twitter / finagle

A fault tolerant, protocol-agnostic RPC system

Home Page: https://twitter.github.io/finagle


Client with TLS configuration not working on v21.8.0 - IllegalArgumentException: ApplicationProtocols.Supported is not supported at this time for SslContextClientEngineFactory. Remote Info: Not Available

Hakky54 opened this issue · comments

Describe the bug
I was using Finagle HTTP client v21.6.0, which was working fine, but I attempted to upgrade it to v21.8.0; however, my integration test is failing with the following stack trace:

23:10:33.575 [finagle/netty4-6-1] WARN  io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x42e3d02e]
com.twitter.finagle.ssl.SslConfigurationException: java.lang.IllegalArgumentException: ApplicationProtocols.Supported is not supported at this time for SslContextClientEngineFactory. Remote Info: Not Available
	at com.twitter.finagle.ssl.SslConfigurationException$.notSupported(SslConfigurationException.scala:18)
	at com.twitter.finagle.ssl.SslConfigurations$.checkApplicationProtocolsNotSupported(SslConfigurations.scala:228)
	at com.twitter.finagle.ssl.client.SslContextClientEngineFactory.apply(SslContextClientEngineFactory.scala:37)
	at com.twitter.finagle.netty4.ssl.client.Netty4ClientSslChannelInitializer.$anonfun$initChannel$1(Netty4ClientSslChannelInitializer.scala:141)
	at com.twitter.finagle.netty4.ssl.client.Netty4ClientSslChannelInitializer.$anonfun$initChannel$1$adapted(Netty4ClientSslChannelInitializer.scala:138)
	at scala.Option.foreach(Option.scala:437)
	at com.twitter.finagle.netty4.ssl.client.Netty4ClientSslChannelInitializer.initChannel(Netty4ClientSslChannelInitializer.scala:138)
	at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
	at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
	at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:938)
	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
	at io.netty.channel.DefaultChannelPipeline.addFirst(DefaultChannelPipeline.java:181)
	at io.netty.channel.DefaultChannelPipeline.addFirst(DefaultChannelPipeline.java:152)
	at com.twitter.finagle.netty4.channel.AbstractNetty4ClientChannelInitializer.initChannel(AbstractNetty4ClientChannelInitializer.scala:88)
	at com.twitter.finagle.netty4.channel.RawNetty4ClientChannelInitializer.initChannel(RawNetty4ClientChannelInitializer.scala:18)
	at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
	at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
	at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:938)
	at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
	at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46)
	at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463)
	at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115)
	at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650)
	at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514)
	at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429)
	at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:500)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at com.twitter.finagle.util.BlockingTimeTrackingThreadFactory$$anon$1.run(BlockingTimeTrackingThreadFactory.scala:23)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.IllegalArgumentException: ApplicationProtocols.Supported is not supported at this time for SslContextClientEngineFactory
	... 36 common frames omitted

See here for the build logs on GitHub Actions: https://github.com/Hakky54/mutual-tls-ssl/actions/runs/1203878245

In this repo I demonstrate how to easily configure 40+ HTTP clients with SSL/TLS, and I discovered the existing code did not work anymore with the latest Finagle client.

To Reproduce

  1. git clone git@github.com:Hakky54/mutual-tls-ssl.git or go to https://github.com/Hakky54/mutual-tls-ssl and download the repo
  2. git checkout bug/finagle-fails-over-ssl
  3. run init script to prepare ssl material: ./script/configure-two-way-authentication-by-trusting-root-ca.sh black-hole
  4. Run mvn install
  5. Analyse the integration test of the client module to find the error

Expected behavior
The client should not throw a runtime exception during initialisation just like how it worked fine on the previous version.

Environment
Finagle: 21.8.0
Java: 11 (OpenJDK)
Maven 3.6.3
OS: Mac OS X 11.5.2
IDEA: Intellij IDEA

Additional context
Used code snippet in project to configure finagle:

@Bean
public Service<Request, Response> finagle(@Autowired(required = false) SSLFactory sslFactory) throws URISyntaxException {
    var uri = new URI(SERVER_URL);
    var client = Http.client();
    if (nonNull(sslFactory)) {
        client = client
                .withTransport()
                .tls(sslFactory.getSslContext());
    }
    return client.newService(uri.getHost() + ":" + uri.getPort());
}

Hi @Hakky54, I'm a Finagle maintainer. Thank you for the detailed report.

I looked at the changelog for version 21.8.0 and there isn't anything related to SSL that changed from 21.6.0 to 21.8.0: https://github.com/twitter/finagle/releases/tag/finagle-21.8.0.

To help me understand better, I have some questions. Links to code snippets are helpful, too:

  1. What TLS version does the client support? What TLS version does the server support?
  2. The stack trace indicates ApplicationProtocols.Supported is not supported. What ALPN protocols are you using? https://github.com/twitter/finagle/blob/develop/finagle-core/src/main/scala/com/twitter/finagle/ssl/ApplicationProtocols.scala#L19-L31
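
Both questions above (which TLS version was negotiated, and whether the client offers ALPN) can be read from a JDK handshake debug log produced with `-Djavax.net.debug=ssl:handshake`. The following parser is an added example, not code from Finagle or from the participants in this thread; the sample log is constructed, the function names are hypothetical, and the rendering of the ALPN extension body in the second handshake is an assumption.

```python
import re

# Constructed sample in the pipe-delimited JDK 11 JSSE debug format.
# Thread names and timestamps are made up; the ALPN body layout is assumed.
SAMPLE_LOG = '''\
javax.net.ssl|DEBUG|24|exec-1|2021-01-01 10:00:00.000 CET|ClientHello.java:806|Consuming ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "extensions"          : [
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    }
  ]
}
)
javax.net.ssl|DEBUG|24|exec-1|2021-01-01 10:00:00.001 CET|ClientHello.java:836|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|24|exec-1|2021-01-01 10:00:00.002 CET|ServerHello.java:729|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|DEBUG|25|exec-2|2021-01-01 10:00:05.000 CET|ClientHello.java:806|Consuming ClientHello handshake message (
"ClientHello": {
  "extensions"          : [
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    }
  ]
}
)
javax.net.ssl|DEBUG|25|exec-2|2021-01-01 10:00:05.001 CET|ClientHello.java:836|Negotiated protocol version: TLSv1.3
'''

# javax.net.ssl|LEVEL|thread id|thread name|timestamp|source:line|message
RECORD = re.compile(
    r'^javax\.net\.ssl\|(?P<level>\w+)\|[^|]*\|(?P<thread>[^|]*)\|'
    r'(?P<ts>[^|]*)\|(?P<src>[^|]*)\|(?P<msg>.*)$')
# Extension header inside a dumped message, e.g.  "supported_versions (43)": {
EXT_HEADER = re.compile(r'^\s*"(?P<name>[a-z_0-9]+) \((?P<id>\d+)\)": \{')
# A one-line bracketed list; anchoring at both ends keeps hex-dump lines out.
BRACKET_LIST = re.compile(r'^\s*(?:"[^"]+":\s*)?\[(?P<items>[^\[\]]*)\]\s*$')
ALPN = "application_layer_protocol_negotiation"
LEGACY = {"TLSv1.1", "TLSv1", "SSLv3"}  # TLS 1.0/1.1 are deprecated (RFC 8996)


def split_records(text):
    """Group each header line with the multi-line dump that follows it."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"thread": m["thread"], "msg": m["msg"], "body": []})
        elif records:
            records[-1]["body"].append(line)
    return records


def parse_extensions(body):
    """Map extension name -> first one-line value list found in its block."""
    exts, current = {}, None
    for line in body:
        header = EXT_HEADER.match(line)
        if header:
            current = header["name"]
            exts[current] = []
            continue
        values = BRACKET_LIST.match(line)
        if values and current and not exts[current]:
            exts[current] = [v.strip() for v in values["items"].split(",") if v.strip()]
    return exts


def summarize(text):
    """One summary per ClientHello; assumes handshakes are not interleaved."""
    handshakes = []
    for rec in split_records(text):
        msg = rec["msg"]
        if "ClientHello handshake message" in msg:
            exts = parse_extensions(rec["body"])
            offered = exts.get("supported_versions", [])
            handshakes.append({
                "thread": rec["thread"],
                "extensions": sorted(exts),
                "offered_versions": offered,
                "legacy_offered": [v for v in offered if v in LEGACY],
                "alpn_offered": ALPN in exts,
                "alpn_protocols": exts.get(ALPN, []),
                "negotiated_version": None,
                "cipher_suite": None,
            })
        elif handshakes:
            hs = handshakes[-1]
            m = re.search(r"Negotiated protocol version: (\S+)", msg)
            if m:
                hs["negotiated_version"] = m[1]
            m = re.search(r"use cipher suite (\S+)", msg)
            if m:
                hs["cipher_suite"] = m[1]
    return handshakes


if __name__ == "__main__":
    for hs in summarize(SAMPLE_LOG):
        print(hs)
```

A handshake whose summary shows `alpn_offered` as `False` means the ClientHello carried no ALPN extension, so no application protocol was negotiated at the TLS layer for that connection.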

Hey Lily, thank you for replying this quickly!

Strange that nothing is popping up in the changelog. Let me dig into the logs on my side to provide more information.

1. What TLS version does the client support? What TLS version does the server support?

So the server supports:

  • TLSv1.3
  • TLSv1.2
  • TLSv1.1
  • TLSv1

And the client supports:

  • TLSv1.3
  • TLSv1.2
  • TLSv1.1
  • TLSv1

They negotiated to go with TLSv1.3

See here for the full handshake log of the server:
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.165 CEST|SignatureScheme.java:294|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.165 CEST|SignatureScheme.java:294|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.170 CEST|ClientHello.java:806|Consuming ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "26 B6 B0 B3 2D D3 F9 DF 2B DB F7 0B 1F 18 F6 E4 87 FE 38 5D 8E 53 C7 DA 3F FD 96 ED 55 D0 E6 C5",
  "session id"          : "33 53 03 B6 2D 1F C4 FC 4F B8 51 59 DB E4 00 0D E2 8B F9 89 4C 3D C6 4D E8 6A 8C 87 1C 85 96 1C",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [  
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 1D 0A B8 A3 E8 C5 C6   33 C7 FA CA DF 21 BE DB  ........3....!..
            0010: 37 39 A7 E8 BF FF B5 F1   87 11 10 09 13 22 C1 EC  79..........."..
            0020: 61 2E 22 9F 58 E8 26 79   45 85 39 51 01 3F 8D 96  a.".X.&yE.9Q.?..
            0030: 0A EF A0 E0 18 EE 9B 06   31 53 35 24 FD 48 74 F2  ........1S5$.Ht.
            0040: D9 
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.170 CEST|SSLExtensions.java:188|Consumed extension: supported_versions
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.170 CEST|ClientHello.java:836|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.171 CEST|SSLExtensions.java:188|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.171 CEST|PreSharedKeyExtension.java:809|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.171 CEST|SSLExtensions.java:169|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.171 CEST|SSLExtensions.java:169|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.171 CEST|SSLExtensions.java:188|Consumed extension: status_request
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.171 CEST|SSLExtensions.java:188|Consumed extension: supported_groups
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.171 CEST|SSLExtensions.java:159|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.172 CEST|SSLExtensions.java:188|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.172 CEST|SSLExtensions.java:188|Consumed extension: signature_algorithms_cert
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.172 CEST|SSLExtensions.java:159|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.172 CEST|SSLExtensions.java:159|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.172 CEST|SSLExtensions.java:169|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.173 CEST|SSLExtensions.java:188|Consumed extension: key_share
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.173 CEST|SSLExtensions.java:159|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.173 CEST|SSLExtensions.java:203|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.173 CEST|SSLExtensions.java:203|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.173 CEST|SSLExtensions.java:211|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.173 CEST|SSLExtensions.java:211|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.174 CEST|SignatureScheme.java:403|Unsupported signature scheme: dsa_sha256
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.174 CEST|SignatureScheme.java:403|Unsupported signature scheme: ecdsa_sha224
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.174 CEST|SignatureScheme.java:403|Unsupported signature scheme: rsa_sha224
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.174 CEST|SignatureScheme.java:403|Unsupported signature scheme: dsa_sha224
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.174 CEST|SignatureScheme.java:403|Unsupported signature scheme: dsa_sha1
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.174 CEST|SSLExtensions.java:220|Populated with extension: signature_algorithms
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.174 CEST|SignatureScheme.java:403|Unsupported signature scheme: dsa_sha256
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SignatureScheme.java:403|Unsupported signature scheme: ecdsa_sha224
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SignatureScheme.java:403|Unsupported signature scheme: rsa_sha224
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SignatureScheme.java:403|Unsupported signature scheme: dsa_sha224
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SignatureScheme.java:403|Unsupported signature scheme: dsa_sha1
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SSLExtensions.java:220|Populated with extension: signature_algorithms_cert
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SSLExtensions.java:203|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SSLExtensions.java:211|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SSLExtensions.java:203|Ignore unavailable extension: cookie
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SSLExtensions.java:211|Ignore impact of unsupported extension: psk_key_exchange_modes
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.175 CEST|SSLExtensions.java:211|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.176 CEST|SSLExtensions.java:203|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.176 CEST|ServerHello.java:729|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.189 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.190 CEST|ServerHello.java:580|Produced ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "82 9A E4 A6 27 EC 5F BC 7A 58 DC B7 E4 F5 C9 CE 59 8D C9 FC 6A 2D 67 A9 34 91 FC C4 EB 64 C4 A1",
  "session id"          : "33 53 03 B6 2D 1F C4 FC 4F B8 51 59 DB E4 00 0D E2 8B F9 89 4C 3D C6 4D E8 6A 8C 87 1C 85 96 1C",
  "cipher suite"        : "TLS_AES_128_GCM_SHA256(0x1301)",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    },
    "key_share (51)": {
      "server_share": {
        "named group": secp256r1
        "key_exchange": {
          0000: 04 C2 10 CD 41 4A 36 C5   65 2E A4 A0 AC 3D 4A 91  ....AJ6.e....=J.
          0010: 30 BC 2B BF C8 63 C1 7F   E2 20 0C 22 69 23 A1 A3  0.+..c... ."i#..
          0020: F7 D7 F9 A0 56 70 47 FA   D0 8D 47 7C 9E 62 6F 72  ....VpG...G..bor
          0030: 64 EA BC 3E 7C 4D 91 38   BD BE 7E 20 13 8C 3F FA  d..>.M.8... ..?.
          0040: C4 
        }
      },
    }
  ]
}
)
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.197 CEST|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.198 CEST|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|ALL|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.199 CEST|ServerNameExtension.java:528|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.199 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: server_name
javax.net.ssl|ALL|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.199 CEST|MaxFragExtension.java:471|Ignore unavailable max_fragment_length extension
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.199 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.199 CEST|AlpnExtension.java:363|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.199 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.200 CEST|EncryptedExtensions.java:137|Produced EncryptedExtensions message (
"EncryptedExtensions": [
  "supported_groups (10)": {
    "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  }
]
)
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.201 CEST|CertificateRequest.java:882|Produced CertificateRequest message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    }
  ]
}
)
javax.net.ssl|ALL|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.201 CEST|X509Authentication.java:264|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.201 CEST|CertificateMessage.java:1063|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.201 CEST|X509Authentication.java:264|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.201 CEST|CertificateMessage.java:1063|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.202 CEST|X509Authentication.java:264|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.202 CEST|CertificateMessage.java:1063|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.202 CEST|SunX509KeyManagerImpl.java:392|matching alias: server
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.202 CEST|StatusResponseManager.java:763|Staping disabled or is a resumed session
javax.net.ssl|ALL|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.202 CEST|CertStatusExtension.java:1117|Stapling is disabled for this connection
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.203 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: status_request
javax.net.ssl|ALL|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.203 CEST|CertStatusExtension.java:1117|Stapling is disabled for this connection
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.203 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: status_request
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.204 CEST|CertificateMessage.java:1002|Produced server Certificate message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "56 32 EA 97",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2021-09-05 23:07:46.000 CEST",
      "not  after"         : "2031-09-03 23:07:46.000 CEST",
      "subject"            : "CN=Hakan, OU=Amsterdam, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
          0010: FD 71 1B B3                                        .q..
          ]
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
            clientAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_Encipherment
            Data_Encipherment
            Key_Agreement
          ]
        },
        {
          ObjectId: 2.5.29.17 Criticality=true
          SubjectAlternativeName [
            DNSName: localhost
            DNSName: raspberrypi.local
            IPAddress: 127.0.0.1
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 99 6C 04 A2 6A ED D9 09   A8 72 89 F2 7B 63 D7 C0  .l..j....r...c..
          0010: 0E 02 1E B0                                        ....
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "73 4A C7 B4",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2021-09-05 23:07:41.000 CEST",
      "not  after"         : "2031-09-03 23:07:41.000 CEST",
      "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.19 Criticality=false
          BasicConstraints:[
            CA:true
            PathLen:3
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_CertSign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
          0010: FD 71 1B B3                                        .q..
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.230 CEST|CertificateVerify.java:1113|Produced server CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    0000: 42 70 94 9E FD BC 0B D1   7D 8A 0C 02 96 8B 80 4E  Bp.............N
    0010: 28 A3 94 19 27 59 CC 95   76 20 6A 95 EC 99 A5 8B  (...'Y..v j.....
    0020: 87 26 F4 5E 91 DE E6 D8   C8 51 2B 36 05 54 78 7A  .&.^.....Q+6.Txz
    0030: E9 1C 81 B6 09 5B 55 C0   8E 8E 66 CE 1B 9C 59 8B  .....[U...f...Y.
    0040: 47 6E 8B C5 F1 CC 5B EB   CD A1 8B B6 3D 1D F8 0A  Gn....[.....=...
    0050: 3E 95 E4 F1 6F 7F 16 AD   27 C3 FC D6 0A B8 A1 D9  >...o...'.......
    0060: A9 A3 7B 03 31 BE F6 49   28 B1 0A 99 44 EB 90 9E  ....1..I(...D...
    0070: 29 44 4D E8 46 69 25 7A   0D 91 78 46 FA 60 D7 D9  )DM.Fi%z..xF.`..
    0080: EA 97 8D 77 90 CD 6B B1   1D A7 A9 3E 36 B9 D3 4A  ...w..k....>6..J
    0090: 0C AA 45 B2 26 B7 D0 00   3E 50 2A 5F 53 37 C2 22  ..E.&...>P*_S7."
    00A0: 7D 0E 75 B8 02 F6 5D 61   39 87 84 5D 3F 4C 6B 21  ..u...]a9..]?Lk!
    00B0: 22 9A 0A FC A5 E2 8C 89   19 82 3A E0 D4 92 13 42  ".........:....B
    00C0: 8C 03 B3 DA D8 9F 44 18   07 73 A8 B8 E8 E6 5D 1F  ......D..s....].
    00D0: 4C D0 CC F4 CD B8 C9 E3   0E 41 8A 96 25 2F D9 C1  L........A..%/..
    00E0: 8A 85 9C AB 09 9A C0 C0   EF F2 52 F4 C9 06 0C D0  ..........R.....
    00F0: 6C B7 37 C2 C8 DB 49 79   18 03 21 FD EC EC 35 45  l.7...Iy..!...5E
  }
}
)
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.231 CEST|Finished.java:773|Produced server Finished handshake message (
"Finished": {
  "verify data": {
    0000: 3A D9 8F CE C7 E7 AE 33   A1 74 E9 6B 7E 49 98 27  :......3.t.k.I.'
    0010: 4E 37 52 13 BC D8 4C 0B   BC 20 A5 A7 24 C3 AF C8  N7R...L.. ..$...
  }'}
)
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.231 CEST|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|27|https-jsse-nio-8443-exec-4|2021-09-08 23:19:23.251 CEST|ChangeCipherSpec.java:250|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|28|https-jsse-nio-8443-exec-5|2021-09-08 23:19:23.376 CEST|CertificateMessage.java:1158|Consuming client Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "14 2C FB 97",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2021-09-05 23:07:46.000 CEST",
      "not  after"         : "2031-09-03 23:07:46.000 CEST",
      "subject"            : "CN=black-hole, OU=Altindag, O=Altindag, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
          0010: FD 71 1B B3                                        .q..
          ]
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
            clientAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_Encipherment
            Data_Encipherment
            Key_Agreement
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: A4 FD 24 A4 C3 BF 41 82   B6 48 A5 47 0F 62 1A C5  ..$...A..H.G.b..
          0010: 17 DF 93 7B                                        ....
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "73 4A C7 B4",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2021-09-05 23:07:41.000 CEST",
      "not  after"         : "2031-09-03 23:07:41.000 CEST",
      "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.19 Criticality=false
          BasicConstraints:[
            CA:true
            PathLen:3
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_CertSign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
          0010: FD 71 1B B3                                        .q..
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|28|https-jsse-nio-8443-exec-5|2021-09-08 23:19:23.390 CEST|X509TrustManagerImpl.java:292|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "73 4A C7 B4",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "not before"         : "2021-09-05 23:07:41.000 CEST",
    "not  after"         : "2031-09-03 23:07:41.000 CEST",
    "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:3
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_CertSign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
        0010: FD 71 1B B3                                        .q..
        ]
        ]
      }
    ]}
)
javax.net.ssl|DEBUG|28|https-jsse-nio-8443-exec-5|2021-09-08 23:19:23.392 CEST|CertificateVerify.java:1165|Consuming CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    0000: 81 09 12 D4 02 FB A5 F7   0D 29 B3 6B F3 6B 1C 8F  .........).k.k..
    0010: 64 B7 0D 47 87 DB 8D D3   5B 8C 94 8D B8 D5 2E BB  d..G....[.......
    0020: D3 DB 52 EF 34 9B 09 88   A1 FF EA 1E 2B B7 86 E7  ..R.4.......+...
    0030: 2A 05 F4 0B 94 D8 A1 C4   EC 66 4C 70 60 0C DC EC  *........fLp`...
    0040: F6 35 E2 6E C9 EF 8A 91   EE 47 F0 18 54 87 CA C9  .5.n.....G..T...
    0050: 95 77 A1 AE 3E EE 97 E3   88 16 8B 4D 8A 54 B7 E3  .w..>......M.T..
    0060: AA AD C4 4E 52 BF 58 E0   70 21 BD 7F 8F 81 37 30  ...NR.X.p!....70
    0070: 62 62 12 50 2C 2A 2A 32   70 3D 96 C7 38 DF C7 76  bb.P,**2p=..8..v
    0080: B5 BC C6 40 7B 0B 34 EC   9F 2F FA 58 FD E8 59 22  ...@..4../.X..Y"
    0090: 48 F8 66 6C 2A 1E 5F 02   5A 2B 8E 1B BD 70 7A 6D  H.fl*._.Z+...pzm
    00A0: B6 3E 69 76 A9 84 42 6C   AB F8 44 B9 14 7F 68 A8  .>iv..Bl..D...h.
    00B0: 72 54 08 7A CD 93 E7 ED   54 6E 29 B6 DD 40 85 1E  rT.z....Tn)..@..
    00C0: 77 06 FE 6C 98 44 8F 75   36 4E F6 7A 63 BE 93 5A  w..l.D.u6N.zc..Z
    00D0: 30 54 33 EB 27 2E F5 7B   E8 2F 9E 1E 0F 48 F7 81  0T3.'..../...H..
    00E0: 34 B7 3A 53 E1 16 61 AD   65 7F 12 3F 2B E7 12 ED  4.:S..a.e..?+...
    00F0: 68 0D E8 A3 AC 08 4E 52   27 66 92 3B 2E 4A C7 2E  h.....NR'f.;.J..
  }
}
)
javax.net.ssl|DEBUG|28|https-jsse-nio-8443-exec-5|2021-09-08 23:19:23.392 CEST|Finished.java:1044|Consuming client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 1E C2 3C 3F 28 6E 86 09   2B 36 E4 07 0C EC BB 22  ..<?(n..+6....."
    0010: 7A 50 05 37 36 4E 61 6E   94 55 B4 2F 63 CC A5 F1  zP.76Nan.U./c...
  }'}
)
javax.net.ssl|DEBUG|28|https-jsse-nio-8443-exec-5|2021-09-08 23:19:23.393 CEST|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|28|https-jsse-nio-8443-exec-5|2021-09-08 23:19:23.393 CEST|Finished.java:1148|Sending new session ticket
javax.net.ssl|DEBUG|28|https-jsse-nio-8443-exec-5|2021-09-08 23:19:23.393 CEST|NewSessionTicket.java:256|Produced NewSessionTicket handshake message (
"NewSessionTicket": {
  "ticket_lifetime"      : "86,400",
  "ticket_age_add"       : "<omitted>",
  "ticket_nonce"         : "01",
  "ticket"               : "59 A8 54 72 9F B0 27 F6 47 FC 5A 11 E9 F2 11 7C 7D E7 CD 05 C2 66 CE FF 12 70 DC 77 C6 BE 40 F6",
  "extensions"           : [
    <no extension>
  ]
}
)
See here for the full handshake log of the client:
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.080 CEST|ServerNameExtension.java:261|Unable to indicate server name
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.080 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: server_name
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.084 CEST|SignatureScheme.java:294|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.084 CEST|SignatureScheme.java:294|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|INFO|68|finagle/netty4-4-1|2021-09-08 23:19:23.088 CEST|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.088 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.089 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.104 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.105 CEST|PreSharedKeyExtension.java:634|No session to resume.
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.105 CEST|SSLExtensions.java:256|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.106 CEST|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "26 B6 B0 B3 2D D3 F9 DF 2B DB F7 0B 1F 18 F6 E4 87 FE 38 5D 8E 53 C7 DA 3F FD 96 ED 55 D0 E6 C5",
  "session id"          : "33 53 03 B6 2D 1F C4 FC 4F B8 51 59 DB E4 00 0D E2 8B F9 89 4C 3D C6 4D E8 6A 8C 87 1C 85 96 1C",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [  
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 1D 0A B8 A3 E8 C5 C6   33 C7 FA CA DF 21 BE DB  ........3....!..
            0010: 37 39 A7 E8 BF FF B5 F1   87 11 10 09 13 22 C1 EC  79..........."..
            0020: 61 2E 22 9F 58 E8 26 79   45 85 39 51 01 3F 8D 96  a.".X.&yE.9Q.?..
            0030: 0A EF A0 E0 18 EE 9B 06   31 53 35 24 FD 48 74 F2  ........1S5$.Ht.
            0040: D9 
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.238 CEST|ServerHello.java:884|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "82 9A E4 A6 27 EC 5F BC 7A 58 DC B7 E4 F5 C9 CE 59 8D C9 FC 6A 2D 67 A9 34 91 FC C4 EB 64 C4 A1",
  "session id"          : "33 53 03 B6 2D 1F C4 FC 4F B8 51 59 DB E4 00 0D E2 8B F9 89 4C 3D C6 4D E8 6A 8C 87 1C 85 96 1C",
  "cipher suite"        : "TLS_AES_128_GCM_SHA256(0x1301)",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    },
    "key_share (51)": {
      "server_share": {
        "named group": secp256r1
        "key_exchange": {
          0000: 04 C2 10 CD 41 4A 36 C5   65 2E A4 A0 AC 3D 4A 91  ....AJ6.e....=J.
          0010: 30 BC 2B BF C8 63 C1 7F   E2 20 0C 22 69 23 A1 A3  0.+..c... ."i#..
          0020: F7 D7 F9 A0 56 70 47 FA   D0 8D 47 7C 9E 62 6F 72  ....VpG...G..bor
          0030: 64 EA BC 3E 7C 4D 91 38   BD BE 7E 20 13 8C 3F FA  d..>.M.8... ..?.
          0040: C4 
        }
      },
    }
  ]
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.238 CEST|SSLExtensions.java:188|Consumed extension: supported_versions
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.238 CEST|ServerHello.java:980|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:159|Ignore unsupported extension: server_name
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:159|Ignore unsupported extension: max_fragment_length
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:159|Ignore unsupported extension: status_request
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:159|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:159|Ignore unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:159|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:159|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:188|Consumed extension: supported_versions
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:188|Consumed extension: key_share
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.239 CEST|SSLExtensions.java:159|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|PreSharedKeyExtension.java:867|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: extended_master_secret
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:211|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:211|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.240 CEST|SSLExtensions.java:203|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.249 CEST|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.250 CEST|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.251 CEST|ChangeCipherSpec.java:250|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.261 CEST|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
  "supported_groups (10)": {
    "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  }
]
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.261 CEST|SSLExtensions.java:169|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.261 CEST|SSLExtensions.java:169|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.261 CEST|SSLExtensions.java:188|Consumed extension: supported_groups
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.262 CEST|SSLExtensions.java:203|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.262 CEST|SSLExtensions.java:203|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.262 CEST|SSLExtensions.java:211|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.262 CEST|SSLExtensions.java:203|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.262 CEST|CertificateRequest.java:925|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    }
  ]
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.262 CEST|SSLExtensions.java:188|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.262 CEST|SSLExtensions.java:188|Consumed extension: signature_algorithms_cert
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.263 CEST|SSLExtensions.java:220|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.263 CEST|SSLExtensions.java:220|Populated with extension: signature_algorithms_cert
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.266 CEST|CertificateMessage.java:1152|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "56 32 EA 97",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2021-09-05 23:07:46.000 CEST",
      "not  after"         : "2031-09-03 23:07:46.000 CEST",
      "subject"            : "CN=Hakan, OU=Amsterdam, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
          0010: FD 71 1B B3                                        .q..
          ]
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
            clientAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_Encipherment
            Data_Encipherment
            Key_Agreement
          ]
        },
        {
          ObjectId: 2.5.29.17 Criticality=true
          SubjectAlternativeName [
            DNSName: localhost
            DNSName: raspberrypi.local
            IPAddress: 127.0.0.1
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 99 6C 04 A2 6A ED D9 09   A8 72 89 F2 7B 63 D7 C0  .l..j....r...c..
          0010: 0E 02 1E B0                                        ....
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "73 4A C7 B4",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2021-09-05 23:07:41.000 CEST",
      "not  after"         : "2031-09-03 23:07:41.000 CEST",
      "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.19 Criticality=false
          BasicConstraints:[
            CA:true
            PathLen:3
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_CertSign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
          0010: FD 71 1B B3                                        .q..
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.266 CEST|SSLExtensions.java:169|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.266 CEST|SSLExtensions.java:169|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.285 CEST|X509TrustManagerImpl.java:292|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "73 4A C7 B4",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "not before"         : "2021-09-05 23:07:41.000 CEST",
    "not  after"         : "2031-09-03 23:07:41.000 CEST",
    "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:3
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_CertSign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
        0010: FD 71 1B B3                                        .q..
        ]
        ]
      }
    ]}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.287 CEST|CertificateVerify.java:1165|Consuming CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    0000: 42 70 94 9E FD BC 0B D1   7D 8A 0C 02 96 8B 80 4E  Bp.............N
    0010: 28 A3 94 19 27 59 CC 95   76 20 6A 95 EC 99 A5 8B  (...'Y..v j.....
    0020: 87 26 F4 5E 91 DE E6 D8   C8 51 2B 36 05 54 78 7A  .&.^.....Q+6.Txz
    0030: E9 1C 81 B6 09 5B 55 C0   8E 8E 66 CE 1B 9C 59 8B  .....[U...f...Y.
    0040: 47 6E 8B C5 F1 CC 5B EB   CD A1 8B B6 3D 1D F8 0A  Gn....[.....=...
    0050: 3E 95 E4 F1 6F 7F 16 AD   27 C3 FC D6 0A B8 A1 D9  >...o...'.......
    0060: A9 A3 7B 03 31 BE F6 49   28 B1 0A 99 44 EB 90 9E  ....1..I(...D...
    0070: 29 44 4D E8 46 69 25 7A   0D 91 78 46 FA 60 D7 D9  )DM.Fi%z..xF.`..
    0080: EA 97 8D 77 90 CD 6B B1   1D A7 A9 3E 36 B9 D3 4A  ...w..k....>6..J
    0090: 0C AA 45 B2 26 B7 D0 00   3E 50 2A 5F 53 37 C2 22  ..E.&...>P*_S7."
    00A0: 7D 0E 75 B8 02 F6 5D 61   39 87 84 5D 3F 4C 6B 21  ..u...]a9..]?Lk!
    00B0: 22 9A 0A FC A5 E2 8C 89   19 82 3A E0 D4 92 13 42  ".........:....B
    00C0: 8C 03 B3 DA D8 9F 44 18   07 73 A8 B8 E8 E6 5D 1F  ......D..s....].
    00D0: 4C D0 CC F4 CD B8 C9 E3   0E 41 8A 96 25 2F D9 C1  L........A..%/..
    00E0: 8A 85 9C AB 09 9A C0 C0   EF F2 52 F4 C9 06 0C D0  ..........R.....
    00F0: 6C B7 37 C2 C8 DB 49 79   18 03 21 FD EC EC 35 45  l.7...Iy..!...5E
  }
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.288 CEST|Finished.java:907|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
    0000: 3A D9 8F CE C7 E7 AE 33   A1 74 E9 6B 7E 49 98 27  :......3.t.k.I.'
    0010: 4E 37 52 13 BC D8 4C 0B   BC 20 A5 A7 24 C3 AF C8  N7R...L.. ..$...
  }'}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.289 CEST|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|ALL|68|finagle/netty4-4-1|2021-09-08 23:19:23.289 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.289 CEST|CertificateMessage.java:1063|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|68|finagle/netty4-4-1|2021-09-08 23:19:23.289 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.289 CEST|CertificateMessage.java:1063|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|68|finagle/netty4-4-1|2021-09-08 23:19:23.289 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.289 CEST|CertificateMessage.java:1063|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.290 CEST|SunX509KeyManagerImpl.java:392|matching alias: client
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.291 CEST|CertificateMessage.java:1120|Produced client Certificate message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "14 2C FB 97",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2021-09-05 23:07:46.000 CEST",
      "not  after"         : "2031-09-03 23:07:46.000 CEST",
      "subject"            : "CN=black-hole, OU=Altindag, O=Altindag, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
          0010: FD 71 1B B3                                        .q..
          ]
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
            clientAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_Encipherment
            Data_Encipherment
            Key_Agreement
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: A4 FD 24 A4 C3 BF 41 82   B6 48 A5 47 0F 62 1A C5  ..$...A..H.G.b..
          0010: 17 DF 93 7B                                        ....
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "73 4A C7 B4",
      "signature algorithm": "SHA256withRSA",
      "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "not before"         : "2021-09-05 23:07:41.000 CEST",
      "not  after"         : "2031-09-03 23:07:41.000 CEST",
      "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.19 Criticality=false
          BasicConstraints:[
            CA:true
            PathLen:3
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_CertSign
          ]
        },
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 29 3A D2 CB 92 FD 43 D8   2D EB DA 13 CF 1E 19 FB  ):....C.-.......
          0010: FD 71 1B B3                                        .q..
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.324 CEST|CertificateVerify.java:1130|Produced client CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    0000: 81 09 12 D4 02 FB A5 F7   0D 29 B3 6B F3 6B 1C 8F  .........).k.k..
    0010: 64 B7 0D 47 87 DB 8D D3   5B 8C 94 8D B8 D5 2E BB  d..G....[.......
    0020: D3 DB 52 EF 34 9B 09 88   A1 FF EA 1E 2B B7 86 E7  ..R.4.......+...
    0030: 2A 05 F4 0B 94 D8 A1 C4   EC 66 4C 70 60 0C DC EC  *........fLp`...
    0040: F6 35 E2 6E C9 EF 8A 91   EE 47 F0 18 54 87 CA C9  .5.n.....G..T...
    0050: 95 77 A1 AE 3E EE 97 E3   88 16 8B 4D 8A 54 B7 E3  .w..>......M.T..
    0060: AA AD C4 4E 52 BF 58 E0   70 21 BD 7F 8F 81 37 30  ...NR.X.p!....70
    0070: 62 62 12 50 2C 2A 2A 32   70 3D 96 C7 38 DF C7 76  bb.P,**2p=..8..v
    0080: B5 BC C6 40 7B 0B 34 EC   9F 2F FA 58 FD E8 59 22  ...@..4../.X..Y"
    0090: 48 F8 66 6C 2A 1E 5F 02   5A 2B 8E 1B BD 70 7A 6D  H.fl*._.Z+...pzm
    00A0: B6 3E 69 76 A9 84 42 6C   AB F8 44 B9 14 7F 68 A8  .>iv..Bl..D...h.
    00B0: 72 54 08 7A CD 93 E7 ED   54 6E 29 B6 DD 40 85 1E  rT.z....Tn)..@..
    00C0: 77 06 FE 6C 98 44 8F 75   36 4E F6 7A 63 BE 93 5A  w..l.D.u6N.zc..Z
    00D0: 30 54 33 EB 27 2E F5 7B   E8 2F 9E 1E 0F 48 F7 81  0T3.'..../...H..
    00E0: 34 B7 3A 53 E1 16 61 AD   65 7F 12 3F 2B E7 12 ED  4.:S..a.e..?+...
    00F0: 68 0D E8 A3 AC 08 4E 52   27 66 92 3B 2E 4A C7 2E  h.....NR'f.;.J..
  }
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.324 CEST|Finished.java:674|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 1E C2 3C 3F 28 6E 86 09   2B 36 E4 07 0C EC BB 22  ..<?(n..+6....."
    0010: 7A 50 05 37 36 4E 61 6E   94 55 B4 2F 63 CC A5 F1  zP.76Nan.U./c...
  }'}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.325 CEST|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.396 CEST|NewSessionTicket.java:329|Consuming NewSessionTicket message (
"NewSessionTicket": {
  "ticket_lifetime"      : "86,400",
  "ticket_age_add"       : "<omitted>",
  "ticket_nonce"         : "01",
  "ticket"               : "59 A8 54 72 9F B0 27 F6 47 FC 5A 11 E9 F2 11 7C 7D E7 CD 05 C2 66 CE FF 12 70 DC 77 C6 BE 40 F6",
  "extensions"           : [
    <no extension>
  ]
}
)
**The above SSL handshake is for a spring-boot server with 2.5.4 and Finagle 21.6.0.** When I run it with Finagle 21.8.0, it fails before ever creating a client hello message to the server.

2. The stack trace indicates ApplicationProtocols.Supported is not supported. What ALPN protocols are you using?

The passing test gives the following logs:

javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.199 CEST|AlpnExtension.java:363|Ignore unavailable extension: application_layer_protocol_negotiation

It looks like the ALPN property is ignored as it is unavailable/not present. Could this be the cause of the issue?
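As an added example (not part of the original thread and not Finagle or JDK code): a small Python triage script for `javax.net.ssl` debug output in the format pasted above. It groups records by thread and reports the negotiated version, the handshake messages seen and every ALPN-related record. The sample input is constructed from lines in that format, and the function names and the `alpn_in_play` heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Record header as it appears in the logs above:
# javax.net.ssl|LEVEL|thread id|thread name|timestamp|Source.java:line|message
RECORD = re.compile(
    r"^javax\.net\.ssl\|(?P<level>[A-Z]+)\|(?P<tid>[0-9A-F]+)\|(?P<thread>[^|]*)\|"
    r"(?P<ts>[^|]*)\|(?P<src>[\w$]+\.java):(?P<line>\d+)\|(?P<msg>.*)$"
)
# "Produced ClientHello handshake message (", "Produced client Certificate message (", ...
HANDSHAKE_MSG = re.compile(
    r"^(Produced|Consuming) (?:client |server )?(\w+)(?: handshake)? message"
)
NEGOTIATED = re.compile(r"^Negotiated protocol version: (\S+)")
ALPN_NAME = "application_layer_protocol_negotiation"

# Constructed sample: header lines in the format shown above, bodies trimmed.
SAMPLE_LOG = """\
javax.net.ssl|INFO|68|finagle/netty4-4-1|2021-09-08 23:19:23.088 CEST|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.106 CEST|ClientHello.java:651|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2"
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.238 CEST|ServerHello.java:884|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2"
}
)
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.238 CEST|ServerHello.java:980|Negotiated protocol version: TLSv1.3
javax.net.ssl|WARNING|68|finagle/netty4-4-1|2021-09-08 23:19:23.289 CEST|CertificateMessage.java:1063|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|DEBUG|68|finagle/netty4-4-1|2021-09-08 23:19:23.291 CEST|CertificateMessage.java:1120|Produced client Certificate message (
"Certificate": {
}
)
javax.net.ssl|DEBUG|24|https-jsse-nio-8443-exec-1|2021-09-08 23:19:23.199 CEST|AlpnExtension.java:363|Ignore unavailable extension: application_layer_protocol_negotiation
"""


def parse_records(text):
    """Split debug output into records; non-header lines join the record above."""
    records = []
    for raw in text.splitlines():
        m = RECORD.match(raw)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            rec["body"] = []
            records.append(rec)
        elif records and raw.strip():
            records[-1]["body"].append(raw)
    return records


def summarize(records):
    """Per thread name: negotiated version, handshake flow, ALPN records, warnings."""
    threads = defaultdict(
        lambda: {"negotiated": None, "handshake": [], "alpn": [], "warnings": []}
    )
    for rec in records:
        summary = threads[rec["thread"]]
        msg = rec["msg"]
        if rec["level"] == "WARNING":
            summary["warnings"].append(msg)
        if rec["src"].startswith("AlpnExtension") or ALPN_NAME in msg:
            summary["alpn"].append(msg)
        m = NEGOTIATED.match(msg)
        if m:
            summary["negotiated"] = m.group(1)
        m = HANDSHAKE_MSG.match(msg)
        if m:
            direction = "out" if m.group(1) == "Produced" else "in"
            summary["handshake"].append((direction, m.group(2)))
    return dict(threads)


def alpn_in_play(thread_summary):
    """Heuristic (assumption of this example): ALPN counts as in use only if some
    ALPN record is neither an 'Ignore ...' nor a 'No available ...' message."""
    return any(
        not msg.startswith(("Ignore", "No available"))
        for msg in thread_summary["alpn"]
    )


if __name__ == "__main__":
    for thread, summary in summarize(parse_records(SAMPLE_LOG)).items():
        print(thread)
        print("  negotiated:", summary["negotiated"])
        print("  handshake :", summary["handshake"])
        print("  ALPN used :", alpn_in_play(summary), summary["alpn"])
        print("  warnings  :", len(summary["warnings"]))
```
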

Hi @Hakky54, I am looking into this issue and wanted to check with you: which HTTP version are you using? I am asking since we removed the UseH2 toggles in 21.8.0 and all clients and servers are defaulted to HTTP/2, so I was wondering if that is related to the error you are seeing.
You could try verifying it by using c.t.finagle.Http.client.withNoHttp2 and c.t.finagle.Http.server.withNoHttp2 respectively to create a client and server.

Hi @jyanJing

My server is using HTTP 1 by default, as some of the clients within that repository do not support HTTP 2. I added the option withNoHttp2 to the client and now it works. So it looks like it was just the HTTP version which was not compatible between the server and client, and nothing related to SSL. Thank you for helping me with this issue.

No problems, @Hakky54, I am glad it is working!