Received fatal alert bad_certificate during client certificate request after server side update to OpenJDK 8u272 or later
Issue
Client side error:
...
[11/19/20 13:40:36:161 EET] 00000304 SystemOut O *** CertificateRequest
[11/19/20 13:40:36:161 EET] 00000304 SystemOut O Cert Types: ECDSA, RSA, DSS
...
[11/19/20 13:40:36:162 EET] 00000304 SystemOut O *** ServerHelloDone
...
[11/19/20 13:40:36:162 EET] 00000304 SystemOut O ClientHandshaker: KeyManager com.ibm.ws.ssl.core.WSX509KeyManager
...
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana > chooseClientAlias Entry
[Ljava.lang.String;@d2ad63ed
[Ljavax.security.auth.x500.X500Principal;@d7faa12b
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana 3 keyType[0]=EC
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana 3 keyType[1]=RSA
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana 3 keyType[2]=DSA
[11/19/20 13:40:36:162 EET] 00000304 ThreadManager > getOutboundConnectionInfoInternal Entry
...
[11/19/20 13:40:36:162 EET] 00000304 KeyManagerHel > normalizeAliasName Entry
<null>
[11/19/20 13:40:36:162 EET] 00000304 KeyManagerHel < normalizeAliasName Exit
<null>
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana < chooseClientAlias (from JSSE) Exit
<null>
[11/19/20 13:40:36:162 EET] 00000304 SystemOut O Warning: no suitable certificate found - continuing without client authentication
[11/19/20 13:40:36:162 EET] 00000304 SystemOut O *** Certificate chain
[11/19/20 13:40:36:162 EET] 00000304 SystemOut O ***
...
[11/19/20 13:40:36:175 EET] 00000304 SystemOut O SIBJMSRAThreadPool : 1, READ: TLSv1.2 Alert, length = 2
[11/19/20 13:40:36:175 EET] 00000304 SystemOut O SIBJMSRAThreadPool : 1, RECV TLSv1.2 ALERT: fatal, bad_certificate
[11/19/20 13:40:36:175 EET] 00000304 SystemOut O %% Invalidated: [Session-945, SSL_NULL_WITH_NULL_NULL]
[11/19/20 13:40:36:175 EET] 00000304 SystemOut O %% Invalidated: [Session-946, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384]
[11/19/20 13:40:36:175 EET] 00000304 SystemOut O SIBJMSRAThreadPool : 1, called closeSocket()
[11/19/20 13:40:36:176 EET] 00000304 SystemOut O SIBJMSRAThreadPool : 1, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
[11/19/20 13:40:36:176 EET] 00000304 SystemOut O %% Invalidated: [Session-945, SSL_NULL_WITH_NULL_NULL]
[11/19/20 13:40:36:176 EET] 00000304 SystemOut O %% Invalidated: [Session-946, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384]
[11/19/20 13:40:36:176 EET] 00000304 SystemOut O SIBJMSRAThreadPool : 1, called closeSocket()
[11/19/20 13:40:36:176 EET] 00000304 SystemOut O SIBJMSRAThreadPool : 1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
...
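The client-side trace above can be triaged mechanically. The following Python script is an added example, not part of the Red Hat article or of IBM's code: it walks an excerpt of that trace (constructed here from the lines shown above, same format) and reports which key types JSSE asked the WAS key manager for, that no alias was chosen, and that the resulting empty client Certificate message was answered with a fatal bad_certificate alert.

```python
import re

# Constructed excerpt of the client-side WAS trace quoted above (same format, trimmed)
CLIENT_TRACE = """\
[11/19/20 13:40:36:161 EET] 00000304 SystemOut O *** CertificateRequest
[11/19/20 13:40:36:161 EET] 00000304 SystemOut O Cert Types: ECDSA, RSA, DSS
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana > chooseClientAlias Entry
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana 3 keyType[0]=EC
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana 3 keyType[1]=RSA
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana 3 keyType[2]=DSA
[11/19/20 13:40:36:162 EET] 00000304 WSX509KeyMana < chooseClientAlias (from JSSE) Exit
<null>
[11/19/20 13:40:36:162 EET] 00000304 SystemOut O Warning: no suitable certificate found - continuing without client authentication
[11/19/20 13:40:36:175 EET] 00000304 SystemOut O SIBJMSRAThreadPool : 1, RECV TLSv1.2 ALERT: fatal, bad_certificate
"""

KEYTYPE_RE = re.compile(r"keyType\[\d+\]=(\w+)")          # key types JSSE passed to chooseClientAlias
ALIAS_EXIT_RE = re.compile(r"chooseClientAlias .*Exit")    # WAS prints the return value on the next line
ALERT_RE = re.compile(r"RECV TLSv1\.[23] ALERT: fatal, (\w+)")

def triage_client_trace(trace):
    """Walk the trace in order; return what the client key manager was asked for and what happened."""
    result = {"requested_key_types": [], "chosen_alias": None,
              "empty_client_cert": False, "fatal_alert": None}
    lines = trace.splitlines()
    for i, line in enumerate(lines):
        m = KEYTYPE_RE.search(line)
        if m:
            result["requested_key_types"].append(m.group(1))
        elif ALIAS_EXIT_RE.search(line):
            value = lines[i + 1].strip() if i + 1 < len(lines) else ""
            result["chosen_alias"] = None if value in ("", "<null>") else value
        elif "no suitable certificate found" in line:
            result["empty_client_cert"] = True   # client will send an empty Certificate message
        else:
            m = ALERT_RE.search(line)
            if m:
                result["fatal_alert"] = m.group(1)
    return result

def diagnose(result):
    """Map the parsed events to a one-line root cause in the terms used by the page."""
    if result["empty_client_cert"] and result["fatal_alert"] == "bad_certificate":
        return ("client key manager chose no alias for key types "
                + ",".join(result["requested_key_types"])
                + "; server rejected the empty client Certificate (bad_certificate)")
    if result["fatal_alert"]:
        return "handshake failed with fatal alert " + result["fatal_alert"]
    return "no client-auth failure detected"
```

Run it against a full trace.log from the client JVM to confirm the same signature before looking at the keystore or the key manager configuration.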
Server side error:
...
javax.net.ssl|FINE|1E|https-jsse-nio-8081-exec-1|2020-11-19 13:40:36.161 EET|Logger.java:765|Produced CertificateRequest handshake message (
"CertificateRequest": {
"certificate types": [ecdsa_sign, rsa_sign, dss_sign]
...
}
)
javax.net.ssl|FINE|1E|https-jsse-nio-8081-exec-1|2020-11-19 13:40:36.161 EET|Logger.java:765|Produced ServerHelloDone handshake message (
<empty>
)
...
javax.net.ssl|FINE|1F|https-jsse-nio-8081-exec-2|2020-11-19 13:40:36.166 EET|Logger.java:765|Consuming client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|SEVERE|1F|https-jsse-nio-8081-exec-2|2020-11-19 13:40:36.168 EET|Logger.java:765|Fatal (BAD_CERTIFICATE): Empty server certificate chain (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Empty server certificate chain
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:443)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:507)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:238)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1568)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)}
)
...
Environment
- Red Hat Enterprise Linux (RHEL) 7
- Red Hat OpenJDK 8
  - Upgrade from OpenJDK 8u265 to 8u272
  - Server side application
- IBM WebSphere Application Server (WAS)
  - IBM Java version 1.8.0_261 (Java Runtime Version = 8.0.6.15)
  - Client side application
- SSL handshake with mutual authentication between the client and server applications