, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

(I am the original poster of this message, I had to create a new username though).
The original problem had to do with incompatibilities with the protocol and/or cipher suites
used. Now, the client and server perform most of the handshake process, but something
goes wrong as the server requests the client certificate. In other words, the server requires
mutual authentication, but for some reason it seems like my JSSE client won't send over
it's client certificate. I don't get any type of bad certificate exceptions, so I'm not sure
where the source of the error lies.
Updated output:
setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : keystore
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: truststore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: [email protected], CN=Employee, OU=default, O="default Inc.", L=default, ST=AL, C=US
Issuer: [email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
Algorithm: RSA; Serial number: 0xb40b909f74d167ab
Valid from Tue Sep 12 09:49:12 CDT 2006 until Thu Oct 12 09:49:12 CDT 2006
adding as trusted cert:
Subject: [email protected], CN=default-Server, OU=HawkEye, O=default, L=default, ST=AL, C=US
Issuer: [email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
Algorithm: RSA; Serial number: 0xb40b909f74d167ac
Valid from Tue Sep 12 14:42:28 CDT 2006 until Thu Oct 12 14:42:28 CDT 2006
adding as trusted cert:
Subject: [email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
Issuer: [email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
Algorithm: RSA; Serial number: 0xf6e3ada87dc4004f
Valid from Tue Sep 12 09:40:32 CDT 2006 until Thu Oct 12 09:40:32 CDT 2006
init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1158242806 bytes = { 71, 195, 185, 44, 86, 96, 14, 11, 171, 76, 105, 135, 136, 114, 53, 54, 137, 75, 202, 254, 112, 208, 240, 91, 199, 246, 175, 207 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
Client Thread, WRITE: TLSv1 Handshake, length = 79
Client Thread, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1158242807 bytes = { 63, 93, 48, 73, 98, 251, 160, 215, 61, 110, 246, 12, 5, 209, 95, 194, 152, 193, 0, 181, 135, 26, 150, 174, 52, 92, 56, 250 }
Session ID: {83, 31, 134, 30, 76, 200, 183, 120, 7, 94, 26, 65, 186, 91, 197, 25, 10, 193, 94, 220, 198, 250, 162, 153, 6, 89, 12, 250, 66, 105, 249, 211}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
%% Created: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
Client Thread, READ: TLSv1 Handshake, length = 1903
*** Certificate chain
chain [0] = [
Version: V3
Subject: [email protected], CN=Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 164546130673614659100546464587508805401937082626997447139358150641653094778762702643605529386963945060462618417820295217144739538713137107756847225226998964727905246706969036839701385553183842454061172884072035749790213037240682893878786969498404371282074360019097248835858617183835587887295684928062301303789
public exponent: 65537
Validity: [From: Tue Sep 12 09:49:12 CDT 2006,
               To: Thu Oct 12 09:49:12 CDT 2006]
Issuer: [email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
SerialNumber: [    b40b909f 74d167ab]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C8 EA 02 93 42 9E 44 D1 55 7D 2D 32 4B 9B 1C 6D ....B.D.U.-2K..m
