
Below is a snippet from the debug output of a failing SSL handshake with client authentication. I'm nearly certain I have all relevant certificates in my keystore. I've also attempted to trust all servers like this -Dcom.sun.net.ssl.checkRevocation=false and based on Medhi's answer to this Is there a java setting for disabling certificate validation?. I always get the same unknown_ca exception.

Is it possible this exception is coming from the server not liking the credentials I'm supplying as a client instead? How can one tell which side this error is from?

0000: A6 B5 D1 75 74 B2 73 97   E1 B2 BA 5B 56 75 6E 09  ...ut.s....[Vun.
Server write key:
0000: E3 DF 3B CC 9A 6C DF A4   47 A0 69 51 D9 80 0F F2  ..;..l..G.iQ....
... no IV derived for this protocol
*** CertificateVerify
Signature Algorithm SHA512withRSA
MyMain, WRITE: TLSv1.2 Handshake, length = 264
MyMain, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 69, 68, 30, 177, 182, 137, 211, 81, 29, 49, 195, 244 }
***
MyMain, WRITE: TLSv1.2 Handshake, length = 80
MyMain, READ: TLSv1.2 Alert, length = 2
MyMain, RECV TLSv1.2 ALERT:  fatal, unknown_ca
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
MyMain, called closeSocket()
Evan

1 Answer

MyMain, RECV TLSv1.2 ALERT:  fatal, unknown_ca

The client received a TLS alert from the server because the server does not know (unknown) and therefore does not trust the issuer (ca) of the certificate sent by the client.

This means that either your client does not send the certificate expected by the server, that the client failed to include necessary intermediate certificates so that the certificate verification failed or it might be misconfiguration on the server side.

... I've also attempted to trust all servers ...

This does not help here. The problem is not the client failing to validate the server certificate but the server failing to validate the client certificate. Disabling certificate validation on the client side has no effect on the certificate validation on the server side, which is the problem here.

Steffen Ullrich
  • It also seems to be a protocol error by the client, as it isn't permitted to send a certificate that isn't ultimately signed by one of the signers the server mentioned in the CertificateRequest message. – user207421 Jun 18 '19 at 23:32
  • @user207421: Nothing in the provided debug information shows that the server is sending a list of accepted CAs. Note that such a list is optional (i.e. might be empty) in which case *"... the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary"* (RFC 5246 section 7.4.4). – Steffen Ullrich Jun 19 '19 at 05:48
  • Thanks for confirming. I suspected as much. This web service is run by a partner, who insists that I don't have their certs installed on my side. Made me question. The cert I provide to them to identify me is one they generated for me. It does not have an intermediate certificate. It does chain to a root cert which they also make available. Is it possible I need to send this root cert with the public key of the cert they provided me? Seems crazy, and I suspect something is just broken on their side, but I'm a noob in SSL. – Evan Jun 19 '19 at 16:07
  • @Evan: root certificates do not need to be sent and should not be sent. – Steffen Ullrich Jun 19 '19 at 16:12
  • Appreciate it. Makes perfect sense to me. – Evan Jun 19 '19 at 16:12
  • The third party involved here finally fixed their server. Pointed them to this page. – Evan Jun 25 '19 at 17:54
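As an added diagnostic that is not part of the question or the answer: the check below loads the key entry a JSSE client would present and walks its stored chain, showing the two client-side causes from the answer (a wrong certificate, or intermediates missing from the keystore entry) and the point from the comments that a self-signed root in the chain adds nothing. The keystore path, password and alias are command-line arguments and are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Walks the certificate chain stored under one keystore alias the way a
// TLS client will send it, and flags the gaps a server reports as unknown_ca.
public class ClientChainCheck {
    public static void main(String[] args) throws Exception {
        // Assumed arguments: keystore path, keystore password, key alias.
        String path = args[0], password = args[1], alias = args[2];
        KeyStore ks = KeyStore.getInstance(path.endsWith(".p12") ? "PKCS12" : "JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        if (!ks.isKeyEntry(alias)) {
            System.out.println("alias '" + alias + "' has no private key: the client cannot authenticate with it");
            return;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("chain length for '" + alias + "': " + chain.length);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            System.out.printf("[%d] subject: %s%n    issuer:  %s%n", i,
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
            cert.checkValidity(); // throws if expired or not yet valid
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            if (i + 1 < chain.length) {
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                    System.out.println("    BROKEN: next entry is not this certificate's issuer");
                }
                cert.verify(issuer.getPublicKey()); // throws if the signature does not check out
            } else if (selfSigned) {
                // A self-signed root ends the chain. It is redundant on the wire: the
                // server must already trust it, so sending it does not help against unknown_ca.
                System.out.println("    root certificate (self-signed) is included in the chain");
            } else {
                // Chain stops at a certificate the server must already know, i.e. an
                // intermediate. If the server does not have it, this is the unknown_ca cause.
                System.out.println("    chain ends here; issuer '" + cert.getIssuerX500Principal()
                        + "' is NOT in the keystore chain and must be trusted/known by the server");
            }
        }
    }
}
```

For the situation in the question (a leaf issued directly by the partner's root, no intermediate) the chain has length 1 and the last message names the root as the issuer the server itself must trust, which is consistent with the fix ending up on the server side.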