IcedTea-Web 2-way SSL Authentication using CAC card as client certificate handshake failure
Issue
- IcedTea-Web fails to connect to an F5 load balancer (LB) that requires two-way (mutual) TLS, with the following exception:
Thread# 48834e0c, name itwpool-1-itwthread-1
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
    at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:92)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1490)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1488)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:784)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1487)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352)
    at net.sourceforge.jnlp.cache.ResourceDownloader.getUrlResponseCodeWithRedirectonResult(ResourceDownloader.java:78)
    at net.sourceforge.jnlp.cache.ResourceDownloader.findBestUrl(ResourceDownloader.java:298)
    at net.sourceforge.jnlp.cache.ResourceDownloader.initializeOnlineResource(ResourceDownloader.java:132)
    at net.sourceforge.jnlp.cache.ResourceDownloader.initializeResource(ResourceDownloader.java:124)
    at net.sourceforge.jnlp.cache.ResourceDownloader.run(ResourceDownloader.java:113)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Environment
- IcedTea-Web
- Windows
- Client certificate stored in hardware on a smartcard/CAC.
- Private key cannot be exported to the filesystem.
- Certificate is accessible through the Windows certificate store.