0010: 63 6B 73 82 cks.
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 2C BC 66 DC 06 BA 62 79 3B 1A 20 92 E0 81 71 A0 ,.f...by;. ...q.
0010: 0D 05 3C 95 ..<.
[[email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US]
SerialNumber: [    f6e3ada8 7dc4004f]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [SHA1withRSA]
Signature:
0000: BF 60 5A 67 3E E6 F0 92 4F E4 81 6D 71 0A 2E E8 .`Zg>...O..mq...
0010: F3 59 A1 87 7B D1 3A 7A CB FF D6 39 63 79 B6 82 .Y....:z...9cy..
0020: 2A 22 D0 46 51 30 6B 2A 61 6B A0 4C F0 3B CE 5B *".FQ0k*ak.L.;.[
0030: 9C 1D 46 CB D7 C2 B2 23 E2 A5 06 CD 12 F8 A9 CB ..F....#........
0040: B5 A2 43 B1 06 4C 42 B5 67 F2 DF 50 6B BC 8A 5E ..C..LB.g..Pk..^
0050: 95 0D F3 2A 73 A8 5A C8 55 77 D7 36 74 16 9E 05 ...*s.Z.Uw.6t...
0060: 85 C6 DC 3C 44 D3 06 5E 47 0C 1F 80 40 30 C7 D8 ...<D..^G...@0..
0070: 8C 27 FF B9 0C 71 EB D4 31 5C 1F 15 A1 23 6F A2 .'...q..1\...#o.
chain [1] = [
Version: V3
Subject: [email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 140862286957037297158683104484469503810921697537964422595574798580128510755934413463045842414762254029728885690233847950678735782281077619629628663140568366247472189890316085560712610474766899389736269383565795688749374256479726939861138704211990111677657317335172626254520371267441364353295155431963634875809
public exponent: 65537
Validity: [From: Tue Sep 12 09:40:32 CDT 2006,
               To: Thu Oct 12 09:40:32 CDT 2006]
Issuer: [email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
SerialNumber: [    f6e3ada8 7dc4004f]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2C BC 66 DC 06 BA 62 79 3B 1A 20 92 E0 81 71 A0 ,.f...by;. ...q.
0010: 0D 05 3C 95 ..<.
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 2C BC 66 DC 06 BA 62 79 3B 1A 20 92 E0 81 71 A0 ,.f...by;. ...q.
0010: 0D 05 3C 95 ..<.
[[email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US]
SerialNumber: [    f6e3ada8 7dc4004f]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [SHA1withRSA]
Signature:
0000: AB 84 38 1F 7B 71 D8 87 FF 24 DB C2 7E DC D0 0B ..8..q...$......
0010: 60 60 14 A8 F8 D5 46 AD 6B FC 33 90 6F 43 08 17 ``....F.k.3.oC..
0020: AE 2B EE 6C 2B 29 85 E2 A6 67 EE 5D A4 61 F3 9E .+.l+)...g.].a..
0030: E7 CA B1 27 F9 11 36 ED 93 05 7B E1 20 90 57 B5 ...'..6..... .W.
0040: C6 F9 8A 9D 50 CD B3 4A 54 DC 1B 52 EC EA 7A 0B ....P..JT..R..z.
0050: B6 E6 95 FD DD 80 BE 66 F0 77 F4 E7 9A 8A A3 EF .......f.w......
0060: 9B 68 57 0C 9C 4B 4C C0 24 C5 34 16 D3 8E 45 27 .hW..KL.$.4...E'
0070: CA 23 F1 E0 C5 5E FB FB AA 1C 21 6E CB 5B 57 D9 .#...^....!n.[W.
Found trusted certificate:
Version: V3
Subject: [email protected], CN=Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 164546130673614659100546464587508805401937082626997447139358150641653094778762702643605529386963945060462618417820295217144739538713137107756847225226998964727905246706969036839701385553183842454061172884072035749790213037240682893878786969498404371282074360019097248835858617183835587887295684928062301303789
public exponent: 65537
Validity: [From: Tue Sep 12 09:49:12 CDT 2006,
               To: Thu Oct 12 09:49:12 CDT 2006]
Issuer: [email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US
SerialNumber: [    b40b909f 74d167ab]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C8 EA 02 93 42 9E 44 D1 55 7D 2D 32 4B 9B 1C 6D ....B.D.U.-2K..m
