
[Solved] SSL handshake ends with javax.net.ssl.SSLException: readHandshakeRecord

2022-02-02 17:40:32

Question

We are trying to set up client-server authentication. The client and the server each have a machine certificate signed by the same CA and intermediate CA. When we start the handshake with javax.net.debug=ssl:handshake, the log below appears after the various certificates have been printed out. The protocol used is TLS v1.2 and the Java is OpenJDK 11.

javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
  "supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [VARIOUS CAs]
}
)
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.913 CEST|ECDHClientKeyExchange.java:396|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    0000: 04 11 88 67 1F E4 73 35   2B 1A 81 23 BF D7 40 57  ...g..s5+..#..@W
    .....AND MORE                                                k
  },
}
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.921 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|ERROR|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.925 CEST|TransportContext.java:318|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLException: readHandshakeRecord
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1320)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)

Update: it seems no certificate with the correct algorithm can be found in the JKS. Is there another way to check for certificates that do not match?

Update 2: full debug mask

javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "31 18 43 1E A8 0B 29 B4 5A F0 F2 A3 C1 2D 0A 35 AA A4 93 79 5A 5E 38 88 48 ED 1E AF 76 A0 4A E6",
  "session id"          : "10 17 F6 A9 A3 E9 E1 4E 80 5E A0 95 7C 7B 53 03 17 59 84 98 55 71 A9 4F 13 68 C2 24 3A E6 CD 09",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=clienthostname.dmz.test-group.net
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": x25519
          "key_exchange": {
            0000: 79 10 30 AA 4A 56 70 8B   51 26 11 78 9
              ..AND MORE
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS13 handshake, length = 409
12:42:58.868 CEST|SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 3968

javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.873 CEST|SSLSocketInputRecord.java:247|READ: TLSv1.2 handshake, length = 3968
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.874 CEST|ServerHello.java:872|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "61 1C E4 32 61 9B 53 5D B7 CF 38 FC DC 1A 01 86 42 67 0B 44 64 05 CF CB 88 01 A1 D7 45 6A 30 50",
  "session id"          : "61 1C E4 32 64 3A 16 64 2B 53 63 A5 68 C6 6B 1A 25 8F 9B 11 04 5D 42 A4 3B 0E 12 6E 57 57 15 C6",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|ServerHello.java:968|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: pre_shared_key
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLSessionImpl.java:210|Session initialized:  Session(1629283378875|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.878 CEST|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "12 2F 77 E8 55 D7 E6 2A 5C 5A BC 82 98 CD 5F 94",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=TEST Corporate System CA, O=TEST Group",
    "not before"         : "2019-02-06 11:52:50.000 CET",
    "not  after"         : "2022-02-06 11:52:50.000 CET",
    "subject"            : "CN=prestest.sis.dom, OU=b2c, O=TEST Group AG, L=Dallas, ST=Dallas, C=COM",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: A8 E2 82 6A BA CD 96 8E   7C 
          ..AND MORE
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
          timeStamping
        ]
      },
      {
        ObjectId: 2.5.29.18 Criticality=false
        IssuerAlternativeName [
          CN=TEST Corporate System CA, O=TEST Group
          RFC822Name: [email protected]
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_Encipherment
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: prestest.sis.dom
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 1F B0 29 8F 09 13 12 A2   
  ..AND MORE    
        ]
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=TEST Corporate Root CA, O=TEST Group",
    "not before"         : "2017-10-20 15:23:27.000 CEST",
    "not  after"         : "2027-10-19 15:23:27.000 CEST",
    "subject"            : "CN=TEST Corporate System CA, O=TEST Group",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: D0 69 0E 0C 2A B6 1F 4C   D4 B1 B4 7C 59 3A
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.18 Criticality=false
        IssuerAlternativeName [
          CN=TEST Corporate Root CA, O=TEST Group
          RFC822Name: [email protected]
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          CN=TEST Corporate System CA, O=TEST Group
          RFC822Name: [email protected]
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: A8 E2 82 6A BA CD 96 8E   7C CE 36 F9 2E A9 DC
        ]
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "13 B8 D6 3B 49 E6 08 EA 59 E9 E8 3E 59 5E 06 E3",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=TEST Corporate Root CA, O=TEST Group",
    "not before"         : "2017-10-20 14:12:46.000 CEST",
    "not  after"         : "2027-10-20 14:12:46.000 CEST",
    "subject"            : "CN=TEST Corporate Root CA, O=TEST Group",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          CN=TEST Corporate Root CA, O=TEST Group
          RFC822Name: [email protected]
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: D0 69 0E 0C 2A B6 1F 4C   D4 B1 B4 7C 59 3A 
          ..AND MORE
        ]
        ]
      }
    ]}
]
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.879 CEST|X509TrustManagerImpl.java:238|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=TEST Corporate Root CA, O=TEST Group",
    "not before"         : "2017-10-20 15:23:27.000 CEST",
    "not  after"         : "2027-10-19 15:23:27.000 CEST",
    "subject"            : "CN=TEST Corporate System CA, O=TEST Group",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: D0 69
          ..AND MORE
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.18 Criticality=false
        IssuerAlternativeName [
          CN=TEST Corporate Root CA, O=TEST Group
          RFC822Name: [email protected]
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          CN=TEST Corporate System CA, O=TEST Group
          RFC822Name: [email protected]
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: A8 E2 8
        ]
        ]
      }
    ]}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|ECDHServerKeyExchange.java:505|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
  "parameters": {
    "named group": "secp256r1"
    "ecdh public": {
      0000: 04 25 
  ..AND MORE
    },
  },
  "digital signature":  {
    "signature algorithm": "rsa_pkcs1_sha256"
    "signature": {
      0000: 13 FA 5
   ..AND MORE
    },
  }
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
  "supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [CN=TEST Corporate Root CA, O=TEST Group, CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=TEST Corporate Root CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=Test Service ID CA 1024 Class 1, C=COM, OU=Class 1 (Service Certificates), OU=CA Services, O=Test Services AG]
}
)
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 7
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:255|Raw write (
  0000: 16 03 03 00 07 0B 00 00   03 00 00 00              ............
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|ECDHClientKeyExchange.java:400|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    0000: 04 88 CE
  ..AND MORE                                                 .
  },
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 70

Update 3: it seems the keystore is not being loaded; it will be fixed so that it is loaded from the custom code.

Solution

The problem was in the Axis client that calls the server. Axis took its configuration from client-config.wsdd in the product library am-client.jar, which set the following property as the default:

        <parameter name="axis.socketSecureFactory" value="com.rsa.webservice.transport.IMSSecureSocketFactory" />

IMSSecureSocketFactory does not read the keystore property (javax.net.ssl.keyStore) from the system properties. As a result, X509Authentication was reading from a KeyManager with no entries, so no certificate could match.

Adding the following property to AxisProperties solved it:

AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.JSSESocketFactory");

I hope this helps someone; debugging this was really hard.
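As an added diagnostic, written here for illustration and not part of the question or the answer, the following class answers the question's update (is there another way to check for non-matching certificates in the JKS?) and reproduces the condition behind the answer (a KeyManager with no entries). It loads the keystore from the same javax.net.ssl.keyStore* system properties the default JSSE KeyManager uses and asks the X509KeyManager the same question JSSE asks while consuming the CertificateRequest; the class name ClientCertSelectionCheck and the issuer list are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Loads the client keystore the way JSSE's default KeyManager does (from the
 * javax.net.ssl.keyStore* system properties) and asks the X509KeyManager which
 * alias it would offer for each key type in the server's CertificateRequest.
 * "none" for every key type is the state behind the "No X.509 cert selected
 * for ..." log lines; the per-entry report afterwards says why an entry fails.
 */
public class ClientCertSelectionCheck {

    // CertificateRequest types rsa_sign/dss_sign/ecdsa_sign are queried under these
    // key-algorithm names by JSSE.
    static final String[] KEY_TYPES = {"RSA", "DSA", "EC"};

    // Issuer DNs copied from the CertificateRequest in the question (illustrative;
    // substitute the "certificate authorities" list your server actually sends).
    static final Principal[] ISSUERS = {
        new X500Principal("CN=TEST Corporate Root CA, O=TEST Group"),
        new X500Principal("CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM"),
    };

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            // A socket factory that ignores this property ends up here: an empty KeyManager.
            System.out.println("javax.net.ssl.keyStore not set: the KeyManager has no entries");
            return;
        }
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        String pwProp = System.getProperty("javax.net.ssl.keyStorePassword", "");
        char[] pw = pwProp.isEmpty() ? null : pwProp.toCharArray();  // same rule JSSE applies
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        X509KeyManager km = null;
        for (KeyManager k : kmf.getKeyManagers()) {
            if (k instanceof X509KeyManager) { km = (X509KeyManager) k; break; }
        }
        if (km == null) throw new IllegalStateException("no X509KeyManager available");

        // Same query JSSE makes while consuming the CertificateRequest.
        for (String keyType : KEY_TYPES) {
            String[] aliases = km.getClientAliases(keyType, ISSUERS);
            System.out.printf("%-4s -> %s%n", keyType, aliases == null ? "none" : Arrays.toString(aliases));
        }

        // Explain each private-key entry the KeyManager would not offer.
        Set<String> wantedTypes = new HashSet<>(Arrays.asList(KEY_TYPES));
        Set<Principal> wantedIssuers = new HashSet<>(Arrays.asList(ISSUERS));
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;  // trusted-cert entries cannot authenticate us
            Certificate[] raw = ks.getCertificateChain(alias);
            X509Certificate[] chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
            List<String> reasons = mismatchReasons(chain, wantedTypes, wantedIssuers);
            System.out.println(alias + ": " + (reasons.isEmpty() ? "usable" : reasons));
        }
    }

    /** Why a key entry's chain fails the server's CertificateRequest; empty if it qualifies. */
    static List<String> mismatchReasons(X509Certificate[] chain, Set<String> wantedTypes,
                                        Set<Principal> wantedIssuers) throws CertificateException {
        List<String> reasons = new ArrayList<>();
        X509Certificate leaf = chain[0];
        String alg = leaf.getPublicKey().getAlgorithm();
        if (!wantedTypes.contains(alg)) reasons.add("key algorithm " + alg + " not requested");
        boolean issuerMatch = false;  // any issuer along the chain may match the server's CA list
        for (X509Certificate c : chain) {
            if (wantedIssuers.contains(c.getIssuerX500Principal())) { issuerMatch = true; break; }
        }
        if (!issuerMatch) reasons.add("no issuer in chain is in certificate_authorities");
        try { leaf.checkValidity(); } catch (CertificateException e) { reasons.add("outside validity period"); }
        boolean[] ku = leaf.getKeyUsage();
        if (ku != null && !ku[0]) reasons.add("keyUsage lacks digitalSignature");
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku != null && !eku.contains("1.3.6.1.5.5.7.3.2")) reasons.add("extendedKeyUsage lacks clientAuth");
        return reasons;
    }
}
```

Run it with the same -Djavax.net.ssl.keyStore, keyStoreType and keyStorePassword values the application uses; if a custom socket factory bypasses those properties, as in the answer, this check passes while the handshake still fails, which is itself the diagnosis.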