Bekzot Asimov Bekzot Asimov - 1 month ago 12
Java Question

Java ssl handshake failure (SSLPoke)

I have the cert already imported to the truststore, but still cannot
connect successfully to this url. I have tried all the ways, can
anyone see the output and help out what is going on?

java -Djavax.net.debug=all SSLPoke services.americanexpress.com 443

keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/java/jdk1.8.0_60/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
......
adding as trusted cert:
Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US
Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x35f39c9233cdc61333b1d58614e578b2
Valid from Wed Jun 26 00:00:00 UTC 2013 until Fri Sep 01 23:59:59 UTC 2017
....

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1464494977 bytes = { 253, 148, 218, 101, 153, 160, 57, 246, 36, 129, 111, 62, 106, 226, 141, 140, 102, 47, 123, 244, 108, 192, 12, 140, 187, 249, 208, 106 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 28_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=services.americanexpress.com]
***
[write] MD5 and SHA1 hashes: len = 232

00B0: 03 05 01 04 03 04 01 03 03 03 01 02 03 02 01 02 ................
00C0: 02 01 01 00 00 00 21 00 1F 00 00 1C 73 65 72 76 ......!.....serv
00D0: 69 63 65 73 2E 61 6D 65 72 69 63 61 6E 65 78 70 ices.americanexp
00E0: 72 65 73 73 2E 63 6F 6D ress.com
main, WRITE: TLSv1.2 Handshake, length = 232
[Raw write]: length = 237
0000: 16 03 03 00 E8 01 00 00 E4 03 03 57 4A 6C 81 FD ...........WJl..
0010: 94 DA 65 99 A0 39 F6 24 81 6F 3E 6A E2 8D 8C 66 ..e..9.$.o>j...f
0020: 2F 7B F4 6C C0 0C 8C BB F9 D0 6A 00 00 3A C0 23 /..l......j..:.#
0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./..

00D0: 1C 73 65 72 76 69 63 65 73 2E 61 6D 65 72 69 63 .services.americ
00E0: 61 6E 65 78 70 72 65 73 73 2E 63 6F 6D anexpress.com
[Raw read]: length = 5
0000: 16 03 03 00 51 ....Q
[Raw read]: length = 81
0000: 02 00 00 4D 03 03 90 E6 BB 39 B7 B1 8E 67 DA 71 ...M.....9...g.q
0010: 65 74 25 D1 B7 CF ED D4 1A 6C 2B 0B 06 8C 0E 5E et%......l+....^
0020: 25 07 3F 8D E3 6F 20 49 AD 22 CA E7 8B 8A E5 41 %.?..o I.".....A
0030: BE 9A B5 25 E0 70 D8 F9 73 A0 E0 5D 2F F3 3C AD ...%.p..s..]/.<.
0040: DE 1E 88 98 3B 65 B1 00 3C 00 00 05 FF 01 00 01 ....;e..<.......
0050: 00 .
main, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1880769735 bytes = { 183, 177, 142, 103, 218, 113, 101, 116, 37, 209, 183, 207, 237, 212, 26, 108, 43, 11, 6, 140, 14, 94, 37, 7, 63, 141, 227, 111 }
Session ID: {73, 173, 34, 202, 231, 139, 138, 229, 65, 190, 154, 181, 37, 224, 112, 216, 249, 115, 160, 224, 93, 47, 243, 60, 173, 222, 30, 136, 152, 59, 101, 177}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
** TLS_RSA_WITH_AES_128_CBC_SHA256
[read] MD5 and SHA1 hashes: len = 81
0000: 02 00 00 4D 03 03 90 E6 BB 39 B7 B1 8E 67 DA 71 ...M.....9...g.q
0010: 65 74 25 D1 B7 CF ED D4 1A 6C 2B 0B 06 8C 0E 5E et%......l+....^
0020: 25 07 3F 8D E3 6F 20 49 AD 22 CA E7 8B 8A E5 41 %.?..o I.".....A
0030: BE 9A B5 25 E0 70 D8 F9 73 A0 E0 5D 2F F3 3C AD ...%.p..s..]/.<.
0040: DE 1E 88 98 3B 65 B1 00 3C 00 00 05 FF 01 00 01 ....;e..<.......
0050: 00 .
[Raw read]: length = 5
0000: 16 03 03 10 8E .....
[Raw read]: length = 4238

0310: 03 55 1D 0F 01 01 FF 04 04 03 02 05 A0 30 34 06 .U...........04.
0320: 03 55 1D 25 04 2D 30 2B 06 08 2B 06 01 05 05 07 .U.%.-0+..+.....


