SSL Handshake ending with javax.net.ssl.SSLException: readHandshakeRecord

We are trying to have client-server auth. The client and the server have 2 machines certificates signed by the same CA and Intermidiate CA. When tryng to initiate the handshake with javax.net.debug=ssl:handshake these are the logs after printing out the varoius certificates. The used protocol is TLS v.1.2 and the java is an OpenJDK 11

javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message ( "CertificateRequest": { "certificate types": [rsa_sign, dss_sign, ecdsa_sign] "supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] "certificate authorities": [VARIOUS CAs] } ) javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|X509Authentication.java:213|No X.509 cert selected for EC javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for DSA javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1 javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1 javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateRequest.java:775|No available authentication scheme javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message ( <empty> ) javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:321|Produced client Certificate handshake message ( "Certificates": <empty list> ) javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.913 CEST|ECDHClientKeyExchange.java:396|Produced ECDHE ClientKeyExchange handshake message ( "ECDH ClientKeyExchange": { "ecdh public": { 0000: 04 11 88 67 1F E4 73 35 2B 1A 81 23 BF D7 40 57 ...g..s5+..#..@W .....AND MORE k }, } ) javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.921 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message javax.net.ssl|ERROR|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.925 CEST|TransportContext.java:318|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking ( "throwable" : { javax.net.ssl.SSLException: readHandshakeRecord at (SSLSocketImpl.java:1320) at (SSLSocketImpl.java:440) at (SSLSocketImpl.java:411) 

Update: it seems that in the JKS the certificate wit the correct algorithm cannot be found, used a piece of code to check if it can be found manually and it is working fine. Is there any other way to check the certificates availble that are not matching?

