
I'm trying to set up SSL between an API and the applications that call it. When my application calls the API, I get an error like this:

SEVERE: Servlet.service() for servlet [spring] in context with path [/panel] threw exception [Request processing failed; nested exception is org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://localhost:8442/acquirer/list":Remote host closed connection during handshake; nested exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] with root cause java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.InputRecord.read(InputRecord.java:482) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)

I'm deploying these two applications on two Tomcat servers, and I set up server.xml like this:

<Connector SSLEnabled="true" clientAuth="true" keystoreFile="/home/user/foobar.jks" keystorePass="foobarpwd" maxThreads="200" port="8442" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="/home/user/cacerts.jks" truststorePass="cacertspassword" />

This is my rest client configuration:

@Configuration
@PropertySource("classpath:config/local/general.properties")
public class RestClientConfig {

    /**
     * {@link RestTemplate} wired to the TLS-aware request factory defined below.
     *
     * @param clientHttpRequestFactory the factory produced by
     *        {@link #clientHttpRequestFactory(HttpClient)}
     * @return a {@link RestOperations} that sends every request through the configured client
     */
    @Bean
    public RestOperations restOperations(
            ClientHttpRequestFactory clientHttpRequestFactory) throws Exception {
        RestTemplate template = new RestTemplate(clientHttpRequestFactory);
        return template;
    }

    /**
     * Bridges the Apache {@link HttpClient} into Spring's request-factory abstraction.
     *
     * @param httpClient the client built by {@link #httpClient(String, String)}
     * @return a request factory backed by {@code httpClient}
     */
    @Bean
    public ClientHttpRequestFactory clientHttpRequestFactory(
            HttpClient httpClient) {
        HttpComponentsClientHttpRequestFactory factory =
                new HttpComponentsClientHttpRequestFactory(httpClient);
        return factory;
    }

    /**
     * Builds an {@link HttpClient} whose TLS trust comes from the keystore named by
     * {@code general.file}.
     *
     * <p>Only trust material is loaded here; there is no {@code loadKeyMaterial} call, so this
     * client never presents a certificate of its own. A server that requires client
     * authentication ({@code clientAuth="true"}) will therefore abort the handshake.
     *
     * @param file     path to the truststore ({@code general.file})
     * @param password truststore password ({@code general.pass})
     * @return an {@link HttpClient} restricted to TLSv1.2 with browser-compatible hostname checks
     * @throws Exception if the truststore cannot be read or the SSL context cannot be built
     */
    @Bean
    public HttpClient httpClient(@Value("${general.file}") String file,
            @Value("${general.pass}") String password) throws Exception {
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(file);
        try {
            trusted.load(in, password.toCharArray());
        } finally {
            in.close();
        }

        // NOTE(review): TrustSelfSignedStrategy also accepts self-signed peer certificates that
        // are not in the store (per the HttpClient docs) -- confirm that is intended outside dev.
        SSLContext context = SSLContexts.custom()
                .loadTrustMaterial(trusted, new TrustSelfSignedStrategy())
                .build();
        String[] protocols = { "TLSv1.2" };
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                context, protocols, null, BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }

    /**
     * Resolves the {@code ${...}} placeholders used in the {@link Value} annotations above.
     * Declared {@code static}, as Spring recommends for bean-factory post-processors.
     */
    @Bean
    public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
        return new PropertySourcesPlaceholderConfigurer();
    }
}

And my application controller:

// Injected from RestClientConfig#restOperations: a RestTemplate that sends requests through the configured HttpClient.
@Autowired
private RestOperations rest;

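/**
 * Lists all stop lists fetched from the remote API and renders the {@code stoplist/list} view.
 *
 * <p>NOTE(review): {@code @PostAuthorize} evaluates the expression after the method body has
 * run, so the remote GET is performed even for a caller who is then denied. The expression does
 * not use {@code returnObject}, so {@code @PreAuthorize("hasRole('aml_list')")} is the intended
 * form -- left unchanged here because it needs a new import.
 *
 * @param model              receives {@code stopLists} and {@code statuses}
 * @param redirectAttributes unused in this handler; kept for the existing mapping signature
 * @return the {@code stoplist/list} view name
 */
@PostAuthorize("hasRole('aml_list')")
@RequestMapping(value = "/stoplist/list", method = RequestMethod.GET)
public String list(Model model, RedirectAttributes redirectAttributes) {
    ResponseEntity<StopList[]> response = rest
            .getForEntity(url + GET_STOPLISTS, StopList[].class);
    StopList[] body = response.getBody();
    // An empty response body would otherwise surface as a NullPointerException from Arrays.asList.
    List<StopList> stopLists = body == null
            ? Arrays.<StopList>asList()
            : Arrays.asList(body);
    model.addAttribute("stopLists", stopLists);
    model.addAttribute("statuses", stopListStatusService.getStatuses());
    return "stoplist/list";
}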

EDIT

This is the error from the SSL debug output:

%% Initialized:  [Session-9, SSL_NULL_WITH_NULL_NULL]
%% Negotiating:  [Session-9, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1408468126 bytes = { 213, 173, 54, 198, 230, 202, 88, 97, 42, 79, 55, 119, 27, 142, 36, 43, 5, 57, 253, 199, 137, 16, 164, 33, 194, 23, 252, 3 }
Session ID:  {84, 244, 133, 158, 1, 1, 80, 172, 43, 10, 200, 86, 210, 114, 88, 27, 242, 234, 134, 225, 250, 214, 117, 123, 89, 40, 52, 19, 31, 91, 230, 129}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=foobar.local.fr, OU=, O=Foobar, L=Paris, ST=IDF, C=FR
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 17873551704376252621337066011438935731124982380679074888239258718242577693980084871866038232161226183921086977872807171065830795558330050407051853909732539234554754775108738484107242320735591123804732670161140517056979030086644607856320823576544389615077121469346683515875104747974711156392280172179419943495119552151583926507974150548314632573554027715990421707711488843523976072146829151024198771388277399530062433472768889300935152050876683397212438756572717739782391714122195446777117318453876489612393844963820051354739631536150436678179552902391707261272184131867669573522118129274210625207071457186558022151991
  public exponent: 65537
  Validity: [From: Mon Feb 23 12:26:20 CET 2015,
               To: Tue Feb 23 12:26:20 CET 2016]
  Issuer: CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR
  SerialNumber: [    01]

Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
0020: 65                                                 e


[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  ...xT...v.O.....
0010: 9C 48 F0 81                                        .H..
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD 5A 11 D4 98 CC F4 55   27 B9 E1 9A C9 14 71 C3  .Z.....U'.....q.
0010: DC 9F 89 BA                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 01 1A 67 6A 0D D7 EF 9A   60 67 69 C7 50 93 25 31  ..gj....`gi.P.%1
0010: 66 F8 D1 7D 66 75 83 3D   29 DD 1B E9 E1 DF 48 D8  f...fu.=).....H.
0020: A5 D4 17 A7 4F 69 EE 39   07 01 0B 35 DF 4E 74 D7  ....Oi.9...5.Nt.
0030: E0 4D 9E F3 7D C4 5C D5   DA 65 69 1D 3F 79 4B 74  .M....\..ei.?yKt
0040: F5 2E 08 60 19 49 FB 34   FC B0 9F 7A FE D9 90 B2  ...`.I.4...z....
0050: 23 54 BA 72 56 BF EF 9A   0A 12 AC 86 0C B5 33 59  #T.rV.........3Y
0060: 45 4B 83 18 AA 35 C2 57   9D 0E 5B A7 CC F2 96 C6  EK...5.W..[.....
0070: DC 31 90 48 AC F8 F7 A5   E3 7E 8F 3E 20 D8 FD D6  .1.H.......> ...

]
chain [1] = [
[
  Version: V3
  Subject: CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 1024 bits
  modulus: 132055603310135333411301099149735722826599739048731080337866687250103025949282308877267022109690660707037152463921069014922135852771504050695844341544688717938327356933934545820945319090747289855270772215356209398740817770957350808711390501453687472411397460457910637293666746671504077301555960094739796556333
  public exponent: 65537
  Validity: [From: Mon Feb 23 12:23:13 CET 2015,
               To: Thu Feb 20 12:23:13 CET 2025]
  Issuer: CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR
  SerialNumber: [    f9a84ec8 f01a7af8]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  ...xT...v.O.....
0010: 9C 48 F0 81                                        .H..
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  ...xT...v.O.....
0010: 9C 48 F0 81                                        .H..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 4D DF D0 84 62 3A A5 99   F0 7D 23 2E D8 32 E1 44  M...b:....#..2.D
0010: 6A 3C 1B 24 AF B2 E6 0D   2B E1 3B 90 FC 4B 0D 06  j<.$....+.;..K..
0020: AA B1 BD ED 34 70 4C 29   DA 3A 76 FF 3B 85 25 41  ....4pL).:v.;.%A
0030: D9 CE D8 49 29 92 8A 36   FE DB 38 90 D7 63 41 FF  ...I)..6..8..cA.
0040: 8D CC AF D1 D8 B0 66 6E   16 47 56 2B 4B 5E F4 2B  ......fn.GV+K^.+
0050: 5B 8B 29 29 01 DA 66 9B   6E 8C 4B 9B D7 1E 75 9E  [.))..f.n.K...u.
0060: B2 6D CC 6D AD CD 86 07   3A DF B3 A9 F6 C6 90 BC  .m.m....:.......
0070: 1A 56 E3 3E 54 C5 8F 73   F1 84 0A E2 AA 96 4C 6E  .V.>T..s......Ln

]
***
*** ECDH ServerKeyExchange
Server key: SunPKCS11-NSS EC public key, 256 bits (id 29, session object)
  public x coord: 88435682761360727668194059877849397390548163708826164579762901608773423450627
  public y coord: 66727023089976500019857755203147735124035589358912185715028197516428368367793
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR>
*** ServerHelloDone
http-nio-8442-exec-8, WRITE: TLSv1 Handshake, length = 1971
http-nio-8442-exec-9, READ: TLSv1 Handshake, length = 77
*** Certificate chain
***
http-nio-8442-exec-9, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-9, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
http-nio-8442-exec-9, SEND TLSv1 ALERT:  fatal, description = bad_certificate
http-nio-8442-exec-9, WRITE: TLSv1 Alert, length = 2
http-nio-8442-exec-9, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8442-exec-9, called closeOutbound()
http-nio-8442-exec-9, closeOutboundInternal()
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
http-nio-8442-exec-10, READ: TLSv1 Handshake, length = 119
*** ClientHello, TLSv1
RandomCookie:  GMT: 1408468126 bytes = { 140, 238, 242, 169, 199, 232, 110, 52, 67, 214, 225, 196, 198, 99, 236, 1, 68, 152, 109, 110, 113, 6, 233, 2, 69, 240, 208, 221 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-10, SSL_NULL_WITH_NULL_NULL]
%% Negotiating:  [Session-10, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1408468126 bytes = { 205, 178, 45, 169, 223, 69, 94, 152, 51, 114, 181, 108, 18, 137, 103, 55, 100, 39, 58, 8, 134, 98, 112, 102, 169, 126, 76, 194 }
Session ID:  {84, 244, 133, 158, 69, 174, 112, 189, 82, 122, 239, 129, 39, 38, 254, 129, 167, 192, 98, 131, 238, 149, 190, 202, 133, 156, 118, 178, 254, 72, 149, 195}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=foobar.local.fr, OU=, O=Foobar, L=Paris, ST=IDF, C=FR
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 17873551704376252621337066011438935731124982380679074888239258718242577693980084871866038232161226183921086977872807171065830795558330050407051853909732539234554754775108738484107242320735591123804732670161140517056979030086644607856320823576544389615077121469346683515875104747974711156392280172179419943495119552151583926507974150548314632573554027715990421707711488843523976072146829151024198771388277399530062433472768889300935152050876683397212438756572717739782391714122195446777117318453876489612393844963820051354739631536150436678179552902391707261272184131867669573522118129274210625207071457186558022151991
  public exponent: 65537
  Validity: [From: Mon Feb 23 12:26:20 CET 2015,
               To: Tue Feb 23 12:26:20 CET 2016]
  Issuer: CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR
  SerialNumber: [    01]

Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
0020: 65                                                 e


[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  ...xT...v.O.....
0010: 9C 48 F0 81                                        .H..
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CD 5A 11 D4 98 CC F4 55   27 B9 E1 9A C9 14 71 C3  .Z.....U'.....q.
0010: DC 9F 89 BA                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 01 1A 67 6A 0D D7 EF 9A   60 67 69 C7 50 93 25 31  ..gj....`gi.P.%1
0010: 66 F8 D1 7D 66 75 83 3D   29 DD 1B E9 E1 DF 48 D8  f...fu.=).....H.
0020: A5 D4 17 A7 4F 69 EE 39   07 01 0B 35 DF 4E 74 D7  ....Oi.9...5.Nt.
0030: E0 4D 9E F3 7D C4 5C D5   DA 65 69 1D 3F 79 4B 74  .M....\..ei.?yKt
0040: F5 2E 08 60 19 49 FB 34   FC B0 9F 7A FE D9 90 B2  ...`.I.4...z....
0050: 23 54 BA 72 56 BF EF 9A   0A 12 AC 86 0C B5 33 59  #T.rV.........3Y
0060: 45 4B 83 18 AA 35 C2 57   9D 0E 5B A7 CC F2 96 C6  EK...5.W..[.....
0070: DC 31 90 48 AC F8 F7 A5   E3 7E 8F 3E 20 D8 FD D6  .1.H.......> ...

]
chain [1] = [
[
  Version: V3
  Subject: CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 1024 bits
  modulus: 132055603310135333411301099149735722826599739048731080337866687250103025949282308877267022109690660707037152463921069014922135852771504050695844341544688717938327356933934545820945319090747289855270772215356209398740817770957350808711390501453687472411397460457910637293666746671504077301555960094739796556333
  public exponent: 65537
  Validity: [From: Mon Feb 23 12:23:13 CET 2015,
               To: Thu Feb 20 12:23:13 CET 2025]
  Issuer: CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR
  SerialNumber: [    f9a84ec8 f01a7af8]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  ...xT...v.O.....
0010: 9C 48 F0 81                                        .H..
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  ...xT...v.O.....
0010: 9C 48 F0 81                                        .H..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 4D DF D0 84 62 3A A5 99   F0 7D 23 2E D8 32 E1 44  M...b:....#..2.D
0010: 6A 3C 1B 24 AF B2 E6 0D   2B E1 3B 90 FC 4B 0D 06  j<.$....+.;..K..
0020: AA B1 BD ED 34 70 4C 29   DA 3A 76 FF 3B 85 25 41  ....4pL).:v.;.%A
0030: D9 CE D8 49 29 92 8A 36   FE DB 38 90 D7 63 41 FF  ...I)..6..8..cA.
0040: 8D CC AF D1 D8 B0 66 6E   16 47 56 2B 4B 5E F4 2B  ......fn.GV+K^.+
0050: 5B 8B 29 29 01 DA 66 9B   6E 8C 4B 9B D7 1E 75 9E  [.))..f.n.K...u.
0060: B2 6D CC 6D AD CD 86 07   3A DF B3 A9 F6 C6 90 BC  .m.m....:.......
0070: 1A 56 E3 3E 54 C5 8F 73   F1 84 0A E2 AA 96 4C 6E  .V.>T..s......Ln

]
***
*** ECDH ServerKeyExchange
Server key: SunPKCS11-NSS EC public key, 256 bits (id 31, session object)
  public x coord: 82317176627777400080969427008122698876038266920719544030054872275465766936879
  public y coord: 102586726315109152054956448913654086854678931679594542226797455269716243817047
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR>
*** ServerHelloDone
http-nio-8442-exec-10, WRITE: TLSv1 Handshake, length = 1971
http-nio-8442-exec-1, READ: TLSv1 Handshake, length = 77
*** Certificate chain
***
http-nio-8442-exec-1, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-10, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
http-nio-8442-exec-1, SEND TLSv1 ALERT:  fatal, description = bad_certificate
http-nio-8442-exec-1, WRITE: TLSv1 Alert, length = 2
http-nio-8442-exec-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8442-exec-1, called closeOutbound()
http-nio-8442-exec-1, closeOutboundInternal()
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
http-nio-8442-exec-2, READ: TLSv1 Handshake, length = 119
*** ClientHello, TLSv1
RandomCookie:  GMT: 1408468135 bytes = { 215, 211, 227, 248, 124, 218, 223, 106, 143, 229, 116, 69, 89, 6, 97, 37, 100, 254, 95, 156, 211, 212, 75, 221, 198, 218, 194, 133 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-11, SSL_NULL_WITH_NULL_NULL]
%% Negotiating:  [Session-11, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1408468135 bytes = { 235, 122, 54, 29, 155, 253, 113, 171, 1, 157, 182, 247, 112, 3, 136, 0, 154, 235, 43, 179, 46, 105, 46, 102, 69, 245, 132, 137 }
Session ID:  {84, 244, 133, 167, 21, 195, 55, 72, 178, 78, 129, 190, 51, 97, 203, 61, 138, 53, 77, 62, 19, 63, 47, 128, 36, 243, 139, 163, 51, 138, 105, 103}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=foobar.local.fr, OU=, O=Foobar, L=Paris, ST=IDF, C=FR
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 17873551704376252621337066011438935731124982380679074888239258718242577693980084871866038232161226183921086977872807171065830795558330050407051853909732539234554754775108738484107242320735591123804732670161140517056979030086644607856320823576544389615077121469346683515875104747974711156392280172179419943495119552151583926507974150548314632573554027715990421707711488843523976072146829151024198771388277399530062433472768889300935152050876683397212438756572717739782391714122195446777117318453876489612393844963820051354739631536150436678179552902391707261272184131867669573522118129274210625207071457186558022151991
  public exponent: 65537
  Validity: [From: Mon Feb 23 12:26:20 CET 2015,
               To: Tue Feb 23 12:26:20 CET 2016]
  Issuer: CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR
  SerialNumber: [    01]

Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
0020: 65                                                 e


[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  
  public exponent: 65537
  Validity: [From: Mon Feb 23 12:23:13 CET 2015,
               To: Thu Feb 20 12:23:13 CET 2025]
  Issuer: CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR
  SerialNumber: [    f9a84ec8 f01a7af8]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  ...xT...v.O.....
0010: 9C 48 F0 81                                        .H..
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7B 92 19 78 54 BF C0 91   76 18 4F CC A9 7B D0 1A  ...xT...v.O.....
0010: 9C 48 F0 81                                        .H..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 4D DF D0 84 62 3A A5 99   F0 7D 23 2E D8 32 E1 44  M...b:....#..2.D
0010: 6A 3C 1B 24 AF B2 E6 0D   2B E1 3B 90 FC 4B 0D 06  j<.$....+.;..K..
0020: AA B1 BD ED 34 70 4C 29   DA 3A 76 FF 3B 85 25 41  ....4pL).:v.;.%A
0030: D9 CE D8 49 29 92 8A 36   FE DB 38 90 D7 63 41 FF  ...I)..6..8..cA.
0040: 8D CC AF D1 D8 B0 66 6E   16 47 56 2B 4B 5E F4 2B  ......fn.GV+K^.+
0050: 5B 8B 29 29 01 DA 66 9B   6E 8C 4B 9B D7 1E 75 9E  [.))..f.n.K...u.
0060: B2 6D CC 6D AD CD 86 07   3A DF B3 A9 F6 C6 90 BC  .m.m....:.......
0070: 1A 56 E3 3E 54 C5 8F 73   F1 84 0A E2 AA 96 4C 6E  .V.>T..s......Ln

]
***
*** ECDH ServerKeyExchange
Server key: SunPKCS11-NSS EC public key, 256 bits (id 33, session object)
  public x coord: 5547972569743189789375895400251466149348298431651377498612140625475720275323
  public y coord: 68697457441334072138138225562240897704355234359447787660082646450870248690425
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=*.local.fr, O=FoobarCA, L=Paris, ST=IDF, C=FR>
*** ServerHelloDone
http-nio-8442-exec-2, WRITE: TLSv1 Handshake, length = 1971
http-nio-8442-exec-4, READ: TLSv1 Handshake, length = 77
*** Certificate chain
***
http-nio-8442-exec-4, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-11, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
http-nio-8442-exec-4, SEND TLSv1 ALERT:  fatal, description = bad_certificate
http-nio-8442-exec-4, WRITE: TLSv1 Alert, length = 2
http-nio-8442-exec-4, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8442-exec-4, called closeOutbound()
http-nio-8442-exec-4, closeOutboundInternal()
http-nio-8442-ClientPoller-0, called closeOutbound()
http-nio-8442-ClientPoller-0, closeOutboundInternal()
http-nio-8442-ClientPoller-0, SEND TLSv1.2 ALERT:  warning, description = close_notify
http-nio-8442-ClientPoller-0, WRITE: TLSv1.2 Alert, length = 48

Can someone help me? How do I fix this, and how can I send the client certificate with the HTTP request?

EDIT

I found a solution to my problem: I changed my REST client config like this.

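@Configuration
@PropertySource("classpath:config/local/general.properties")
public class RestClientConfig {

    /**
     * {@link RestTemplate} wired to the TLS-aware request factory defined below.
     *
     * @param clientHttpRequestFactory the factory produced by
     *        {@link #clientHttpRequestFactory(HttpClient)}
     * @return a {@link RestOperations} that sends every request through the configured client
     */
    @Bean
    public RestOperations restOperations(
            ClientHttpRequestFactory clientHttpRequestFactory) throws Exception {
        return new RestTemplate(clientHttpRequestFactory);
    }

    /**
     * Bridges the Apache {@link HttpClient} into Spring's request-factory abstraction.
     *
     * @param httpClient the client built by {@link #httpClient(String, String, String, String)}
     * @return a request factory backed by {@code httpClient}
     */
    @Bean
    public ClientHttpRequestFactory clientHttpRequestFactory(
            HttpClient httpClient) {
        return new HttpComponentsClientHttpRequestFactory(httpClient);
    }

    /**
     * Builds an {@link HttpClient} for mutual TLS: the keystore supplies the client certificate
     * presented when the server sends a CertificateRequest, the truststore decides which server
     * certificates are accepted.
     *
     * <p>Fix over the previous revision: the keystore stream was never closed (the second
     * {@code finally} closed the truststore stream a second time). Both stores now go through
     * {@link #loadKeyStore(String, String)}, which always closes the stream it opened.
     *
     * @param truststoreFile path to the truststore ({@code general.truststoreFile})
     * @param truststorePass truststore password ({@code general.truststorePass})
     * @param keystoreFile   path to the keystore holding the client key pair ({@code general.keystoreFile})
     * @param keystorePass   keystore password, also used as the key password ({@code general.keystorePass})
     * @return an {@link HttpClient} that presents the client certificate during the handshake
     * @throws Exception if either store cannot be read or the SSL context cannot be built
     */
    @Bean
    public HttpClient httpClient(@Value("${general.truststoreFile}") String truststoreFile,
            @Value("${general.truststorePass}") String truststorePass, @Value("${general.keystoreFile}") String keystoreFile, @Value("${general.keystorePass}") String keystorePass) throws Exception {
        KeyStore trustStore = loadKeyStore(truststoreFile, truststorePass);
        KeyStore keystore = loadKeyStore(keystoreFile, keystorePass);

        // NOTE(review): TrustSelfSignedStrategy also accepts self-signed peer certificates that
        // are not in the store (per the HttpClient docs) -- confirm that is intended outside dev.
        SSLContext sslcontext = SSLContexts.custom()
                .loadKeyMaterial(keystore, keystorePass.toCharArray())
                .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
                .build();
        // NOTE(review): "TLSv1" is deprecated; the earlier revision used "TLSv1.2", which should
        // be preferred where the server supports it. ALLOW_ALL_HOSTNAME_VERIFIER disables hostname
        // checking entirely, so any certificate issued by the trusted CA is accepted for any host;
        // suitable for a local profile only -- use a verifying hostname verifier elsewhere.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslcontext, new String[] {"TLSv1"}, null,
                ALLOW_ALL_HOSTNAME_VERIFIER);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    /**
     * Loads a {@link KeyStore} of the JVM default type from {@code path}, closing the file
     * stream whether or not loading succeeds.
     *
     * @param path     file system path of the store
     * @param password store password
     * @return the loaded store
     * @throws Exception if the file cannot be read or the store cannot be parsed
     */
    private static KeyStore loadKeyStore(String path, String password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try {
            store.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return store;
    }

    /**
     * Resolves the {@code ${...}} placeholders used in the {@link Value} annotations above.
     * Declared {@code static}, as Spring recommends for bean-factory post-processors.
     */
    @Bean
    public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
        return new PropertySourcesPlaceholderConfigurer();
    }
}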



Did you remember to import your certificates into the store? Is the password correct (the default is changeit)?

But I believe the problem comes from the fact that the truststore on the connector is used only by the Tomcat connector, not by the "system" connection. Try adding the following to Tomcat's JAVA_OPTS:

-Djavax.net.ssl.trustStore=/home/user/cacerts.jks -Djavax.net.ssl.trustStorePassword=cacertspassword