0010: 63 6B 73 82 cks.
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 2C BC 66 DC 06 BA 62 79 3B 1A 20 92 E0 81 71 A0 ,.f...by;. ...q.
0010: 0D 05 3C 95 ..<.
[[email protected], CN=default Employee, OU=default, O="default, Inc.", L=default, ST=AL, C=US]
SerialNumber: [    f6e3ada8 7dc4004f]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [SHA1withRSA]
Signature:
0000: BF 60 5A 67 3E E6 F0 92 4F E4 81 6D 71 0A 2E E8 .`Zg>...O..mq...
0010: F3 59 A1 87 7B D1 3A 7A CB FF D6 39 63 79 B6 82 .Y....:z...9cy..
0020: 2A 22 D0 46 51 30 6B 2A 61 6B A0 4C F0 3B CE 5B *".FQ0k*ak.L.;.[
0030: 9C 1D 46 CB D7 C2 B2 23 E2 A5 06 CD 12 F8 A9 CB ..F....#........
0040: B5 A2 43 B1 06 4C 42 B5 67 F2 DF 50 6B BC 8A 5E ..C..LB.g..Pk..^
0050: 95 0D F3 2A 73 A8 5A C8 55 77 D7 36 74 16 9E 05 ...*s.Z.Uw.6t...
0060: 85 C6 DC 3C 44 D3 06 5E 47 0C 1F 80 40 30 C7 D8 ...<D..^G...@0..
0070: 8C 27 FF B9 0C 71 EB D4 31 5C 1F 15 A1 23 6F A2 .'...q..1\...#o.
Client Thread, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
*** ServerHelloDone
*** Certificate chain
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 27, 159, 38, 131, 132, 24, 47, 148, 161, 90, 7, 39, 189, 28, 178, 156, 20, 151, 220, 192, 239, 182, 115, 234, 99, 225, 68, 250, 199, 173, 96, 181, 78, 180, 238, 37, 243, 72, 19, 91, 249, 11, 49, 83, 1, 150 }
Client Thread, WRITE: TLSv1 Handshake, length = 141
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 1B 9F 26 83 84 18 2F 94 A1 5A 07 27 BD 1C ....&.../..Z.'..
0010: B2 9C 14 97 DC C0 EF B6 73 EA 63 E1 44 FA C7 AD ........s.c.D...
0020: 60 B5 4E B4 EE 25 F3 48 13 5B F9 0B 31 53 01 96 `.N..%.H.[..1S..
CONNECTION KEYGEN:
Client Nonce:
0000: 45 09 62 F6 47 C3 B9 2C 56 60 0E 0B AB 4C 69 87 E.b.G..,V`...Li.
0010: 88 72 35 36 89 4B CA FE 70 D0 F0 5B C7 F6 AF CF .r56.K..p..[....
Server Nonce:
0000: 45 09 62 F7 3F 5D 30 49 62 FB A0 D7 3D 6E F6 0C E.b.?]0Ib...=n..
0010: 05 D1 5F C2 98 C1 00 B5 87 1A 96 AE 34 5C 38 FA .._.........4\8.
Master Secret:
0000: 0E 63 38 16 86 A1 84 72 33 2C D7 07 D7 C3 AC E0 .c8....r3,......
0010: AD 5B CD 3B 2E 2A 02 91 1E FE 17 97 4E 3B 56 C3 .[.;.*......N;V.
0020: 5D 0F 7A 99 90 0D 3D 4E 5F 39 C5 EB 6E AD DA 71 ].z...=N_9..n..q
Client MAC write Secret:
0000: 99 32 FA 60 0B 88 36 CD 88 02 D5 4A CA D2 A6 49 .2.`..6....J...I
0010: 69 60 42 B6 i`B.
Server MAC write Secret:
0000: 43 3F 85 72 FB 6D 28 1C BA 1E 8A 26 56 DE 18 FB C?.r.m(....&V...
0010: 01 83 20 7F .. .
Client write key:
0000: 6F 58 29 AB B3 8C F5 75 3C 70 04 DF 9D 01 43 F5 oX)....u<p....C.
Server write key:
0000: 4A D7 E9 63 53 32 78 DF E0 99 89 60 A4 1A 3C E7 J..cS2x....`..<.
Client write IV:
0000: 24 FB 0E 12 AB D2 70 6D 80 B1 B2 BC 78 1A 55 88 $.....pm....x.U.
Server write IV:
0000: E4 75 62 25 46 95 0F 7A 44 16 E2 39 38 AD 29 CD .ub%F..zD..98.).
HawkEye Client Thread, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 98, 254, 245, 75, 252, 23, 91, 164, 67, 197, 69, 44 }
Client Thread, WRITE: TLSv1 Handshake, length = 48
Client Thread, READ: TLSv1 Alert, length = 2
Client Thread, RECV TLSv1 ALERT: fatal, handshake_failure
Client Thread, called closeSocket()
Client Thread, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Error: Received fatal alert: handshake_failure
Thread-4, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