Update 2: Full debug masked

javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|ClientHello.java:653|Produced ClientHello handshake message ( "ClientHello": { "client version" : "TLSv1.2", "random" : "31 18 43 1E A8 0B 29 B4 5A F0 F2 A3 C1 2D 0A 35 AA A4 93 79 5A 5E 38 88 48 ED 1E AF 76 A0 4A E6", "session id" : "10 17 F6 A9 A3 E9 E1 4E 80 5E A0 95 7C 7B 53 03 17 59 84 98 55 71 A9 4F 13 68 C2 24 3A E6 CD 09", "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]", "compression methods" : "00", "extensions" : [ "server_name (0)": { type=host_name (0), value=clienthostname.dmz.test-group.net }, "status_request (5)": { "certificate status type": ocsp "OCSP status request": { "responder_id": <empty> "request extensions": { <empty> } } }, "supported_groups (10)": { "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192] }, "ec_point_formats (11)": { "formats": [uncompressed] }, "signature_algorithms (13)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] }, "signature_algorithms_cert (50)": { "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] }, "status_request_v2 (17)": { "cert status request": { "certificate status type": ocsp_multi "OCSP status request": { "responder_id": <empty> "request extensions": { <empty> } } } }, "extended_master_secret (23)": { <empty> }, "supported_versions (43)": { "versions": [TLSv1.3, TLSv1.2] }, "psk_key_exchange_modes (45)": { "ke_modes": [psk_dhe_ke] }, "key_share (51)": { "client_shares": [ { "named group": x25519 "key_exchange": { 0000: 79 10 30 AA 4A 56 70 8B 51 26 11 78 9 ..AND MORE } }, ] } ] } ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS13 handshake, length = 409 12:42:58.868 CEST|SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 3968 javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.873 CEST|SSLSocketInputRecord.java:247|READ: TLSv1.2 handshake, length = 3968 javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.874 CEST|ServerHello.java:872|Consuming ServerHello handshake message ( "ServerHello": { "server version" : "TLSv1.2", "random" : "61 1C E4 32 61 9B 53 5D B7 CF 38 FC DC 1A 01 86 42 67 0B 44 64 05 CF CB 88 01 A1 D7 45 6A 30 50", "session id" : "61 1C E4 32 64 3A 16 64 2B 53 63 A5 68 C6 6B 1A 25 8F 9B 11 04 5D 42 A4 3B 0E 12 6E 57 57 15 C6", "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)", "compression methods" : "00", "extensions" : [ "renegotiation_info (65,281)": { "renegotiated connection": [<no renegotiated connection>] } ] } ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|ServerHello.java:968|Negotiated protocol version: TLSv1.2 javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: server_name javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: ec_point_formats javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2 javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: supported_versions javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: key_share javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: pre_shared_key javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLSessionImpl.java:210|Session initialized: Session(1629283378875|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2 javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: extended_master_secret javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_versions javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: key_share javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.878 CEST|CertificateMessage.java:366|Consuming server Certificate handshake message ( "Certificates": [ "certificate" : { "version" : "v3", "serial number" : "12 2F 77 E8 55 D7 E6 2A 5C 5A BC 82 98 CD 5F 94", "signature algorithm": "SHA256withRSA", "issuer" : "CN=TEST Corporate System CA, O=TEST Group", "not before" : "2019-02-06 11:52:50.000 CET", "not after" : "2022-02-06 11:52:50.000 CET", "subject" : "CN=prestest.sis.dom, OU=b2c, O=TEST Group AG, L=Dallas, ST=Dallas, C=COM", "subject public key" : "RSA", "extensions" : [ { ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: A8 E2 82 6A BA CD 96 8E 7C ..AND MORE ] }, { ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:false PathLen: undefined ] }, { ObjectId: 2.5.29.37 Criticality=false ExtendedKeyUsages [ serverAuth clientAuth timeStamping ] }, { ObjectId: 2.5.29.18 Criticality=false IssuerAlternativeName [ CN=TEST Corporate System CA, O=TEST Group RFC822Name: ] }, { ObjectId: 2.5.29.15 Criticality=false KeyUsage [ DigitalSignature Key_Encipherment ] }, { ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ DNSName: prestest.sis.dom ] }, { ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 1F B0 29 8F 09 13 12 A2 ..AND MORE ] ] } ]}, "certificate" : { "version" : "v3", "serial number" : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59", "signature algorithm": "SHA256withRSA", "issuer" : "CN=TEST Corporate Root CA, O=TEST Group", "not before" : "2017-10-20 15:23:27.000 CEST", "not after" : "2027-10-19 15:23:27.000 CEST", "subject" : "CN=TEST Corporate System CA, O=TEST Group", "subject public key" : "RSA", "extensions" : [ { ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: D0 69 0E 0C 2A B6 1F 4C D4 B1 B4 7C 59 3A ] ] }, { ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] }, { ObjectId: 2.5.29.18 Criticality=false IssuerAlternativeName [ CN=TEST Corporate Root CA, O=TEST Group RFC822Name: ] }, { ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] }, { ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ CN=TEST Corporate System CA, O=TEST Group RFC822Name: ] }, { ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: A8 E2 82 6A BA CD 96 8E 7C CE 36 F9 2E A9 DC ] ] } ]}, "certificate" : { "version" : "v3", "serial number" : "13 B8 D6 3B 49 E6 08 EA 59 E9 E8 3E 59 5E 06 E3", "signature algorithm": "SHA256withRSA", "issuer" : "CN=TEST Corporate Root CA, O=TEST Group", "not before" : "2017-10-20 14:12:46.000 CEST", "not after" : "2027-10-20 14:12:46.000 CEST", "subject" : "CN=TEST Corporate Root CA, O=TEST Group", "subject public key" : "RSA", "extensions" : [ { ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] }, { ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] }, { ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ CN=TEST Corporate Root CA, O=TEST Group RFC822Name: ] }, { ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: D0 69 0E 0C 2A B6 1F 4C D4 B1 B4 7C 59 3A ..AND MORE ] ] } ]} ] ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.879 CEST|X509TrustManagerImpl.java:238|Found trusted certificate ( "certificate" : { "version" : "v3", "serial number" : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59", "signature algorithm": "SHA256withRSA", "issuer" : "CN=TEST Corporate Root CA, O=TEST Group", "not before" : "2017-10-20 15:23:27.000 CEST", "not after" : "2027-10-19 15:23:27.000 CEST", "subject" : "CN=TEST Corporate System CA, O=TEST Group", "subject public key" : "RSA", "extensions" : [ { ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: D0 69 ..AND MORE ] ] }, { ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] }, { ObjectId: 2.5.29.18 Criticality=false IssuerAlternativeName [ CN=TEST Corporate Root CA, O=TEST Group RFC822Name: ] }, { ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] }, { ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName [ CN=TEST Corporate System CA, O=TEST Group RFC822Name: ] }, { ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: A8 E2 8 ] ] } ]} ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|ECDHServerKeyExchange.java:505|Consuming ECDH ServerKeyExchange handshake message ( "ECDH ServerKeyExchange": { "parameters": { "named group": "secp256r1" "ecdh public": { 0000: 04 25 ..AND MORE }, }, "digital signature": { "signature algorithm": "rsa_pkcs1_sha256" "signature": { 0000: 13 FA 5 ..AND MORE }, } } ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message ( "CertificateRequest": { "certificate types": [rsa_sign, dss_sign, ecdsa_sign] "supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1] "certificate authorities": [CN=TEST Corporate Root CA, O=TEST Group, CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=TEST Corporate Root CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=Test Service ID CA 1024 Class 1, C=COM, OU=Class 1 (Service Certificates), OU=CA Services, O=Test Services AG] } ) javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for EC javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for RSA javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for DSA javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for EC javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for RSA javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1 javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1 javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:775|No available authentication scheme javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message ( <empty> ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:330|Produced client Certificate handshake message ( "Certificates": <empty list> ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 7 javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:255|Raw write ( 0000: 16 03 03 00 07 0B 00 00 03 00 00 00 ............ ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|ECDHClientKeyExchange.java:400|Produced ECDHE ClientKeyExchange handshake message ( "ECDH ClientKeyExchange": { "ecdh public": { 0000: 04 88 CE ..AND MORE . }, } ) javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 70 

Update 3: it seems to me that the keystore is not being loaded, from custom code it gets corrected loaded.

6

1 Answer

The issue was with the Axis client calling the Server. Axis was loading the configuration from the client-config.wsdd from a product library am-client.jar that was setting as default the following property:

 <parameter name="axis.socketSecureFactory" value="com.rsa.webservice.transport.IMSSecureSocketFactory" /> 

The IMSSecureSocketFactory is NOT reading the property from the system for the keystore (javax.net.ssl.keyStore). So the X509Authentication was reading from a KeyManager with no entry resulting in no certificate matching.

Adding the following propetiy to the AxisProperties solved the issue:

AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.JSSESocketFactory"); 

I hope this can help someone else, it was really challenging to debug.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like