javax.net.ssl.SSLHandshakeException: null cert chain

Hello~ everybody.

One of our partners requested client authentication, and they said we didn't present our certificate when they requested it.

I added some configuration commands to server.cnf for debugging, like below.
watt.ssl.iaik.debug=true
watt.net.ssl.debug=true
watt.ignore.ignoreExpiredChains=true
watt.security.ssl.client.ignoreEmptyAuthoritiesList=true

and I got the log below.

ssl_debug(1): Starting handshake (iSaSiLk 3.03)…
ssl_debug(1): Sending v2 client_hello message, requesting version 3.1…
ssl_debug(1): Received v3 server_hello handshake message.
ssl_debug(1): Server selected SSL version 3.1.
ssl_debug(1): Server created new session 46:C0:54:34:D5:B3:36:64…
ssl_debug(1): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(1): CompressionMethod selected by server: NULL
ssl_debug(1): Received certificate handshake message with server certificate.
ssl_debug(1): Server sent a 1024 bit RSA certificate, chain has 2 elements.
ssl_debug(1): Received certificate_request handshake message.
ssl_debug(1): Accepted certificate types: RSA, DSS
ssl_debug(1): Accepted certificate authorities:
ssl_debug(1): cn=Prva Slovenska Certifikacna Autorita,o=Viasec s.r.o.,c=SK
ssl_debug(1): EMail=it@cargo.sk,cn=Base CA 4 App.,ou=IT - CT Cargo,o=CT Cargo s.r.o,l=Bratislava,st=Slovakia,c=SK
ssl_debug(1): Received server_hello_done handshake message.
ssl_debug(1): No client certificate available, sending empty certificate message…
ssl_debug(1): Sending client_key_exchange handshake message (1024 bit)…
ssl_debug(1): Sending change_cipher_spec message…
ssl_debug(1): Sending finished message…
ssl_debug(1): Received alert message: Alert Fatal: bad certificate
ssl_debug(1): SSLException while handshaking: Peer sent alert: Alert Fatal: bad certificate
ssl_debug(1): Shutting down SSL layer…

and this is a part of the log which they offered me. (I omitted some of it with ….)
pool-1-thread-2 - Acceptor0 SslSocketConnector @ 0.0.0.0:10443, setSoTimeout(30000) called
pool-1-thread-2 - Acceptor0 SslSocketConnector @ 0.0.0.0:10443, READ: SSL v2, contentType = Handshake, translated length = 95
*** ClientHello, TLSv1
RandomCookie: GMT: 0 bytes = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 70, 119, 99, 129, 234, 41, 49, 237, 244, 67, 90, 139, 12, 204, 12, 71 }
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_DSS_WITH_DES_CBC_SHA, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_RSA_WITH_DES_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA]
Compression Methods: { 0 }
*** %% Created: [Session-6, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***Cipher suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=cdim.cargo.sk
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
Validity: [From: Fri Jun 08 15:35:53 CEST 2007,
To: Thu Apr 03 15:35:53 CEST 2008]
Issuer: EMAILADDRESS=it@cargo.sk, CN=Base CA 4 App., OU=IT - CT Cargo, O=CT Cargo s.r.o, L=Bratislava, ST=Slovakia, C=SK
SerialNumber: [ 01130b8c 59d8]
]
Algorithm: [SHA1withRSA]
……
]
chain [1] = [
[
Version: V3
Subject: EMAILADDRESS=it@cargo.sk, CN=Base CA 4 App., OU=IT - CT Cargo, O=CT Cargo s.r.o, L=Bratislava, ST=Slovakia, C=SK

SerialNumber: [ 83cc176d 35e4edb6]
Certificate Extensions: 9
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [ RFC822Name: it@cargo.sk]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A6 A1 B0 93 49 AD B3 D8 14 79 A3 70 44 DC 45 2C …I…y.pD.E,
0010: 35 91 91 DC 5…]
[EMAILADDRESS=it@cargo.sk, CN=Base CA 4 App., OU=IT - CT Cargo, O=CT Cargo s.r.o, L=Bratislava, ST=Slovakia, C=SK]
SerialNumber: [ 83cc176d 35e4edb6]]
………
[9]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [ Key_CertSign Crl_Sign]
Algorithm: [SHA1withRSA]
……
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=Prva Slovenska Certifikacna Autorita, O=Viasec s.r.o., C=SK>
<EMAILADDRESS=it@cargo.sk, CN=Base CA 4 App., OU=IT - CT Cargo, O=CT Cargo s.r.o, L=Bratislava, ST=Slovakia, C=SK>
*** ServerHelloDone
[write] MD5 and SHA1 hashes: len = 3226
0000: 02 00 00 46 03 01 46 77 51 98 35 26 8A 98 20 BF …F…FwQ.5&… .

0C90: 72 67 6F 2E 73 6B 0E 00 00 00 rgo.sk…
pool-1-thread-2 - Acceptor0 SslSocketConnector @ 0.0.0.0:10443, WRITE: TLSv1 Handshake, length = 3226
pool-1-thread-2 - Acceptor0 SslSocketConnector @ 0.0.0.0:10443, READ: TLSv1 Handshake, length = 141
*** Certificate chain
pool-1-thread-2 - Acceptor0 SslSocketConnector @ 0.0.0.0:10443, SEND TLSv1 ALERT: fatal, description = bad_certificate
pool-1-thread-2 - Acceptor0 SslSocketConnector @ 0.0.0.0:10443, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7

pool-1-thread-2 - Acceptor0 SslSocketConnector @ 0.0.0.0:10443, called closeSocket()
pool-1-thread-2 - Acceptor0 SslSocketConnector @ 0.0.0.0:10443, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
--------------------------------------------------------------------------------------------------

Did I miss anything?
I got suspicious about "No client certificate available, sending empty certificate message…" in our log.
Then, how can I set a client certificate to send to the server?

Please help me!!!
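A small triage helper for a trace like the one above, added here as an example (it is not code from the original post, from webMethods or from iSaSiLk): it parses the client-side ssl_debug output, pulls out the CA names listed in the server's CertificateRequest, normalizes DN strings so that the iSaSiLk print style (`EMail=`, lowercase attribute types, no spaces) and the JDK print style (`EMAILADDRESS=`, uppercase types, spaces after commas) compare equal, and reports whether the issuer of the client certificate you intend to present is on that list. The sample log is a trimmed copy of the trace in the post, and the issuer DN is constructed from the partner's CA name as printed in their log; the alias table and the decision to ignore RDN order are assumptions of this example. The trace shows the client answering the CertificateRequest with an empty Certificate message, which is exactly what a JSSE server that requires client authentication rejects with `bad_certificate` and logs as `null cert chain`.

```python
import re

# Constructed sample input: a trimmed copy of the iSaSiLk client-side debug
# output quoted in the post (not captured fresh for this example).
SAMPLE_CLIENT_LOG = """\
ssl_debug(1): Received certificate_request handshake message.
ssl_debug(1): Accepted certificate types: RSA, DSS
ssl_debug(1): Accepted certificate authorities:
ssl_debug(1): cn=Prva Slovenska Certifikacna Autorita,o=Viasec s.r.o.,c=SK
ssl_debug(1): EMail=it@cargo.sk,cn=Base CA 4 App.,ou=IT - CT Cargo,o=CT Cargo s.r.o,l=Bratislava,st=Slovakia,c=SK
ssl_debug(1): Received server_hello_done handshake message.
ssl_debug(1): No client certificate available, sending empty certificate message...
ssl_debug(1): Received alert message: Alert Fatal: bad certificate
"""

# Assumed alias table: different toolkits print the same attribute type under
# different names (iSaSiLk writes "EMail", the JDK writes "EMAILADDRESS").
ATTR_ALIASES = {
    "emailaddress": "email", "e": "email", "mail": "email",
    "commonname": "cn", "organizationname": "o",
    "organizationalunitname": "ou", "localityname": "l",
    "stateorprovincename": "st", "countryname": "c",
}

PREFIX = re.compile(r"^ssl_debug\(\d+\):\s*")


def normalize_dn(dn: str) -> frozenset:
    """Canonicalize a printed DN so that strings from different toolkits compare
    equal: split on unescaped commas, lowercase and alias attribute names,
    collapse whitespace and lowercase values. RDN order is deliberately ignored
    (an assumption: some toolkits print DNs most-specific-first, others reversed)."""
    pairs = set()
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        name = ATTR_ALIASES.get(name.strip().lower(), name.strip().lower())
        value = " ".join(value.split()).lower()
        pairs.add((name, value))
    return frozenset(pairs)


def parse_client_log(log_text: str) -> dict:
    """Pull the facts that matter for a client-auth failure out of the client-side
    handshake trace: the CA names the server will accept, whether the client
    answered the CertificateRequest with an empty Certificate message, and the
    alert the server replied with."""
    info = {"accepted_cas": [], "sent_empty_certificate": False, "alert": None}
    collecting = False
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("Accepted certificate authorities"):
            collecting = True
            continue
        if collecting:
            if "=" in line:            # DN lines follow until the next handshake message
                info["accepted_cas"].append(line)
                continue
            collecting = False
        if line.startswith("No client certificate available"):
            info["sent_empty_certificate"] = True
        m = re.match(r"Received alert message: Alert (\w+): (.+)", line)
        if m:
            info["alert"] = (m.group(1), m.group(2))
    return info


def diagnose(log_text: str, client_issuer_dn: str) -> list:
    """Return a list of findings for the trace, given the issuer DN of the client
    certificate that is supposed to be presented on this connection."""
    info = parse_client_log(log_text)
    findings = []
    if info["sent_empty_certificate"]:
        findings.append("empty-certificate")      # no key/cert was selected for the connection
    accepted = {normalize_dn(d) for d in info["accepted_cas"]}
    if normalize_dn(client_issuer_dn) in accepted:
        findings.append("issuer-accepted")        # the server's CertificateRequest names this CA
    else:
        findings.append("issuer-not-accepted")    # the server would not trust this issuer anyway
    if info["alert"] and info["alert"][0].lower() == "fatal":
        findings.append("fatal-alert:" + info["alert"][1])
    return findings


if __name__ == "__main__":
    # Constructed issuer DN in JDK print style, naming the second accepted CA.
    issuer = ("EMAILADDRESS=it@cargo.sk, CN=Base CA 4 App., OU=IT - CT Cargo, "
              "O=CT Cargo s.r.o, L=Bratislava, ST=Slovakia, C=SK")
    for finding in diagnose(SAMPLE_CLIENT_LOG, issuer):
        print(finding)
```

Run against the trace in the post, the helper reports `empty-certificate` first: whatever the outbound certificate settings look like, nothing was selected for this connection, so fixing the selection comes before worrying about whether the partner trusts the CA. Once a certificate is actually sent, the `issuer-accepted` / `issuer-not-accepted` finding tells you whether its issuer is one the server asked for in its CertificateRequest.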

How have you configured the security certificates on your IS?

Mark

I set it up like below, and every file exists where it should be located.

** Outbound SSL Certificates

** Trusted Certificates

OK, and are you able to successfully enable an HTTPS port? Does your code clear the client cert or attempt to set it explicitly for any reason?

-MDC

Thanks for quick reply.
Yes, I'm able to enable an HTTPS port without any problem,
and there isn't any problem communicating with other suppliers via HTTPS, but the others don't request client authentication.

OK, it appears as if the certificate “chain” (the list of concatenated public certs in a certificate) contains some error or is not in the correct order. Perhaps someone from your network security team can review your cert or you can use a tool like OpenSSL to list the cert chain if you understand how to read and understand it.

-MDC

Hi Mark,

Unfortunately there is nobody who can perform certificate verification in our network security team.
I've googled and found some commands for how to verify a certificate.
But I'm not sure if I did it right.

  • ca_pscan.crt is a CA certificate.
  • kmsdevedi.kia.sk.crt is a server certificate.
    I executed the command below:
    $openssl verify -verbose -CAfile ./ca_pscan.crt -purpose any ca_pscan.crt kmsdevedi.kia.sk.crt
    I got the result below:
    ca_pscan.crt: OK
    kmsdevedi.kia.sk.crt: OK

Does this result mean our certificate is okay???
Did I do what you mentioned?

That would seem to indicate that the cert is OK. You might share the output of the OpenSSL with your trading partner.

Has your trading partner given you a client certificate for you to trust? Have you done the same?

Mark

Thanks Mark,

I’ll try it again with their certificates.

I’ve tried to verify partner’s certificates and I got OK result as well.
If they didn't import our CA key into their trust store, or if they imported the wrong CA into their trust store, does this error happen as well?
Because the right CA doesn’t exist in the trust list, their system may not recognize our certificate. Am I right?