0450: 33 2D 61 69 61 2E 76 65 72 69 73 69 67 6E 2E 63 3-aia.verisign.c
0460: 6F 6D 2F 53 56 52 49 6E 74 6C 47 33 2E 63 65 72 om/SVRIntlG3.cer

main, READ: TLSv1.2 Handshake, length = 4238
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus: 30229676159696194917135440681975777728948709702479449945212097279930911021756291412408692828743836980749310830284879195994844527811837445892117218165863252223136982773
public exponent: 65537
Validity: [From: Wed Jun 26 00:00:00 UTC 2013,
To: Fri Sep 01 23:59:59 UTC 2017]
Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 35f39c92 33cdc613 33b1d586 14e578b2]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.verisign.com
,
accessMethod: caIssuers
accessLocation: URIName: http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D7 9B 7C D8 22 A0 15 F7 DD AD 5F CE 29 9B 58 C3 ...."....._.).X.
0010: BC 46 00 B5 .F..
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73 risign.com/cps

]] ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
1.3.6.1.4.1.311.10.3.3
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: services.americanexpress.com
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 2D E6 45 41 B1 52 D9 55 57 04 45 DC 07 51 E5 8E -.EA.R.UW.E..Q..
0010: 5C 00 41 5F AB D5 84 A4 64 4D 55 CC 38 88 18 4E \.A_....dMU.8..N

00D0: FD E9 93 D2 6A 55 24 F3 62 BE BD 99 EE 24 53 F5 ....jU$.b....$S.
00E0: 96 E7 2E DE 3E D2 7B 1C 77 9A 45 C7 FA 68 A1 76 ....>...w.E..h.v
00F0: 67 BA EC 81 83 FF 54 E2 A4 7E 47 AD 2C 39 62 F2 g.....T...G.,9b.

]
chain [1] = [
[
Version: V3
Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus: 19420289231323388569960227299938029487260953720447310437792509462236918786001726710037662040142546936643383523519471181931421354900828966157275086870493679916429749573
public exponent: 65537
Validity: [From: Mon Feb 08 00:00:00 UTC 2010,
To: Fri Feb 07 23:59:59 UTC 2020]
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 641be820 ce020813 f32d4d2d 95d67e67]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 61 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 .a0_.].[0Y0W0U..
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0..
0020: 05 2B 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E .+..............
0030: 6B C3 CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 k...j.H.,...0%.#
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E sign.com/vslogo.
0060: 67 69 66 gif


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.verisign.com
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7F D3 65 A7 C2 DD EC BB F0 30 09 F3 43 39 FA 02 ..e......0..C9..
0010: AF 33 31 33 .313
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3-g5.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73 risign.com/cps

], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 1E 1A 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 0...https://www.
0010: 76 65 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 verisign.com/rpa

]] ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
2.16.840.1.113733.1.8.1
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=VeriSignMPKI-2-7
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D7 9B 7C D8 22 A0 15 F7 DD AD 5F CE 29 9B 58 C3 ...."....._.).X.
0010: BC 46 00 B5 .F..
]
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 71 B5 7D 73 52 4A DD D7 4D 34 2B 2E AF 94 46 A5 q..sRJ..M4+...F.
0010: 49 50 02 4F F8 2F 17 70 F2 13 DC 1F 21 86 AA C2 IP.O./.p....!...
0020: 4F 7C 37 3C D4 46 78 AE 5D 78 6F D1 BA 5A BC 10 O.7<.Fx.]xo..Z..
0030: AB 58 36 C5 8C 62 15 45 60 17 21 E2 D5 42 A8 77 .X6..b.E`.!..B.w
0040: A1 55 D8 43 04 51 F6 6E BA 48 E6 5D 4C B7 44 D3 .U.C.Q.n.H.]L.D.
0050: 3E A4 D5 D6 33 9A 9F 0D E6 D7 4E 96 44 95 5A 6C >...3.....N.D.Zl
0060: D6 A3 16 53 0E 98 43 CE A4 B8 C3 66 7A 05 5C 62 ...S..C....fz.\b
0070: 10 E8 1B 12 DB 7D 2E 76 50 FF DF D7 6B 1B CC 8A .......vP...k...
0080: CC 71 FA B3 40 56 7C 33 7A 77 94 5B F5 0B 53 FB .q..@V.3zw.[..S.
0090: 0E 5F BC 68 FB AF 2A EE 30 37 79 16 93 25 7F 4D ._.h..*.07y..%.M
00A0: 10 FF 57 FB BF 6E 3B 33 21 DE 79 DC 86 17 59 2D ..W..n;3!.y...Y-
00B0: 43 64 B7 A6 66 87 EA BC 96 46 19 1A 86 8B 6F D7 Cd..f....F....o.
00C0: B7 49 00 5B DB A3 BF 29 9A EE F7 D3 33 AE A3 F4 .I.[...)....3...
00D0: 9E 4C CA 5E 69 D4 1B AD B7 90 77 6A D8 59 6F 79 .L.^i.....wj.Yoy
00E0: AB 01 FA 55 F0 8A 21 66 E5 65 6E FD 7C D3 DF 1E ...U..!f.en.....
00F0: EB 7E 3F 06 90 FB 19 0B D3 06 02 1B 78 43 99 A8 ..?.........xC..

