Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Nguyen, Kyle kyle.nguyen at philips.com
Fri Aug 26 17:08:39 EDT 2016


Thanks a lot, Jonathan! Your suggestion really helped with Tomcat debugging. I believe the following SSL related error indicates the riak server was not able to validate the certificate sent by client. There was no useful error description from the riak logs other than throwing the same error “certificate_unknown”. I am still not able to figure out what went wrong since both client and riak server certificates were signed by the same CA (GetACert) and the client code was able to verify it.

Some debug output with my dev certificates:

Aug 26, 2016 1:51:11 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 5355 ms
adding as trusted cert:
  Subject: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  Issuer:  O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  Algorithm: RSA; Serial number: 0x7b2
  Valid from Tue Jan 06 14:14:55 PST 2004 until Wed May 07 15:14:55 PDT 2031

***
found key for : kyle
chain [0] = [
[
  Version: V3
  Subject: CN=kyle
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Mon Aug 22 15:36:32 PDT 2016,
               To: Fri Oct 21 15:36:32 PDT 2016]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    1376]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
]

[3]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
   S/MIME
   Object Signing
]

]
  Algorithm: [SHA256withRSA]
  Signature:
]
***
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1455401704 bytes = { 254, 226, 202, 194, 39, 200, 67, 57, 243, 241, 153, 228, 215, 227, 49, 245, 194, 26, 81, 157, 255, 205, 184, 207, 240, 80, 215, 213 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 193
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 74
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1455401704 bytes = { 108, 38, 133, 152, 10, 118, 18, 227, 56, 97, 248, 60, 199, 38, 119, 21, 179, 202, 28, 202, 211, 181, 160, 20, 175, 167, 138, 3 }
Session ID:  {126, 30, 93, 45, 104, 93, 5, 182, 204, 223, 92, 214, 166, 238, 202, 210, 1, 1, 249, 252, 78, 126, 195, 149, 201, 203, 223, 24, 186, 183, 185, 182}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
** TLS_RSA_WITH_AES_128_CBC_SHA256
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 1816
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=riak@127.0.0.1
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Mon Aug 22 15:42:40 PDT 2016,
               To: Fri Oct 21 15:42:40 PDT 2016]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    1377]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
]

[3]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
   S/MIME
   Object Signing
]

]
  Algorithm: [SHA256withRSA]
  Signature:
]
chain [1] = [
[
  Version: V3
  Subject: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Tue Jan 06 14:14:55 PST 2004,
               To: Wed May 07 15:14:55 PDT 2031]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    07b2]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CD DF 18 20 8A 6D 74 4F   37 DC B2 E0 89 A2 A9 0B  ... .mtO7.......
0010: 95 88 CB 0B                                        ....
]
[O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US]
SerialNumber: [    07b2]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD DF 18 20 8A 6D 74 4F   37 DC B2 E0 89 A2 A9 0B  ... .mtO7.......
0010: 95 88 CB 0B                                        ....
]
]

]
  Algorithm: [MD5withRSA]
  Signature:
]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Tue Jan 06 14:14:55 PST 2004,
               To: Wed May 07 15:14:55 PDT 2031]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    07b2]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CD DF 18 20 8A 6D 74 4F   37 DC B2 E0 89 A2 A9 0B  ... .mtO7.......
0010: 95 88 CB 0B                                        ....
]
[O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US]
SerialNumber: [    07b2]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD DF 18 20 8A 6D 74 4F   37 DC B2 E0 89 A2 A9 0B  ... .mtO7.......
0010: 95 88 CB 0B                                        ....
]
]

]
  Algorithm: [MD5withRSA]
  Signature:
]
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 166
*** CertificateRequest
Cert Types: RSA
Supported Signature Algorithms: SHA512withRSA, SHA384withRSA, SHA256withRSA, SHA224withRSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US>
<CN=riak@127.0.0.1>
<CN=kyle>
nioEventLoopGroup-2-1, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
matching alias: kyle
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=kyle
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Mon Aug 22 15:36:32 PDT 2016,
               To: Fri Oct 21 15:36:32 PDT 2016]
  Issuer: O=getaCert - www.getacert.com, L=Seattle, ST=Washington, C=US
  SerialNumber: [    1376]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_Encipherment
]

[3]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
   S/MIME
   Object Signing
]

]
  Algorithm: [SHA256withRSA]
  Signature:
]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 1062
SESSION KEYGEN:
... no IV derived for this protocol
*** CertificateVerify
Signature Algorithm SHA512withRSA
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 264
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 23, 30, 181, 161, 22, 248, 149, 212, 46, 12, 21, 154 }
***
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 80
nioEventLoopGroup-2-1, READ: TLSv1.2 Alert, length = 2
nioEventLoopGroup-2-1, RECV TLSv1.2 ALERT:  fatal, certificate_unknown
nioEventLoopGroup-2-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
nioEventLoopGroup-2-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
nioEventLoopGroup-2-1, called closeOutbound()
nioEventLoopGroup-2-1, closeOutboundInternal()
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT:  warning, description = close_notify
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 64
nioEventLoopGroup-2-1, called closeInbound()
nioEventLoopGroup-2-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
nioEventLoopGroup-2-1, called closeOutbound()
nioEventLoopGroup-2-1, closeOutboundInternal()
nioEventLoopGroup-2-1, called closeInbound()
nioEventLoopGroup-2-1, closeInboundInternal()
nioEventLoopGroup-2-1, closeOutboundInternal()

Thanks

-Kyle-

From: Jonathan Joseph [mailto:jonbjoseph at gmail.com]
Sent: Thursday, August 25, 2016 5:53 PM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Try adding the following Java property setting when launching your java client in order to see SSL Handshake related debug information:

-Djavax.net.debug=ssl:handshake
Or to see all ssl related debug output:

-Djavax.net.debug=ssl


On Thu, Aug 25, 2016 at 4:24 PM, Nguyen, Kyle <kyle.nguyen at philips.com> wrote:
Hi all,

I was trying to implement client certificate based authentication following http://docs.basho.com/riak/kv/2.1.4/using/security/basics/ but kept getting the following SSL Handshake exception. I believe I have the client keystore, truststore and riak server cert/key setup properly. Both client cert and riak server cert are signed with the same CA. Any advice and suggestions will be greatly appreciated!

2016-08-25 12:53:24 DEBUG InternalLoggerFactory:71 - Using SLF4J as the default logging framework
2016-08-25 12:53:24 DEBUG MultithreadEventLoopGroup:76 - -Dio.netty.eventLoopThreads: 16
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Buffer.address: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - sun.misc.Unsafe.theUnsafe: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:71 - sun.misc.Unsafe.copyMemory: available
2016-08-25 12:53:24 DEBUG PlatformDependent0:76 - java.nio.Bits.unaligned: true
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Platform: Windows
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - Java version: 8
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noUnsafe: false
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - sun.misc.Unsafe: available
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noJavassist: false
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - Javassist: unavailable
2016-08-25 12:53:24 DEBUG PlatformDependent:71 - You don't have Javassist in your class path or you don't have enough permission to load dynamically generated classes.  Please check the configuration for better performance.
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.tmpdir: C:\apache-tomcat-7.0.54\temp (java.io.tmpdir)
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.bitMode: 64 (sun.arch.data.model)
2016-08-25 12:53:24 DEBUG PlatformDependent:76 - -Dio.netty.noPreferDirect: false
2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.noKeySetOptimization: false
2016-08-25 12:53:24 DEBUG NioEventLoop:76 - -Dio.netty.selectorAutoRebuildThreshold: 512
2016-08-25 12:53:24 INFO  RiakJKSConnection:73 - initializeRiak Cluster is OK
2016-08-25 12:53:24 DEBUG ThreadLocalRandom:71 - -Dio.netty.initialSeedUniquifier: 0xac658e47a52a7794 (took 3 ms)
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.allocator.type: unpooled
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.threadLocalDirectBufferSize: 65536
2016-08-25 12:53:24 DEBUG ByteBufUtil:76 - -Dio.netty.maxThreadLocalCharBufferSize: 16384
2016-08-25 12:53:24 DEBUG RiakNode:762 - Using TLSv1.2
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:166 - Handler Added
2016-08-25 12:53:24 DEBUG RiakNode:777 - Waiting on SSL Promise
2016-08-25 12:53:24 DEBUG AbstractByteBuf:81 - -Dio.netty.buffer.bytebuf.checkAccessible: true
2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 - -Dio.netty.leakDetection.level: simple
2016-08-25 12:53:24 DEBUG ResourceLeakDetector:81 - -Dio.netty.leakDetection.maxRecords: 4
2016-08-25 12:53:24 DEBUG Recycler:76 - -Dio.netty.recycler.maxCapacity.default: 262144
2016-08-25 12:53:24 DEBUG Cleaner0:76 - java.nio.ByteBuffer.cleaner(): available
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:69 - RiakSecurityDecoder decode
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:93 - Received MSG_RpbStartTls reply
2016-08-25 12:53:24 ERROR RiakSecurityDecoder:230 - SSL Handshake failed:
java.nio.channels.ClosedChannelException
2016-08-25 12:53:24 ERROR RiakNode:787 - Failure during Auth; 127.0.0.1:8087 java.nio.channels.ClosedChannelException
2016-08-25 12:53:24 DEBUG RiakSecurityDecoder:181 - Channel Inactive

RiakNode builder setup:

import java.net.UnknownHostException;
import java.security.KeyStore;
import com.basho.riak.client.core.RiakCluster;
import com.basho.riak.client.core.RiakNode;

public static RiakCluster getRiakCluster(String riakUserName, String userPassword, String storePath, String storePasswd, String keyPasswd,
                                         String trustStorePath, String trustStorePasswd) throws UnknownHostException {

       // key store holding the client cert (CN=kyle) and its private key
       KeyStore keyStore = loadKeystore(storePath, storePasswd);
       // trust store holding the CA that signed the riak server cert (trustStore was undefined in the snippet as posted)
       KeyStore trustStore = loadKeystore(trustStorePath, trustStorePasswd);
       //riak with one node
       RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087);
       builder.withAuth(riakUserName, userPassword, trustStore, keyStore, keyPasswd);
       builder.withConnectionTimeout(30000);
       RiakCluster cluster = new RiakCluster.Builder(builder.build()).build();
       cluster.start();
       return cluster;
    }

Thanks

-Kyle-
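An added pre-flight check for the key material that the getRiakCluster() snippet above hands to withAuth(...); this is example code written for this thread, not part of the Riak Java client or the poster's project. It loads the JKS stores and reports, before any connection is attempted, the points a reviewer of the handshake trace in the later mail would question: the client cert's KeyUsage bits, its validity window, whether its CN equals the Riak user name (an assumption taken from the Riak security docs linked in the original post), and whether the chain validates against the trust store. The class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical pre-flight check (not Riak client code) for the JKS material handed to
 *  RiakNode.Builder.withAuth(user, password, trustStore, keyStore, keyPassword). */
public class RiakTlsPreflight {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS stores, as in the original post
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns human-readable findings; an empty list means nothing obvious is wrong. */
    static List<String> check(KeyStore keyStore, String alias, KeyStore trustStore,
                              String riakUserName) throws Exception {
        List<String> findings = new ArrayList<>();
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            findings.add("no private-key entry with a certificate chain under alias '" + alias + "'");
            return findings;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        // 1. CertificateVerify is an RSA signature made with the client key, so the cert
        //    needs KeyUsage digitalSignature (bit 0); Key_Encipherment (bit 2) alone,
        //    which is all the trace in this thread lists for CN=kyle, is reported here.
        boolean[] ku = leaf.getKeyUsage();
        if (ku != null && !ku[0]) {
            findings.add("client cert KeyUsage lacks digitalSignature: " + leaf.getSubjectX500Principal());
        }
        // 2. Validity window of the leaf certificate.
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            findings.add("client cert outside its validity window: " + e.getMessage());
        }
        // 3. Assumption taken from the Riak security docs linked in the original post:
        //    the certificate auth source matches the cert's CN against the Riak user name.
        String cn = null;
        for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cn = String.valueOf(rdn.getValue());
        }
        if (!riakUserName.equals(cn)) {
            findings.add("cert CN '" + cn + "' does not match Riak user '" + riakUserName + "'");
        }
        // 4. Validate the chain the client will send against the trust store's anchors the
        //    way a PKIX peer would; a bundled self-signed CA is left out of the path.
        Set<TrustAnchor> anchors = new HashSet<>();
        Set<Certificate> anchorCerts = new HashSet<>();
        for (String a : Collections.list(trustStore.aliases())) {
            Certificate c = trustStore.getCertificate(a);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
                anchorCerts.add(c);
            }
        }
        List<Certificate> path = new ArrayList<>();
        for (Certificate c : chain) if (!anchorCerts.contains(c)) path.add(c);
        try {
            PKIXParameters params = new PKIXParameters(anchors); // throws if the trust store is empty
            params.setRevocationEnabled(false); // revocation checking is outside this check's scope
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (GeneralSecurityException e) {
            findings.add("client chain does not validate against the trust store: " + e.getMessage());
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // args: keystore.jks storePass keyAlias truststore.jks trustPass riakUser
        List<String> findings = check(loadJks(args[0], args[1].toCharArray()), args[2],
                loadJks(args[3], args[4].toCharArray()), args[5]);
        findings.forEach(f -> System.out.println("FINDING: " + f));
        System.out.println(findings.isEmpty() ? "OK: safe to call withAuth(...)" : "FIX BEFORE CONNECTING");
    }
}
```

Run it with the same store paths, passwords, key alias (kyle in the trace) and Riak user name that are passed to getRiakCluster(); a clean result narrows the certificate_unknown alert down to the server-side configuration rather than the client's key material.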