TS1702 Maps program does not work. In standard it only shows a grid. If I ask for a route it shows start and end point and three route boxes but nothing else. It does show directions. If I switch to hybrid it shows to routes but no roads. Background is a

Maps program does not work. In standard it only shows a grid. If I ask for a route it shows start and end point and three route boxes but nothing else. It does show directions. If I switch to hybrid it shows to routes but no roads. Background is a blur.

Do you have a question? This is a user to user help forum. Apple is not here only other users like yourself. You don't report problems to Apple here.
By the way, it might help if you indicated where you are located.
To complain to Apple use http://www.apple.com/feedback/ipad.html

A fatal error when attempting to access the SSL server credential private key. Error code 0x8009030d. Windows 8.1.

Hi,
We develop a server-side application which receives incoming https connections using self-signed certificate. It was all ok while we were using Windows 7 or Windows 2008 as OS, but when our clients started installing Windows 8 as server OS they encountered
big problem: application got unavailable in few hours after start.
In event logs we have following:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
After restart, application recreates certificate and all works normal few hours till next fatal error.
This
article did not help us. And I repeat that this error appears only on Windows 8 (we tested on Windows 8.1). Windows 2012 Server we did not test yet.
How we can solve this problem?
Best regards.

Hi,
Since this article released in 2008,I suspect the code mentioned in this article doesn't supprot Windows 8.
And since the certificate was written by C#,I suggest you submit a new case on MSDN Forum as they will be more professional on your issue:
https://social.msdn.microsoft.com/Forums/en-US/home
Regards,
Kelvin hsu
TechNet Community Support

Is it possible to install Lion on the second hard disk on my Mini (2010) Snow Leopard Server, and switch between Lion and Snow Leopard? I like those voices Lion has in speech.

Is it possible to install Lion on the second hard disk on my Mini (2010) Snow Leopard Server, and switch between Lion and Snow Leopard? I like those voices Lion has in speech.

When baltwosaid NO emphatically, that was described as CORRECT ANSWER. Ditto in the caeses of the radically different answers from Camelotand Matt Clifton
Could it be that CORRECT ANSWER needs better defining by Apple?
That apart, yes, switching might involve rebooting. About the voices, well, I was the other day adding voice to a commentary in a video I was working on. There's only American English accent in SL — Lion I believe has British ones as well.
Why not, I wondered, try to install Lion purely for academic interest, maybe with an SD card (Sandisk Ultra II, 16GB) as Tom Nelson says is possible at http://macs.about.com/od/macoperatingsystems/ss/Perform-A-Clean-Install-Of-Os-X- Lion-On-Your-Mac.htm

Switched video settings on my Mac Mini and now the bloody thing shows "Invalid Format" on my TV (used as monitor for years) and I cannot get it to switch back.

Switched video settings on my Mac Mini and now the bloody thing shows "Invalid Format" on my TV (used as monitor for years) and I cannot get it to switch back.
What can I do to get it to work again as more than an overpriced paperweight?

Hello,
Safe Boot from the HD, (holding Shift key down at bootup), see if you can set a good resolution.

Server Admin connected but doesn't show anything

Server Admin can't seem to show anything from the local server. Overview is empty and the services overview says Not available, Yet I know the services are available. I rebooted the server, but nothing.
Any hints as to what is happening. I look at system.log but nothing jumps at a me for a problem. And the servermgrd only shows:
#Start-Date: 2010-02-18 17:30:19 EST
#Fields: date time s-comment
2010-02-18 17:30:19 EST Initalizing plugins
2010-02-18 17:30:21 EST Listening for requests
How do I get back control?

I believe the GUI communicates via servermgrd. You could try "sudo launchctl load /System/Library/LaunchDaemons/ com.apple.servermgrd.plist" and replace "load" with "unload" as required.
Verify that servermgrd is running to begin with.
Also, you could remove the server from the list, reboot, and add it back via IP or loopback address and "server_name.local" to see if it responds.
You might also see if it will respond to the Admin Tools installed on an appropriate workstation.

Ssl-server on switch 12.2-53SE shows invalide cert-Type

Similar Messages

Maybe you are looking for