Environment: Windows, Java SDK 1.8, Apache HttpClient 4.5.2, keystore JKS, truststore JKS.
There is a remote server; the SSL connection is done in both directions.
First part is the truststore certificate check, which is done.
The keystore holds 2 chains of certificates with private keys.
Second part is the keystore client negotiation; at this point, through the handshake, there is a failure.
After investigating with Wireshark's help, the problem is that the wrong certificate is sent back to the remote server.
All debug flags are used; the remote server sends a TCP reset flag.
When the wrong certificate chain is deleted from the keystore, the handshake works.
The issue began after the “wrong” certificate was updated because it had expired.
I have to work with both chains.
RonyCh
- So what is your question? Seems you already found a solution. – Andreas Sep 12 '18 at 15:23
- I need to work with both chains – RonyCh Sep 12 '18 at 15:26
- Then have 2 key-stores, and select which one to use when you connect. Since both seem compatible with server, *you* have to supply the selection logic. – Andreas Sep 12 '18 at 15:28
- Interesting idea, problem is that it is a system level client. General idea is to treat all SSL communication with one key store, not replicate it for every third party. – RonyCh Sep 12 '18 at 15:32
- Then you need to [customize HttpClient](http://hc.apache.org/httpclient-3.x/sslguide.html) so you can supply the selection logic. – Andreas Sep 12 '18 at 15:34
- Found the same issue [link](https://stackoverflow.com/questions/23768843/jks-with-multiple-privatekeyentries) – RonyCh Sep 13 '18 at 10:15
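One way to supply the selection logic the comments ask for, as an added example that is not code from the question or from the Apache HttpClient project: HttpClient 4.5's `SSLContexts.custom().loadKeyMaterial(...)` accepts a `PrivateKeyStrategy`, so a single keystore with two `PrivateKeyEntry` chains can present a different alias per remote host, and an expired leaf is never offered. The host-to-alias map, alias names and file paths are assumptions; it also assumes JKS stores and a key password equal to the store password.

```java
import java.io.File;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.SSLContexts;

public class AliasSelectingClient {
    // Hypothetical mapping: remote host name -> keystore alias to present to that peer.
    static final Map<String, String> ALIAS_BY_HOST = new HashMap<>();
    static {
        ALIAS_BY_HOST.put("partner-a.example", "client-chain-a");
        ALIAS_BY_HOST.put("partner-b.example", "client-chain-b");
    }

    // Called by HttpClient's key manager with only the aliases whose key type and issuer
    // the server accepted in its CertificateRequest; returning null sends no client cert.
    static String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        if (socket == null) return null; // SSLEngine path: no socket to identify the peer
        String host = ((InetSocketAddress) socket.getRemoteSocketAddress()).getHostString();
        String wanted = ALIAS_BY_HOST.get(host);
        if (wanted == null || !aliases.containsKey(wanted)) {
            return null;
        }
        X509Certificate leaf = aliases.get(wanted).getCertChain()[0];
        try {
            leaf.checkValidity(); // never present an expired chain; that is what broke the handshake
        } catch (CertificateException e) {
            return null;
        }
        return wanted;
    }

    // Builds a client that trusts the truststore and picks its client chain with chooseAlias.
    static CloseableHttpClient build(File keystore, char[] ksPass, File truststore, char[] tsPass) throws Exception {
        SSLContext ctx = SSLContexts.custom()
                .loadTrustMaterial(truststore, tsPass)
                .loadKeyMaterial(keystore, ksPass, ksPass, AliasSelectingClient::chooseAlias)
                .build();
        return HttpClients.custom().setSSLSocketFactory(new SSLConnectionSocketFactory(ctx)).build();
    }
}
```

If the remote address resolves back to an IP rather than the configured host name, key the map on whatever `getHostString()` actually returns for that connection, which is easy to confirm with `-Djavax.net.debug=ssl:handshake` alongside the Wireshark capture.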