]
chain [2] = [
[
Version: V3
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus: 22109471102059671383796642714942393631149792360856487955190294587841800871022486252652612163196360832938367608763978013876844944237576704237206902072810376180366897841695320192789360300658269712766474225042097261456189264772686300705672328691871464945536513831768596383894122798581104077921511815271705394605095257256954381366139644740877956016759414080557948459417160074173313082409422023967584984099389949088073277478112907997447136173994433125025479812790590943737038696590266840534396683337181295383175344548120097700121250428676269067140626584500149856482388498317203907790209503513966223821253856296202557465877
public exponent: 65537
Validity: [From: Wed Nov 08 00:00:00 UTC 2006,
To: Wed Jul 16 23:59:59 UTC 2036]
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 18dad19e 267de8bb 4a2158cd cc6b3b4a]

Certificate Extensions: 4
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 61 30 5F A1 5D A0 5B 30 59 30 57 30 55 16 09 .a0_.].[0Y0W0U..
0010: 69 6D 61 67 65 2F 67 69 66 30 21 30 1F 30 07 06 image/gif0!0.0..
0020: 05 2B 0E 03 02 1A 04 14 8F E5 D3 1A 86 AC 8D 8E .+..............
0030: 6B C3 CF 80 6A D4 48 18 2C 7B 19 2E 30 25 16 23 k...j.H.,...0%.#
0040: 68 74 74 70 3A 2F 2F 6C 6F 67 6F 2E 76 65 72 69 http://logo.veri
0050: 73 69 67 6E 2E 63 6F 6D 2F 76 73 6C 6F 67 6F 2E sign.com/vslogo.
0060: 67 69 66 gif


[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7F D3 65 A7 C2 DD EC BB F0 30 09 F3 43 39 FA 02 ..e......0..C9..
0010: AF 33 31 33 .313
]
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 93 24 4A 30 5F 62 CF D8 1A 98 2F 3D EA DC 99 2D .$J0_b..../=...-

00C0: EF A5 7D 45 40 72 8E B7 0E 6B 0E 06 FB 33 35 48 ...E@r...k...35H
00D0: 71 B8 9D 27 8B C4 65 5F 0D 86 76 9C 44 7A F6 95 q..'..e_..v.Dz..
00E0: 5C F6 5D 32 08 33 A4 54 B6 18 3F 68 5C F2 42 4A \.]2.3.T..?h\.BJ
00F0: 85 38 54 83 5F D1 E8 2C F2 AC 11 D6 A8 ED 63 6A .8T._..,......cj

]
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=services.americanexpress.com, OU=Web Hosting, O=American Express Company, L=Phoenix, ST=Arizona, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 2048 bits
modulus: 30229676159696194917135440681975777728948709702479449945212097279930911021756291412408692828743836980749310830284879195994844527811837445892117218165863252223136982773
public exponent: 65537
Validity: [From: Wed Jun 26 00:00:00 UTC 2013,
To: Fri Sep 01 23:59:59 UTC 2017]
Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ 35f39c92 33cdc613 33b1d586 14e578b2]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.verisign.com
,
accessMethod: caIssuers
accessLocation: URIName: http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D7 9B 7C D8 22 A0 15 F7 DD AD 5F CE 29 9B 58 C3 ...."....._.).X.
0010: BC 46 00 B5 .F..
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73 risign.com/cps

]] ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
1.3.6.1.4.1.311.10.3.3
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: services.americanexpress.com
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 2D E6 45 41 B1 52 D9 55 57 04 45 DC 07 51 E5 8E -.EA.R.UW.E..Q..
0010: 5C 00 41 5F AB D5 84 A4 64 4D 55 CC 38 88 18 4E \.A_....dMU.8..N
0020: 1D CB 0D 88 D5 02 A5 E2 73 72 62 B3 51 49 6F 20 ........srb.QIo

00C0: B7 1E 87 B7 AE D8 AB 29 83 A5 69 00 D3 07 BE 45 .......)..i....E
00D0: FD E9 93 D2 6A 55 24 F3 62 BE BD 99 EE 24 53 F5 ....jU$.b....$S.
00E0: 96 E7 2E DE 3E D2 7B 1C 77 9A 45 C7 FA 68 A1 76 ....>...w.E..h.v
00F0: 67 BA EC 81 83 FF 54 E2 A4 7E 47 AD 2C 39 62 F2 g.....T...G.,9b.

]
[read] MD5 and SHA1 hashes: len = 4238
0000: 0B 00 10 8A 00 10 87 00 05 7A 30 82 05 76 30 82 .........z0..v0.
0010: 04 5E A0 03 02 01 02 02 10 35 F3 9C 92 33 CD C6 .^.......5...3..
0020: 13 33 B1 D5 86 14 E5 78 B2 30 0D 06 09 2A 86 48 .3.....x.0...*.H
0030: 86 F7 0D 01 01 05 05 00 30 81 BC 31 0B 30 09 06 ........0..1.0..
0040: 03 55 04 06 13 02 55 53 31 17 30 15 06 03 55 04 .U....US1.0...U.
0050: 0A 13 0E 56 65 72 69 53 69 67 6E 2C 20 49 6E 63 ...VeriSign, Inc
0060: 2E 31 1F 30 1D 06 03 55 04 0B 13 16 56 65 72 69 .1.0...U....Veri
0070: 53 69 67 6E 20 54 72 75 73 74 20 4E 65 74 77 6F Sign Trust Netwo

07A0: C4 28 C6 E3 AD 79 1F 27 10 98 B8 BB 20 97 C1 28 .(...y.'.... ..(
07B0: 44 41 0F EA A9 A8 52 CF 4D 4E 1B 8B BB B5 C4 76 DA....R.MN.....v
07C0: D9 CC 56 06 EE B3 55 20 2A DE 15 8D 71 CB 54 C8 ..V...U *...q.T.
07D0: 6F 17 CD 89 00 E4 DC FF E1 C0 1F 68 71 E9 C7 29 o..........hq..)
07E0: 2E 7E BC 3B FC E5 BB AB 26 54 8B 66 90 CD F6 92 ...;....&T.f....
07F0: B9 31 24 80 BC 9E 6C D5 FC 7E D2 E1 4B 8C DC 42 .1$...l.....K..B

1080: 54 83 5F D1 E8 2C F2 AC 11 D6 A8 ED 63 6A T._..,......cj
[Raw read]: length = 5
0000: 16 03 03 00 2E .....
[Raw read]: length = 46
0000: 0D 00 00 26 03 01 02 40 00 1E 06 01 06 02 06 03 ...&...@........
0010: 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 ................
0020: 03 03 02 01 02 02 02 03 00 00 0E 00 00 00 ..............
main, READ: TLSv1.2 Handshake, length = 46
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
[read] MD5 and SHA1 hashes: len = 42
0000: 0D 00 00 26 03 01 02 40 00 1E 06 01 06 02 06 03 ...&...@........
0010: 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 ................
0020: 03 03 02 01 02 02 02 03 00 00 ..........
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
[write] MD5 and SHA1 hashes: len = 269
0000: 0B 00 00 03 00 00 00 10 00 01 02 01 00 BE 4B B7 ..............K.

