It is often helpful to turn on detailed SSL handshake debugging in Integration Server when troubleshooting HTTPS connection issues related to X509 certificates.
Setting the JVM parameter -Djavax.net.debug=all will not work, and packet capture tools such as Ethereal or Packetyzer are helpful only if you are enough of a network geek to read their output.
Tim Bond tipped me off to these IS server settings that enable the low-level SSL handshake debugging output. This output will be sent to stderr, so it is necessary to start IS from the command line to view this or to pipe stderr to a file.
For outbound SSL debug, set
watt.ssl.iaik.debug=true
For inbound SSL debug, set
watt.net.ssl.debug=true
The output will look something like the following when the partner’s certificate is not yet trusted by IS:
ssl_debug(4): Sending server_hello handshake message.
ssl_debug(4): Selecting CipherSuite: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(4): Selecting CompressionMethod: NULL
ssl_debug(4): Sending certificate handshake message with server certificate...
ssl_debug(4): Sending certificate_request handshake message...
ssl_debug(4): Sending server_hello_done handshake message...
ssl_debug(4): Received certificate handshake message with client certificate.
ssl_debug(4): Client sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(4): Received client_key_exchange handshake message.
ssl_debug(4): Received certificate_verify handshake message.
ssl_debug(4): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(4): Sending alert: Alert Fatal: bad certificate
ssl_debug(4): Shutting down SSL layer...
ssl_debug(4): SSLException while handshaking: Client certificate rejected by ChainVerifier.
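A small shell helper, added here as an example and not part of the original post, that sets the two watt properties in a server.cnf-style file (idempotently, so running it twice does not duplicate the lines) and reads an ssl_debug capture to report the ChainVerifier decision and the fatal alert that ended the handshake. The file names, the demo() wrapper and the sample log are constructed for this demo; the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example (not from the original post): enable the IS SSL handshake
# debug settings in a server.cnf copy and triage the resulting ssl_debug
# output. File paths and the sample log below are constructed for this demo.

# Append a watt.* property to a server.cnf-style file, or replace its value
# if the key is already present, so repeated runs stay idempotent.
# Usage: set_watt_property <cnf_file> <key> <value>
set_watt_property() {
    cnf=$1; key=$2; value=$3
    if grep -q "^${key}=" "$cnf" 2>/dev/null; then
        # portable in-place edit (no sed -i)
        sed "s|^${key}=.*|${key}=${value}|" "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$cnf"
    fi
}

# Turn on both outbound (IAIK) and inbound SSL debug output.
enable_is_ssl_debug() {
    set_watt_property "$1" watt.ssl.iaik.debug true
    set_watt_property "$1" watt.net.ssl.debug true
}

# Summarise one ssl_debug session read from stdin: print the verifier
# decision, the fatal alert and the exception reason; return 1 if an alert
# was sent (handshake failed), 0 otherwise.
ssl_debug_verdict() {
    awk '
        /ChainVerifier:/               { sub(/.*ChainVerifier: /, "");  verdict = $0 }
        /Sending alert: Alert Fatal:/  { sub(/.*Alert Fatal: /, "");    alert   = $0 }
        /SSLException while handshaking:/ { sub(/.*handshaking: /, ""); why     = $0 }
        END {
            if (alert != "") {
                printf "FAILED alert=%s verifier=%s reason=%s\n", alert, verdict, why
                exit 1
            }
            printf "OK verifier=%s\n", (verdict == "" ? "n/a" : verdict)
        }'
}

# Constructed sample: the rejected-client-certificate exchange from the post.
SAMPLE_LOG='ssl_debug(4): Sending server_hello_done handshake message...
ssl_debug(4): Received certificate handshake message with client certificate.
ssl_debug(4): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(4): Sending alert: Alert Fatal: bad certificate
ssl_debug(4): SSLException while handshaking: Client certificate rejected by ChainVerifier.'

demo() {
    tmp=$(mktemp -d)
    printf 'watt.server.port=5555\n' > "$tmp/server.cnf"   # constructed stand-in
    enable_is_ssl_debug "$tmp/server.cnf"
    cat "$tmp/server.cnf"
    # IS writes ssl_debug lines to stderr, so the launcher line in server.sh
    # needs both streams captured, e.g.:  ${JAVA_RUN} ... $* >> "$tmp/is.log" 2>&1
    printf '%s\n' "$SAMPLE_LOG" > "$tmp/is.log"
    ssl_debug_verdict < "$tmp/is.log" || echo "handshake failed: check the IS truststore"
    rm -rf "$tmp"
}
```

Run `demo` to see both halves; in practice point `enable_is_ssl_debug` at the real server.cnf with IS stopped, restart IS with stderr redirected, and feed the captured file to `ssl_debug_verdict`.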
This was very good advice, and we were very happy to find it, as we are investigating an SSL issue and would require detailed SSL handshake debug information. We have tried to activate the SSL debugger as advised here, but haven’t been able to get any output with it. Could someone please help here?
We have added these two lines to server.cnf:
watt.ssl.iaik.debug=true
watt.net.ssl.debug=true
And to get the stderr, we have added >> $MYLOG 2>&1 at the end of the line below in server.sh:
${JAVA_RUN} -DWM_HOME=${WM_HOME} -Djavax.net.debug=all -classpath ${CLASSPATH} ${IS_PROXY_MAIN} ${IS_DIR}/bin/ini.cnf $ ${PREPENDCLASSES_SWITCH} ${PREPENDCLASSES} ${APPENDCLASSES_SWITCH} ${APPENDCLASSES} ${ENV_CLASSPATH_SWITCH} ${SAVED_CP}: $* >> $MYLOG 2>&1
However, nothing SSL-related comes to the log file given in MYLOG. In fact, only two errors (about /usr/lib/dld.sl) come to that log whenever IS is started, nothing else. Even grepping for ssl_debug doesn’t find anything in any file in any folder.
Could someone please comment if there is another way we could try to get the debug information? Or can you see what we are doing wrong?
You would need to define an environment variable called $MYLOG or just replace it in the server.sh with a hardcoded filename such as “ssldebug.log”. You might need to get some assistance from your Unix sysadmin.
Also from openssl, I gave ‘openssl s_client -connect localhost:443’, but it errored out:
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
24524:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:.\ssl\s3_pkt.c:1060:SSL alert number 20
24524:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
I don’t know much about SSL. But has anyone faced a similar issue? Please help.
The certificate “O=Verisign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign” is valid from Thursday, April 17, 1997 to Wednesday, January 7, 2004.
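The `verify error:num=20:unable to get local issuer certificate` above and the `ChainVerifier: No trusted certificate found` line in the first post have the same cause: the verifier was not given the issuer of the certificate it was handed. The following shell script, added here as an example and not part of the original thread, reproduces both outcomes offline with a throwaway CA and a server certificate it signs, and also prints the certificate's validity window, which is what the reply above checked. It assumes the `openssl` command-line tool is installed; the subject names, file names and `demo()` wrapper are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce X509 verify error 20
# with a throwaway chain, then show the same chain verifying once the issuer
# is supplied. Requires the openssl CLI; names and paths are constructed.

# Mint a one-day test CA and a server certificate signed by it inside <dir>.
make_test_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Test CA/CN=Example Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=is.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# Verify <cert> against <cafile> (or only the default store when <cafile> is
# empty). Prints "ok", or the numeric X509 verify error code taken from the
# "error N at D depth lookup" line (20 = unable to get local issuer certificate).
# The verdict is read from the output rather than the exit status because old
# OpenSSL releases exit 0 even when verification fails.
check_chain() {
    cert=$1; cafile=$2
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) || true
    else
        out=$(openssl verify "$cert" 2>&1) || true
    fi
    code=$(printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup:.*/\1/p' |
        head -n 1)
    if [ -z "$code" ]; then
        echo ok
        return 0
    fi
    echo "$code"
    return 1
}

# Show who issued the certificate and when it is valid: the first two things
# to check when a partner certificate is rejected.
cert_window() {
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

demo() {
    tmp=$(mktemp -d)
    make_test_chain "$tmp"
    cert_window "$tmp/server.pem"
    echo "without issuer in the trust store: $(check_chain "$tmp/server.pem" "")"
    echo "with issuer in the trust store:    $(check_chain "$tmp/server.pem" "$tmp/ca.pem")"
    rm -rf "$tmp"
}
```

Run `demo`: the first check reports 20, the second reports ok. Against a live server the equivalent is `openssl s_client -connect host:443 -CAfile <issuer chain>`; if the error persists with the right CA file, look at the dates printed by `cert_window`, since an expired issuer is rejected too.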