IcedTea-Web 2-way SSL Authentication using CAC card as client certificate handshake failure

Solution In Progress - Updated -

Issue

  • IcedTea-Web fails to connect to an F5 load balancer that requires two-way (mutual) TLS, with the following exception:
Thread# 48834e0c, name itwpool-1-itwthread-1
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
        at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:92)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1490)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1488)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:784)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1487)
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352)
        at net.sourceforge.jnlp.cache.ResourceDownloader.getUrlResponseCodeWithRedirectonResult(ResourceDownloader.java:78)
        at net.sourceforge.jnlp.cache.ResourceDownloader.findBestUrl(ResourceDownloader.java:298)
        at net.sourceforge.jnlp.cache.ResourceDownloader.initializeOnlineResource(ResourceDownloader.java:132)
        at net.sourceforge.jnlp.cache.ResourceDownloader.initializeResource(ResourceDownloader.java:124)
        at net.sourceforge.jnlp.cache.ResourceDownloader.run(ResourceDownloader.java:113)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

Environment

  • IcedTea-Web
  • Windows
  • Client certificate stored in hardware on a smartcard/CAC.
  • Private key cannot be exported to the filesystem.
  • Certificate is accessible through the Windows certificate store.
