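Checking the SSL handshake with SSLPoke

Introduction

When an SSL connection fails, you sometimes need to see the handshake in detail.
This article shows how to test a connection with SSLPoke, a diagnostic Java class provided by Atlassian.

As an example, we test a connection to google.com.
To produce both a successful and a failing case, we obtain the certificates of both google.com and yahoo.com and test the connection with each.

Getting SSLPoke

Download SSLPoke.class in advance from the following site.

Atlassian Knowledge Base - Unable to connect to SSL services due to PKIX path building failure

Obtaining the certificates

Here the certificate (.crt) files are obtained with the Chrome browser.

Alternatively, they can be obtained with the OpenSSL command, as shown below.

Obtaining the certificates with the OpenSSL command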
$ openssl s_client -connect google.com:443 -showcerts

google.com

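1. First, open www.google.com in Chrome.

2. Press Ctrl+Shift+J to open Developer Tools and go to the "Security" tab.

3. Click the "View certificate" button to display the certificate, then open the "Details" tab.

4. Click "Copy to File..." and save the certificate in Base64 format.

Obtain the intermediate certificate and the root certificate in the same way.
For the intermediate certificate, for example, select it under "Certification Path" and click "View Certificate" to display it.

The certificates were saved under the following names.
Root certificate: google.root.crt
Intermediate certificate: google.intermediate.crt
Certificate: google.crt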

yahoo.com

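The steps are the same as for google.com, so they are omitted.

Creating the JKS

Once the certificates have been obtained, the next step is to create a JKS (Java KeyStore).
The keystore is generated with keytool, which ships with the JRE.

A default keystore normally exists at "[JAVA_HOME]\lib\security\cacerts",
but here a new keystore is created instead of using the default one.

google.com

Create "google.jks" as the keystore for google.com as follows.
(The commands below read the certificates from certfiles/ with a .cer extension; use the file names you actually saved.)

Creating google.jks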
$ keytool -import -file certfiles/google.cer -alias google -keystore keystores/google.jks
キーストアのパスワードを入力してください:  google
新規パスワードを再入力してください: google
所有者: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
発行者: CN=Google Internet Authority G2, O=Google Inc, C=US
シリアル番号: 4fca07b959375f08
有効期間の開始日: Wed Apr 12 22:37:30 JST 2017終了日: Wed Jul 05 22:28:00 JST 2017
証明書のフィンガプリント:
         MD5:  6C:42:45:D7:EE:2A:28:67:3E:0E:F5:8C:9F:E2:86:6E
         SHA1: 89:87:DA:CB:CE:3F:DF:4B:BB:EB:E4:01:29:6D:DF:F8:F5:49:5C:71
         SHA256: 6C:FC:1B:39:23:C0:65:3C:4F:6F:2D:4F:73:0A:57:DE:9B:22:6A:9E:94:91:C5:AE:CB:10:79:01:F2:93:9F:DC
         署名アルゴリズム名: SHA256withRSA
         バージョン: 3

拡張:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://clients1.google.com/ocsp
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://pki.google.com/GIAG2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.google.com
  DNSName: *.android.com
  DNSName: *.appengine.google.com
  DNSName: *.cloud.google.com
  DNSName: *.gcp.gvt2.com
  DNSName: *.google-analytics.com
  DNSName: *.google.ca
  DNSName: *.google.cl
  DNSName: *.google.co.in
  DNSName: *.google.co.jp
  DNSName: *.google.co.uk
  DNSName: *.google.com.ar
  DNSName: *.google.com.au
  DNSName: *.google.com.br
  DNSName: *.google.com.co
  DNSName: *.google.com.mx
  DNSName: *.google.com.tr
  DNSName: *.google.com.vn
  DNSName: *.google.de
  DNSName: *.google.es
  DNSName: *.google.fr
  DNSName: *.google.hu
  DNSName: *.google.it
  DNSName: *.google.nl
  DNSName: *.google.pl
  DNSName: *.google.pt
  DNSName: *.googleadapis.com
  DNSName: *.googleapis.cn
  DNSName: *.googlecommerce.com
  DNSName: *.googlevideo.com
  DNSName: *.gstatic.cn
  DNSName: *.gstatic.com
  DNSName: *.gvt1.com
  DNSName: *.gvt2.com
  DNSName: *.metric.gstatic.com
  DNSName: *.urchin.com
  DNSName: *.url.google.com
  DNSName: *.youtube-nocookie.com
  DNSName: *.youtube.com
  DNSName: *.youtubeeducation.com
  DNSName: *.ytimg.com
  DNSName: android.clients.google.com
  DNSName: android.com
  DNSName: developer.android.google.cn
  DNSName: developers.android.google.cn
  DNSName: g.co
  DNSName: goo.gl
  DNSName: google-analytics.com
  DNSName: google.com
  DNSName: googlecommerce.com
  DNSName: source.android.google.cn
  DNSName: urchin.com
  DNSName: www.goo.gl
  DNSName: youtu.be
  DNSName: youtube.com
  DNSName: youtubeeducation.com
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C7 C2 3E 01 A4 D3 F4 4E   DE 59 7F 98 31 7D C0 8B  ..>....N.Y..1...
0010: 88 C5 1D 9A                                        ....
]
]

この証明書を信頼しますか。 [いいえ]:  y
証明書がキーストアに追加されました

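Import the intermediate certificate and the root certificate into the same keystore in the same way.
Note that each certificate must be given a different alias.

google.jks (intermediate certificate)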
$ keytool -import -file certfiles/google.intermediate.cer -alias intermediate -keystore keystores/google.jks
google.jks (root certificate)
$ keytool -import -file certfiles/google.root.cer -alias root -keystore keystores/google.jks

yahoo.com

Create "yahoo.jks" in the same way as for google.com.
Note: a keystore password must be at least 6 characters long, so "yahooo" is used here.

Creating yahoo.jks
$ keytool -import -file certfiles/yahoo.cer -alias yahoo -keystore keystores/yahoo.jks
キーストアのパスワードを入力してください:  yahooo
新規パスワードを再入力してください: yahooo
所有者: CN=www.yahoo.com, OU=Information Technology, O=Yahoo Inc., L=Sunnyvale, ST=California, C=US
発行者: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
シリアル番号: 1c25430ed0a602e8cc3a977b0539cce5
有効期間の開始日: Sat Oct 31 09:00:00 JST 2015終了日: Tue Oct 31 08:59:59 JST 2017
証明書のフィンガプリント:
         MD5:  58:49:71:94:C6:6F:68:3E:5B:F1:A2:29:37:CC:AA:8C
         SHA1: 41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32
         SHA256: FE:37:33:E2:40:84:5F:69:C9:51:5D:3C:8B:A0:26:6B:51:FB:C7:07:A7:42:7A:43:E3:1D:E5:24:EE:C7:C3:1C
         署名アルゴリズム名: SHA256withRSA
         バージョン: 3

拡張:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ss.symcd.com
,
   accessMethod: caIssuers
   accessLocation: URIName: http://ss.symcb.com/ss.crt
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5F 60 CF 61 90 55 DF 84   43 14 8A 60 2A B2 F5 7A  _`.a.U..C..`*..z
0010: F4 43 18 EF                                        .C..
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ss.symcb.com/ss.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 17 68 74 74 70 73 3A   2F 2F 64 2E 73 79 6D 63  ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70   73                       b.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 19 1A 17 68 74 74 70   73 3A 2F 2F 64 2E 73 79  0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F   72 70 61                 mcb.com/rpa

]]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.yahoo.com
  DNSName: yahoo.com
  DNSName: hsrd.yahoo.com
  DNSName: us.yahoo.com
  DNSName: fr.yahoo.com
  DNSName: uk.yahoo.com
  DNSName: za.yahoo.com
  DNSName: ie.yahoo.com
  DNSName: it.yahoo.com
  DNSName: es.yahoo.com
  DNSName: de.yahoo.com
  DNSName: ca.yahoo.com
  DNSName: qc.yahoo.com
  DNSName: br.yahoo.com
  DNSName: ro.yahoo.com
  DNSName: se.yahoo.com
  DNSName: be.yahoo.com
  DNSName: fr-be.yahoo.com
  DNSName: ar.yahoo.com
  DNSName: mx.yahoo.com
  DNSName: cl.yahoo.com
  DNSName: co.yahoo.com
  DNSName: ve.yahoo.com
  DNSName: espanol.yahoo.com
  DNSName: pe.yahoo.com
  DNSName: in.yahoo.com
  DNSName: sg.yahoo.com
  DNSName: id.yahoo.com
  DNSName: malaysia.yahoo.com
  DNSName: ph.yahoo.com
  DNSName: vn.yahoo.com
  DNSName: maktoob.yahoo.com
  DNSName: en-maktoob.yahoo.com
  DNSName: ca.my.yahoo.com
  DNSName: gr.yahoo.com
  DNSName: att.yahoo.com
  DNSName: au.yahoo.com
  DNSName: nz.yahoo.com
  DNSName: tw.yahoo.com
  DNSName: hk.yahoo.com
  DNSName: brb.yahoo.com
  DNSName: my.yahoo.com
  DNSName: add.my.yahoo.com
  DNSName: frontier.yahoo.com
  DNSName: verizon.yahoo.com
  DNSName: ca.rogers.yahoo.com
  DNSName: fr-ca.rogers.yahoo.com
  DNSName: tatadocomo.yahoo.com
  DNSName: tikona.yahoo.com
  DNSName: ideanetsetter.yahoo.com
  DNSName: mtsindia.yahoo.com
  DNSName: smartfren.yahoo.com
  DNSName: *.att.yahoo.com
  DNSName: *.people.yahoo.com
  DNSName: *.celebrity.yahoo.com
  DNSName: *.vida-estilo.yahoo.com
  DNSName: *.style.yahoo.com
  DNSName: *.movies.yahoo.com
  DNSName: *.stars.yahoo.com
  DNSName: *.kino.yahoo.com
  DNSName: *.cine.yahoo.com
  DNSName: *.cinema.yahoo.com
  DNSName: *.celebridades.yahoo.com
  DNSName: *.live.yahoo.com
  DNSName: *.beauty.yahoo.com
]

この証明書を信頼しますか。 [いいえ]:  y
証明書がキーストアに追加されました

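Import the intermediate certificate and the root certificate in the same way.

Testing the SSL connection with SSLPoke

Everything is now prepared, so we test the SSL connection with SSLPoke.

SSLPoke tests a connection with the command below; here the option
"-Djavax.net.debug=ssl,handshake" is added so that the handshake can be seen in detail.

Also, if no keystore is specified, the default keystore mentioned earlier is used, so the trust store is specified explicitly
with the "-Djavax.net.ssl.trustStore" and "-Djavax.net.ssl.trustStorePassword" options.

Connecting to google.com with yahoo.jks

This is the failing pattern.
We try to connect to google.com using, as the trust store, a keystore that contains only the yahoo.com certificates.

Connecting to google.com with yahoo.jks
$ java -Djavax.net.ssl.trustStore=keystores/yahoo.jks -Djavax.net.ssl.trustStorePassword=yahooo -Djavax.net.debug=ssl,handshake SSLPoke google.com 443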
trustStore is: keystores\yahoo.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x513fb9743870b73440418d30930699ff
  Valid from Thu Oct 31 09:00:00 JST 2013 until Tue Oct 31 08:59:59 JST 2023

adding as trusted cert:
  Subject: CN=www.yahoo.com, OU=Information Technology, O=Yahoo Inc., L=Sunnyvale, ST=California, C=US
  Issuer:  CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Algorithm: RSA; Serial number: 0x1c25430ed0a602e8cc3a977b0539cce5
  Valid from Sat Oct 31 09:00:00 JST 2015 until Tue Oct 31 08:59:59 JST 2017

adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x18dad19e267de8bb4a2158cdcc6b3b4a
  Valid from Wed Nov 08 09:00:00 JST 2006 until Thu Jul 17 08:59:59 JST 2036

keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1493373611 bytes = { 74, 79, 25, 73, 94, 244, 238, 98, 59, 99, 58, 149, 85, 164, 25, 89, 188, 129, 239, 77, 113, 178, 53, 122, 161, 251, 246, 141 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=google.com]
***
main, WRITE: TLSv1.2 Handshake, length = 222
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1493373610 bytes = { 8, 14, 157, 199, 79, 230, 132, 127, 193, 13, 186, 62, 120, 46, 184, 133, 203, 240, 47, 208, 179, 15, 147, 194, 84, 166, 177, 251 }
Session ID:  {65, 22, 118, 24, 34, 177, 101, 173, 207, 106, 149, 43, 178, 26, 22, 115, 187, 61, 241, 194, 96, 109, 132, 37, 4, 120, 236, 153, 26, 62, 255, 89}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 3813
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun EC public key, 256 bits
  public x coord: 15857649762105096772968051547638456909892305426137858367128632380206196964288
  public y coord: 48779184071160655230510496126717706041261646117444654293733038245412446736917
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
  Validity: [From: Wed Apr 12 22:37:30 JST 2017,
               To: Wed Jul 05 22:28:00 JST 2017]
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    4fca07b9 59375f08]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://clients1.google.com/ocsp
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://pki.google.com/GIAG2.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.google.com
  DNSName: *.android.com
  DNSName: *.appengine.google.com
  DNSName: *.cloud.google.com
  DNSName: *.gcp.gvt2.com
  DNSName: *.google-analytics.com
  DNSName: *.google.ca
  DNSName: *.google.cl
  DNSName: *.google.co.in
  DNSName: *.google.co.jp
  DNSName: *.google.co.uk
  DNSName: *.google.com.ar
  DNSName: *.google.com.au
  DNSName: *.google.com.br
  DNSName: *.google.com.co
  DNSName: *.google.com.mx
  DNSName: *.google.com.tr
  DNSName: *.google.com.vn
  DNSName: *.google.de
  DNSName: *.google.es
  DNSName: *.google.fr
  DNSName: *.google.hu
  DNSName: *.google.it
  DNSName: *.google.nl
  DNSName: *.google.pl
  DNSName: *.google.pt
  DNSName: *.googleadapis.com
  DNSName: *.googleapis.cn
  DNSName: *.googlecommerce.com
  DNSName: *.googlevideo.com
  DNSName: *.gstatic.cn
  DNSName: *.gstatic.com
  DNSName: *.gvt1.com
  DNSName: *.gvt2.com
  DNSName: *.metric.gstatic.com
  DNSName: *.urchin.com
  DNSName: *.url.google.com
  DNSName: *.youtube-nocookie.com
  DNSName: *.youtube.com
  DNSName: *.youtubeeducation.com
  DNSName: *.ytimg.com
  DNSName: android.clients.google.com
  DNSName: android.com
  DNSName: developer.android.google.cn
  DNSName: developers.android.google.cn
  DNSName: g.co
  DNSName: goo.gl
  DNSName: google-analytics.com
  DNSName: google.com
  DNSName: googlecommerce.com
  DNSName: source.android.google.cn
  DNSName: urchin.com
  DNSName: www.goo.gl
  DNSName: youtu.be
  DNSName: youtube.com
  DNSName: youtubeeducation.com
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C7 C2 3E 01 A4 D3 F4 4E   DE 59 7F 98 31 7D C0 8B  ..>....N.Y..1...
0010: 88 C5 1D 9A                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 61 F7 94 99 58 C7 7A AD   99 45 F7 C9 43 0C 6E 8C  a...X.z..E..C.n.
0010: 1A D8 0C 7C 96 51 29 B8   01 1B 2D FB C4 E8 AB BA  .....Q)...-.....
0020: AC C0 B0 69 49 3A 8C 81   67 3C 3D 74 0D 0B E5 0D  ...iI:..g<=t....
0030: 98 04 32 AB 52 CA D1 1E   BD 9A 24 43 99 AB 33 B7  ..2.R.....$C..3.
0040: A3 77 1E 2B 4E FB 47 0E   F3 2E 44 58 2B 2F EE B3  .w.+N.G...DX+/..
0050: AB 9F ED E4 D6 37 9B CC   42 13 53 18 4D EB 57 29  .....7..B.S.M.W)
0060: 71 FF 2E 3D 79 28 0A C3   30 36 DF C0 A2 59 CB 4D  q..=y(..06...Y.M
0070: 69 74 A3 94 4E 64 A0 D0   B5 55 22 B2 80 3E 2F 4A  it..Nd...U"..>/J
0080: 25 15 49 57 35 3D 84 26   C6 3A F6 67 38 BE F1 49  %.IW5=.&.:.g8..I
0090: 35 01 17 D4 A7 A2 35 A3   D6 9E D8 2A 15 FD EA E5  5.....5....*....
00A0: 88 34 69 C2 D9 F6 07 9F   6C CD 7A 60 1E 28 E3 E8  .4i.....l.z`.(..
00B0: E3 3B FA 7A 19 89 BA 43   0C F9 2A C1 61 9F 80 DA  .;.z...C..*.a...
00C0: C2 0A 61 E9 C0 31 64 DC   F0 C1 3C 01 E5 83 A8 89  ..a..1d...<.....
00D0: 79 43 23 48 88 FB E6 8C   08 0E E1 1E 51 5F F1 C5  yC#H........Q_..
00E0: 11 49 C0 E6 F3 E8 2D 30   E6 8B 26 CE F9 55 83 C8  .I....-0..&..U..
00F0: F2 B2 B6 C6 E8 4E 53 D6   E6 D5 F8 B2 F8 C3 23 61  .....NS.......#a

]
chain [1] = [
[
  Version: V3
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329
  public exponent: 65537
  Validity: [From: Wed Apr 01 09:00:00 JST 2015,
               To: Mon Jan 01 08:59:59 JST 2018]
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  SerialNumber: [    023a92]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://g.symcd.com
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://g.symcb.com/crls/gtglobal.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 08 4E 04 A7 80 7F 10 16   43 5E 02 AD D7 42 80 F4  .N......C^...B..
0010: B0 8E D2 AE B3 EB 11 7D   90 84 18 7D E7 90 15 FB  ................
0020: 49 7F A8 99 05 91 BB 7A   C9 D6 3C 37 18 09 9A B6  I......z..<7....
0030: C7 92 20 07 35 33 09 E4   28 63 72 0D B4 E0 32 9C  .. .53..(cr...2.
0040: 87 98 C4 1B 76 89 67 C1   50 58 B0 13 AA 13 1A 1B  ....v.g.PX......
0050: 32 A5 BE EA 11 95 4C 48   63 49 E9 99 5D 20 37 CC  2.....LHcI..] 7.
0060: FE 2A 69 51 16 95 4B A9   DE 49 82 C0 10 70 F4 2C  .*iQ..K..I...p.,
0070: F3 EC BC 24 24 D0 4E AC   A5 D9 5E 1E 6D 92 C1 A7  ...$$.N...^.m...
0080: AC 48 35 81 F9 E5 E4 9C   65 69 CD 87 A4 41 50 3F  .H5.....ei...AP?
0090: 2E 57 A5 91 51 12 58 0E   8C 09 A1 AC 7A A4 12 A5  .W..Q.X.....z...
00A0: 27 F3 9A 10 97 7D 55 03   06 F7 66 58 5F 5F 64 E1  '.....U...fX__d.
00B0: AB 5D 6D A5 39 48 75 98   4C 29 5A 3A 8D D3 2B CA  .]m.9Hu.L)Z:..+.
00C0: 9C 55 04 BF F4 E6 14 D5   80 AC 26 ED 17 89 A6 93  .U........&.....
00D0: 6C 5C A4 CC B8 F0 66 8E   64 E3 7D 9A E2 00 B3 49  l\....f.d......I
00E0: C7 E4 0A AA DD 5B 83 C7   70 90 46 4E BE D0 DB 59  .....[..p.FN...Y
00F0: 96 6C 2E F5 16 36 DE 71   CC 01 C2 12 C1 21 C6 16  .l...6.q.....!..

]
chain [2] = [
[
  Version: V3
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953
  public exponent: 65537
  Validity: [From: Tue May 21 13:00:00 JST 2002,
               To: Tue Aug 21 13:00:00 JST 2018]
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  SerialNumber: [    12bbe6]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95   D7 47 D8 23 20 10 4F 33  H.h.+....G.# .O3
0010: 98 90 9F D4                                        ....
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.geotrust.com/crls/secureca.crl]
]]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2D 68 74 74 70 73 3A   2F 2F 77 77 77 2E 67 65  .-https://www.ge
0010: 6F 74 72 75 73 74 2E 63   6F 6D 2F 72 65 73 6F 75  otrust.com/resou
0020: 72 63 65 73 2F 72 65 70   6F 73 69 74 6F 72 79     rces/repository

]]  ]
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 76 E1 12 6E 4E 4B 16 12   86 30 06 B2 81 08 CF F0  v..nNK...0......
0010: 08 C7 C7 71 7E 66 EE C2   ED D4 3B 1F FF F0 F0 C8  ...q.f....;.....
0020: 4E D6 43 38 B0 B9 30 7D   18 D0 55 83 A2 6A CB 36  N.C8..0...U..j.6
0030: 11 9C E8 48 66 A3 6D 7F   B8 13 D4 47 FE 8B 5A 5C  ...Hf.m....G..Z\
0040: 73 FC AE D9 1B 32 19 38   AB 97 34 14 AA 96 D2 EB  s....2.8..4.....
0050: A3 1C 14 08 49 B6 BB E5   91 EF 83 36 EB 1D 56 6F  ....I......6..Vo
0060: CA DA BC 73 63 90 E4 7F   7B 3E 22 CB 3D 07 ED 5F  ...sc....>".=.._
0070: 38 74 9C E3 03 50 4E A1   AF 98 EE 61 F2 84 3F 12  8t...PN....a..?.

]
***
%% Invalidated:  [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        at sun.security.ssl.AppOutputStream.write(Unknown Source)
        at sun.security.ssl.AppOutputStream.write(Unknown Source)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 16 more

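The output contains the following line:
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
The client sends this alert because none of the three certificates that google.com presents (chain [0] to chain [2]) is in yahoo.jks or was issued by a certificate in it, which is what the "PKIX path building failed" exception reports.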
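As an added example (not part of the original article and not code from SSLPoke or Atlassian), the following Python script parses javax.net.debug output of the kind shown above and reports where, if anywhere, the server chain touches the trust store. The function names and the matching heuristic are assumptions of this example, and the sample input is the failing run above condensed to the lines the parser reads.

```python
import re

# Constructed sample: the yahoo.jks run from this page, condensed to the
# lines the parser reads (extensions, keys and signatures dropped).
FAILING_RUN = r'''adding as trusted cert:
  Subject: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x513fb9743870b73440418d30930699ff
adding as trusted cert:
  Subject: CN=www.yahoo.com, OU=Information Technology, O=Yahoo Inc., L=Sunnyvale, ST=California, C=US
  Issuer:  CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Algorithm: RSA; Serial number: 0x1c25430ed0a602e8cc3a977b0539cce5
adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer:  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x18dad19e267de8bb4a2158cdcc6b3b4a
*** Certificate chain
chain [0] = [
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    4fca07b9 59375f08]
chain [1] = [
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  SerialNumber: [    023a92]
chain [2] = [
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  SerialNumber: [    12bbe6]
***
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
'''

SERIAL_TRUSTED = re.compile(r"Serial number: 0x([0-9a-fA-F]+)")
SERIAL_CHAIN = re.compile(r"SerialNumber: \[([0-9a-fA-F\s]+)\]")
# Only the alert form that appears in the output on this page is parsed.
ALERT = re.compile(r"SEND (\S+) ALERT:\s+(\w+), description = (\w+)")


def parse_debug_log(text):
    """Return (trusted, chain, alerts) parsed from javax.net.debug output."""
    trusted, chain, alerts = [], [], []
    cert = None  # certificate record currently being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if line == "adding as trusted cert:" or re.match(r"chain \[\d+\] = \[", line):
            cert = {"subject": None, "issuer": None, "serial": None}
            (trusted if line.startswith("adding") else chain).append(cert)
            continue
        alert = ALERT.search(line)
        if alert:
            alerts.append(alert.groups())
        if cert is None:
            continue
        serial = SERIAL_TRUSTED.search(line) or SERIAL_CHAIN.search(line)
        # Each field is taken once per block, so later look-alike lines are ignored.
        if line.startswith("Subject:") and cert["subject"] is None:
            cert["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and cert["issuer"] is None:
            cert["issuer"] = line.split(":", 1)[1].strip()
        elif serial and cert["serial"] is None:
            # int() makes "0x23a92" and "[    023a92]" compare equal.
            cert["serial"] = int(re.sub(r"\s", "", serial.group(1)), 16)
    return trusted, chain, alerts


def diagnose(text):
    """Triage heuristic (not the JDK's PKIX algorithm): match chain certificates
    to trust-store entries by (issuer DN, serial) and issuers by subject DN."""
    trusted, chain, alerts = parse_debug_log(text)
    pinned = {(c["issuer"], c["serial"]) for c in trusted}
    subjects = {c["subject"] for c in trusted}
    anchor = None
    for i, c in enumerate(chain):
        if (c["issuer"], c["serial"]) in pinned:
            anchor = (i, "certificate is in the trust store")
            break
        if c["issuer"] in subjects:
            anchor = (i, "issuer is in the trust store")
            break
    return {
        "trusted": [c["subject"] for c in trusted],
        "chain": [c["subject"] for c in chain],
        "alerts": alerts,
        "pkix_failure": "PKIX path building failed" in text,
        "anchor": anchor,
    }


if __name__ == "__main__":
    report = diagnose(FAILING_RUN)
    print("trust store:", *report["trusted"], sep="\n  ")
    print("server chain:", *report["chain"], sep="\n  ")
    print("alerts:", report["alerts"])
    print("link to trust store:", report["anchor"] or "none")
```

A name match on the issuer only narrows down where to look; the signature check itself is still done by the JVM.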

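Connecting to google.com with google.jks

This is the successful pattern.
We try to connect to google.com using, as the trust store, a keystore that contains only the google.com certificates.

Connecting to google.com with google.jks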
$ java -Djavax.net.ssl.trustStore=keystores/google.jks -Djavax.net.ssl.trustStorePassword=google -Djavax.net.debug=ssl,handshake SSLPoke google.com 443
trustStore is: keystores\google.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x23a92
  Valid from Wed Apr 01 09:00:00 JST 2015 until Mon Jan 01 08:59:59 JST 2018

adding as trusted cert:
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x23456
  Valid from Tue May 21 13:00:00 JST 2002 until Sat May 21 13:00:00 JST 2022

adding as trusted cert:
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Issuer:  CN=Google Internet Authority G2, O=Google Inc, C=US
  Algorithm: EC; Serial number: 0x4fca07b959375f08
  Valid from Wed Apr 12 22:37:30 JST 2017 until Wed Jul 05 22:28:00 JST 2017

keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1493373667 bytes = { 211, 165, 121, 86, 252, 7, 118, 68, 9, 16, 158, 80, 244, 116, 50, 132, 235, 3, 124, 174, 182, 254, 206, 181, 73, 78, 152, 136 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=google.com]
***
main, WRITE: TLSv1.2 Handshake, length = 222
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1493373666 bytes = { 68, 62, 71, 118, 84, 161, 72, 22, 187, 65, 171, 73, 117, 199, 49, 63, 110, 111, 166, 227, 204, 226, 126, 51, 208, 35, 189, 219 }
Session ID:  {141, 9, 13, 140, 215, 84, 61, 114, 50, 35, 232, 75, 135, 15, 200, 152, 230, 8, 26, 30, 44, 8, 147, 22, 133, 34, 128, 236, 3, 157, 131, 185}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 3813
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun EC public key, 256 bits
  public x coord: 15857649762105096772968051547638456909892305426137858367128632380206196964288
  public y coord: 48779184071160655230510496126717706041261646117444654293733038245412446736917
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
  Validity: [From: Wed Apr 12 22:37:30 JST 2017,
               To: Wed Jul 05 22:28:00 JST 2017]
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    4fca07b9 59375f08]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://clients1.google.com/ocsp
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://pki.google.com/GIAG2.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.google.com
  DNSName: *.android.com
  DNSName: *.appengine.google.com
  DNSName: *.cloud.google.com
  DNSName: *.gcp.gvt2.com
  DNSName: *.google-analytics.com
  DNSName: *.google.ca
  DNSName: *.google.cl
  DNSName: *.google.co.in
  DNSName: *.google.co.jp
  DNSName: *.google.co.uk
  DNSName: *.google.com.ar
  DNSName: *.google.com.au
  DNSName: *.google.com.br
  DNSName: *.google.com.co
  DNSName: *.google.com.mx
  DNSName: *.google.com.tr
  DNSName: *.google.com.vn
  DNSName: *.google.de
  DNSName: *.google.es
  DNSName: *.google.fr
  DNSName: *.google.hu
  DNSName: *.google.it
  DNSName: *.google.nl
  DNSName: *.google.pl
  DNSName: *.google.pt
  DNSName: *.googleadapis.com
  DNSName: *.googleapis.cn
  DNSName: *.googlecommerce.com
  DNSName: *.googlevideo.com
  DNSName: *.gstatic.cn
  DNSName: *.gstatic.com
  DNSName: *.gvt1.com
  DNSName: *.gvt2.com
  DNSName: *.metric.gstatic.com
  DNSName: *.urchin.com
  DNSName: *.url.google.com
  DNSName: *.youtube-nocookie.com
  DNSName: *.youtube.com
  DNSName: *.youtubeeducation.com
  DNSName: *.ytimg.com
  DNSName: android.clients.google.com
  DNSName: android.com
  DNSName: developer.android.google.cn
  DNSName: developers.android.google.cn
  DNSName: g.co
  DNSName: goo.gl
  DNSName: google-analytics.com
  DNSName: google.com
  DNSName: googlecommerce.com
  DNSName: source.android.google.cn
  DNSName: urchin.com
  DNSName: www.goo.gl
  DNSName: youtu.be
  DNSName: youtube.com
  DNSName: youtubeeducation.com
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C7 C2 3E 01 A4 D3 F4 4E   DE 59 7F 98 31 7D C0 8B  ..>....N.Y..1...
0010: 88 C5 1D 9A                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 61 F7 94 99 58 C7 7A AD   99 45 F7 C9 43 0C 6E 8C  a...X.z..E..C.n.
0010: 1A D8 0C 7C 96 51 29 B8   01 1B 2D FB C4 E8 AB BA  .....Q)...-.....
0020: AC C0 B0 69 49 3A 8C 81   67 3C 3D 74 0D 0B E5 0D  ...iI:..g<=t....
0030: 98 04 32 AB 52 CA D1 1E   BD 9A 24 43 99 AB 33 B7  ..2.R.....$C..3.
0040: A3 77 1E 2B 4E FB 47 0E   F3 2E 44 58 2B 2F EE B3  .w.+N.G...DX+/..
0050: AB 9F ED E4 D6 37 9B CC   42 13 53 18 4D EB 57 29  .....7..B.S.M.W)
0060: 71 FF 2E 3D 79 28 0A C3   30 36 DF C0 A2 59 CB 4D  q..=y(..06...Y.M
0070: 69 74 A3 94 4E 64 A0 D0   B5 55 22 B2 80 3E 2F 4A  it..Nd...U"..>/J
0080: 25 15 49 57 35 3D 84 26   C6 3A F6 67 38 BE F1 49  %.IW5=.&.:.g8..I
0090: 35 01 17 D4 A7 A2 35 A3   D6 9E D8 2A 15 FD EA E5  5.....5....*....
00A0: 88 34 69 C2 D9 F6 07 9F   6C CD 7A 60 1E 28 E3 E8  .4i.....l.z`.(..
00B0: E3 3B FA 7A 19 89 BA 43   0C F9 2A C1 61 9F 80 DA  .;.z...C..*.a...
00C0: C2 0A 61 E9 C0 31 64 DC   F0 C1 3C 01 E5 83 A8 89  ..a..1d...<.....
00D0: 79 43 23 48 88 FB E6 8C   08 0E E1 1E 51 5F F1 C5  yC#H........Q_..
00E0: 11 49 C0 E6 F3 E8 2D 30   E6 8B 26 CE F9 55 83 C8  .I....-0..&..U..
00F0: F2 B2 B6 C6 E8 4E 53 D6   E6 D5 F8 B2 F8 C3 23 61  .....NS.......#a

]
chain [1] = [
[
  Version: V3
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329
  public exponent: 65537
  Validity: [From: Wed Apr 01 09:00:00 JST 2015,
               To: Mon Jan 01 08:59:59 JST 2018]
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  SerialNumber: [    023a92]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://g.symcd.com
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://g.symcb.com/crls/gtglobal.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 08 4E 04 A7 80 7F 10 16   43 5E 02 AD D7 42 80 F4  .N......C^...B..
0010: B0 8E D2 AE B3 EB 11 7D   90 84 18 7D E7 90 15 FB  ................
0020: 49 7F A8 99 05 91 BB 7A   C9 D6 3C 37 18 09 9A B6  I......z..<7....
0030: C7 92 20 07 35 33 09 E4   28 63 72 0D B4 E0 32 9C  .. .53..(cr...2.
0040: 87 98 C4 1B 76 89 67 C1   50 58 B0 13 AA 13 1A 1B  ....v.g.PX......
0050: 32 A5 BE EA 11 95 4C 48   63 49 E9 99 5D 20 37 CC  2.....LHcI..] 7.
0060: FE 2A 69 51 16 95 4B A9   DE 49 82 C0 10 70 F4 2C  .*iQ..K..I...p.,
0070: F3 EC BC 24 24 D0 4E AC   A5 D9 5E 1E 6D 92 C1 A7  ...$$.N...^.m...
0080: AC 48 35 81 F9 E5 E4 9C   65 69 CD 87 A4 41 50 3F  .H5.....ei...AP?
0090: 2E 57 A5 91 51 12 58 0E   8C 09 A1 AC 7A A4 12 A5  .W..Q.X.....z...
00A0: 27 F3 9A 10 97 7D 55 03   06 F7 66 58 5F 5F 64 E1  '.....U...fX__d.
00B0: AB 5D 6D A5 39 48 75 98   4C 29 5A 3A 8D D3 2B CA  .]m.9Hu.L)Z:..+.
00C0: 9C 55 04 BF F4 E6 14 D5   80 AC 26 ED 17 89 A6 93  .U........&.....
00D0: 6C 5C A4 CC B8 F0 66 8E   64 E3 7D 9A E2 00 B3 49  l\....f.d......I
00E0: C7 E4 0A AA DD 5B 83 C7   70 90 46 4E BE D0 DB 59  .....[..p.FN...Y
00F0: 96 6C 2E F5 16 36 DE 71   CC 01 C2 12 C1 21 C6 16  .l...6.q.....!..

]
chain [2] = [
[
  Version: V3
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953
  public exponent: 65537
  Validity: [From: Tue May 21 13:00:00 JST 2002,
               To: Tue Aug 21 13:00:00 JST 2018]
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  SerialNumber: [    12bbe6]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95   D7 47 D8 23 20 10 4F 33  H.h.+....G.# .O3
0010: 98 90 9F D4                                        ....
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.geotrust.com/crls/secureca.crl]
]]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2D 68 74 74 70 73 3A   2F 2F 77 77 77 2E 67 65  .-https://www.ge
0010: 6F 74 72 75 73 74 2E 63   6F 6D 2F 72 65 73 6F 75  otrust.com/resou
0020: 72 63 65 73 2F 72 65 70   6F 73 69 74 6F 72 79     rces/repository

]]  ]
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB   05 64 0C 11 7D AA 7D 65  .z.h.....d.....e
0010: B8 CA CC 4E                                        ...N
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 76 E1 12 6E 4E 4B 16 12   86 30 06 B2 81 08 CF F0  v..nNK...0......
0010: 08 C7 C7 71 7E 66 EE C2   ED D4 3B 1F FF F0 F0 C8  ...q.f....;.....
0020: 4E D6 43 38 B0 B9 30 7D   18 D0 55 83 A2 6A CB 36  N.C8..0...U..j.6
0030: 11 9C E8 48 66 A3 6D 7F   B8 13 D4 47 FE 8B 5A 5C  ...Hf.m....G..Z\
0040: 73 FC AE D9 1B 32 19 38   AB 97 34 14 AA 96 D2 EB  s....2.8..4.....
0050: A3 1C 14 08 49 B6 BB E5   91 EF 83 36 EB 1D 56 6F  ....I......6..Vo
0060: CA DA BC 73 63 90 E4 7F   7B 3E 22 CB 3D 07 ED 5F  ...sc....>".=.._
0070: 38 74 9C E3 03 50 4E A1   AF 98 EE 61 F2 84 3F 12  8t...PN....a..?.

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun EC public key, 256 bits
  public x coord: 15857649762105096772968051547638456909892305426137858367128632380206196964288
  public y coord: 48779184071160655230510496126717706041261646117444654293733038245412446736917
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
  Validity: [From: Wed Apr 12 22:37:30 JST 2017,
               To: Wed Jul 05 22:28:00 JST 2017]
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    4fca07b9 59375f08]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://clients1.google.com/ocsp
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68   B5 76 F5 81 B6 BB 62 1A  J......h.v....b.
0010: BA 5A 81 2F                                        .Z./
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://pki.google.com/GIAG2.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.google.com
  DNSName: *.android.com
  DNSName: *.appengine.google.com
  DNSName: *.cloud.google.com
  DNSName: *.gcp.gvt2.com
  DNSName: *.google-analytics.com
  DNSName: *.google.ca
  DNSName: *.google.cl
  DNSName: *.google.co.in
  DNSName: *.google.co.jp
  DNSName: *.google.co.uk
  DNSName: *.google.com.ar
  DNSName: *.google.com.au
  DNSName: *.google.com.br
  DNSName: *.google.com.co
  DNSName: *.google.com.mx
  DNSName: *.google.com.tr
  DNSName: *.google.com.vn
  DNSName: *.google.de
  DNSName: *.google.es
  DNSName: *.google.fr
  DNSName: *.google.hu
  DNSName: *.google.it
  DNSName: *.google.nl
  DNSName: *.google.pl
  DNSName: *.google.pt
  DNSName: *.googleadapis.com
  DNSName: *.googleapis.cn
  DNSName: *.googlecommerce.com
  DNSName: *.googlevideo.com
  DNSName: *.gstatic.cn
  DNSName: *.gstatic.com
  DNSName: *.gvt1.com
  DNSName: *.gvt2.com
  DNSName: *.metric.gstatic.com
  DNSName: *.urchin.com
  DNSName: *.url.google.com
  DNSName: *.youtube-nocookie.com
  DNSName: *.youtube.com
  DNSName: *.youtubeeducation.com
  DNSName: *.ytimg.com
  DNSName: android.clients.google.com
  DNSName: android.com
  DNSName: developer.android.google.cn
  DNSName: developers.android.google.cn
  DNSName: g.co
  DNSName: goo.gl
  DNSName: google-analytics.com
  DNSName: google.com
  DNSName: googlecommerce.com
  DNSName: source.android.google.cn
  DNSName: urchin.com
  DNSName: www.goo.gl
  DNSName: youtu.be
  DNSName: youtube.com
  DNSName: youtubeeducation.com
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C7 C2 3E 01 A4 D3 F4 4E   DE 59 7F 98 31 7D C0 8B  ..>....N.Y..1...
0010: 88 C5 1D 9A                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 61 F7 94 99 58 C7 7A AD   99 45 F7 C9 43 0C 6E 8C  a...X.z..E..C.n.
0010: 1A D8 0C 7C 96 51 29 B8   01 1B 2D FB C4 E8 AB BA  .....Q)...-.....
0020: AC C0 B0 69 49 3A 8C 81   67 3C 3D 74 0D 0B E5 0D  ...iI:..g<=t....
0030: 98 04 32 AB 52 CA D1 1E   BD 9A 24 43 99 AB 33 B7  ..2.R.....$C..3.
0040: A3 77 1E 2B 4E FB 47 0E   F3 2E 44 58 2B 2F EE B3  .w.+N.G...DX+/..
0050: AB 9F ED E4 D6 37 9B CC   42 13 53 18 4D EB 57 29  .....7..B.S.M.W)
0060: 71 FF 2E 3D 79 28 0A C3   30 36 DF C0 A2 59 CB 4D  q..=y(..06...Y.M
0070: 69 74 A3 94 4E 64 A0 D0   B5 55 22 B2 80 3E 2F 4A  it..Nd...U"..>/J
0080: 25 15 49 57 35 3D 84 26   C6 3A F6 67 38 BE F1 49  %.IW5=.&.:.g8..I
0090: 35 01 17 D4 A7 A2 35 A3   D6 9E D8 2A 15 FD EA E5  5.....5....*....
00A0: 88 34 69 C2 D9 F6 07 9F   6C CD 7A 60 1E 28 E3 E8  .4i.....l.z`.(..
00B0: E3 3B FA 7A 19 89 BA 43   0C F9 2A C1 61 9F 80 DA  .;.z...C..*.a...
00C0: C2 0A 61 E9 C0 31 64 DC   F0 C1 3C 01 E5 83 A8 89  ..a..1d...<.....
00D0: 79 43 23 48 88 FB E6 8C   08 0E E1 1E 51 5F F1 C5  yC#H........Q_..
00E0: 11 49 C0 E6 F3 E8 2D 30   E6 8B 26 CE F9 55 83 C8  .I....-0..&..U..
00F0: F2 B2 B6 C6 E8 4E 53 D6   E6 D5 F8 B2 F8 C3 23 61  .....NS.......#a

]
main, READ: TLSv1.2 Handshake, length = 148
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withECDSA
Server key: Sun EC public key, 256 bits
  public x coord: 115756770858964201123508282005285098276280732187879456334366788861687300357561
  public y coord: 110353450491050068374662283797391955503928196866475776828795242660392251194224
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 102, 16, 232, 95, 167, 218, 53, 177, 237, 93, 245, 96, 45, 22, 128, 103, 51, 27, 241, 225, 92, 68, 168, 164, 61, 229, 90, 224, 170, 94, 68, 26, 134, 158, 1, 78, 48, 106, 73, 192, 50, 212, 221, 185, 2, 236, 60, 27, 155, 31, 97, 14, 172, 185, 8, 39, 226, 197, 109, 10, 88, 187, 197, 78 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 32 88 BD EA 48 29 4F D3   29 4D A5 3E E9 C8 92 9C  2...H)O.)M.>....
0010: E5 C9 FC 2D B7 8B 6C 74   60 0B F3 BB 2A 91 FD 08  ...-..lt`...*...
CONNECTION KEYGEN:
Client Nonce:
0000: 59 03 13 E3 D3 A5 79 56   FC 07 76 44 09 10 9E 50  Y.....yV..vD...P
0010: F4 74 32 84 EB 03 7C AE   B6 FE CE B5 49 4E 98 88  .t2.........IN..
Server Nonce:
0000: 59 03 13 E2 44 3E 47 76   54 A1 48 16 BB 41 AB 49  Y...D>GvT.H..A.I
0010: 75 C7 31 3F 6E 6F A6 E3   CC E2 7E 33 D0 23 BD DB  u.1?no.....3.#..
Master Secret:
0000: D5 66 F7 91 0F 75 F3 1E   2E 08 F6 14 8F 44 27 6F  .f...u.......D'o
0010: 2C C1 A2 72 10 10 72 64   E6 9C E0 1A E4 57 EB 4A  ,..r..rd.....W.J
0020: 2C AF 60 A9 8D A8 C4 A8   75 7D 87 77 5A 22 AB 23  ,.`.....u..wZ".#
... no MAC keys used for this cipher
Client write key:
0000: D7 F8 D2 DC FD 2A F5 9B   1B B8 47 68 63 E1 41 75  .....*....Ghc.Au
Server write key:
0000: 59 80 39 DA 17 09 04 69   0A 80 C3 4C 50 2A AF 8C  Y.9....i...LP*..
Client write IV:
0000: 79 2D 4F 89                                        y-O.
Server write IV:
0000: E0 94 B0 12                                        ....
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 107, 89, 71, 14, 131, 49, 61, 251, 37, 136, 64, 119 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data:  { 46, 135, 143, 56, 123, 58, 143, 124, 90, 252, 201, 121 }
***
%% Cached client session: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 25
Successfully connected

The connection succeeded without any problems.
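As an added example (not part of the original article or of SSLPoke), the Python script below reads JSSE debug output in the format shown above and reports which certificate the handshake treated as trusted and how the server's chain relates to the keystore. The names `parse_handshake`, `trust_summary` and `_ident` and the trimmed sample log are constructed for illustration; certificates are compared by subject DN and serial number only, which is an approximation.

```python
import re

# Constructed sample: trimmed excerpt in the format of the debug output above.
SAMPLE_LOG = """\
adding as trusted cert:
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x23456
adding as trusted cert:
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Issuer:  CN=Google Internet Authority G2, O=Google Inc, C=US
  Algorithm: EC; Serial number: 0x4fca07b959375f08
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
chain [0] = [
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    4fca07b9 59375f08]
chain [1] = [
  Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  SerialNumber: [    023a92]
chain [2] = [
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  SerialNumber: [    12bbe6]
Found trusted certificate:
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
  SerialNumber: [    4fca07b9 59375f08]
"""

FIELD = re.compile(r"(Subject|Issuer):\s*(.+)")
SERIAL = re.compile(r"Serial ?[Nn]umber: (?:0x|\[)\s*([0-9a-fA-F ]+)")


def parse_handshake(log):
    """Collect keystore entries, the server chain and the reported trust anchor."""
    out = {"trusted": [], "chain": [], "anchor": None, "cipher": None}
    cert = None  # certificate block whose Subject/Issuer/serial lines follow
    for line in map(str.strip, log.splitlines()):
        if line == "adding as trusted cert:":
            out["trusted"].append(cert := {})
        elif re.match(r"chain \[\d+\] = \[", line):
            out["chain"].append(cert := {})
        elif line == "Found trusted certificate:":
            cert = out["anchor"] = {}
        elif line.startswith("Cipher Suite:"):  # ServerHello's choice, not the ClientHello list
            out["cipher"] = line.split(":", 1)[1].strip()
        elif cert is not None:
            field, serial = FIELD.match(line), SERIAL.search(line)
            if field:
                cert.setdefault(field.group(1).lower(), field.group(2))
            elif serial:
                cert.setdefault("serial", int(serial.group(1).replace(" ", ""), 16))
    return out


def _ident(cert):
    return (cert.get("subject"), cert.get("serial"))


def trust_summary(parsed):
    """Report where trust ended and which chain certs only share a DN with the keystore."""
    store = {_ident(c) for c in parsed["trusted"]}
    chain, anchor = parsed["chain"], parsed["anchor"]
    idx = next((i for i, c in enumerate(chain)
                if anchor and _ident(c) == _ident(anchor)), None)
    return {
        "cipher": parsed["cipher"],
        "anchor_index": idx,  # 0 means the leaf itself was the trusted certificate
        "chain_linked": all(a.get("issuer") == b.get("subject")
                            for a, b in zip(chain, chain[1:])),
        "same_dn_other_cert": [c["subject"] for c in chain if _ident(c) not in store
                               and c.get("subject") in {s for s, _ in store}],
    }
```

For the log above, `anchor_index` is 0: the certificate reported under "Found trusted certificate" is the `*.google.com` leaf that was imported into the keystore, not a CA above it. The GeoTrust Global CA certificate the server sent (serial 12bbe6, issued by Equifax) shares its subject with the keystore entry (serial 0x23456) but is a different certificate.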

Summary

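SSL connections that use a JKS keystore cause trouble more often than you might expect,
so examining the output down to the handshake level helps reveal the path to a fix.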