0110: 8F 98 ..
SESSION KEYGEN:
PreMaster Secret:
0000: 03 03 8D 61 C0 F9 AC 11 FA 20 C4 6D 78 C0 2E 3F ...a..... .mx..?
0010: 0A 60 C6 BA 36 C2 E6 28 AE B3 12 38 EC F0 52 E0 .`..6..(...8..R.
0020: 72 BC 31 16 34 B5 88 3C 4E BB C8 E2 50 EA 20 00 r.1.4..<N...P. .
CONNECTION KEYGEN:
Client Nonce:
0000: 57 4A 6C 81 FD 94 DA 65 99 A0 39 F6 24 81 6F 3E WJl....e..9.$.o>
0010: 6A E2 8D 8C 66 2F 7B F4 6C C0 0C 8C BB F9 D0 6A j...f/..l......j
Server Nonce:
0000: 90 E6 BB 39 B7 B1 8E 67 DA 71 65 74 25 D1 B7 CF ...9...g.qet%...
0010: ED D4 1A 6C 2B 0B 06 8C 0E 5E 25 07 3F 8D E3 6F ...l+....^%.?..o
Master Secret:
0000: 38 C7 96 B8 C2 C3 51 55 49 E2 95 C2 D8 23 28 E9 8.....QUI....#(.
0010: 9D 08 40 21 3F C6 85 E9 3E 3B B7 67 6A 76 26 7E ..@!?...>;.gjv&.
0020: 97 E6 2C 80 FF 81 C4 33 D1 9F BF 42 35 2D AB 73 ..,....3...B5-.s
Client MAC write Secret:
0000: 67 7E 5C C7 7B 2B 5F 5E 38 42 A1 21 2C FE F1 F2 g.\..+_^8B.!,...
0010: DD E4 BB 46 7D 35 BF C6 29 40 A8 8B B5 D6 DE 11 ...F.5..)@......
Server MAC write Secret:
0000: AD 34 13 00 5F 27 F1 21 AA 3B 63 75 76 1A 1A 89 .4.._'.!.;cuv...
0010: 9A CD 4D E3 1B DB 7F 83 65 1A 6A EE 0A 6F 33 86 ..M.....e.j..o3.
Client write key:
0000: E7 8D 41 0F FB 52 FF BF A1 D4 DB E8 BB 25 91 96 ..A..R.......%..
Server write key:
0000: 3E 09 29 43 AF F4 AB 98 2A C3 4D 53 B1 9D 33 5D >.)C....*.MS..3]
... no IV derived for this protocol
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 03 00 01 01 ......
*** Finished
verify_data: { 82, 58, 56, 177, 242, 110, 34, 212, 168, 243, 94, 249 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 52 3A 38 B1 F2 6E 22 D4 A8 F3 5E F9 ....R:8..n"...^.
Padded plaintext before ENCRYPTION: len = 80
0000: 8C E5 C6 F2 8F A1 37 D2 7B 43 6A 26 FD 9F 23 48 ......7..Cj&..#H
0010: 14 00 00 0C 52 3A 38 B1 F2 6E 22 D4 A8 F3 5E F9 ....R:8..n"...^.
0020: EE EF 79 2B C0 62 2A 7B C9 63 A3 71 41 F3 CE E2 ..y+.b*..c.qA...
0030: C2 6D EA 72 78 3C B5 10 FE BF D1 10 E8 A8 C1 BA .m.rx<..........
0040: 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F ................
main, WRITE: TLSv1.2 Handshake, length = 80
[Raw write]: length = 85
0000: 16 03 03 00 50 A5 DE 9B 39 37 C5 1F 81 3E E4 00 ....P...97...>..
0010: 18 C8 89 6B F3 46 9B 89 73 4A 64 20 52 0E BD 93 ...k.F..sJd R...
0020: 4D F3 AF D8 6B 90 56 60 4F 9E DE 96 06 EE 05 F3 M...k.V`O.......
0030: 32 CC 7A A6 85 C9 22 72 59 A9 05 B3 D4 A5 A9 E2 2.z..."rY.......
0040: A9 6A B5 51 49 B8 E9 DC CC 56 DB EF DB DB 06 8E .j.QI....V......
0050: 37 BB F4 48 7F 7..H.
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


Cannot figure out what this is, application was working with java1.6 but SSLPoke cannot pass both scenarios

Answer

I have found out that client also had verification. So it was 2 way authentication. Client also had to import my public cert into their keystore.