はじめに
SSL接続がうまく行かないときなど、細かいhandshakeの内容を知りたい場合があります。
ここではAtlassianが提供している診断用のJavaクラス「SSLPoke」を利用した接続検証方法を紹介します。
ここでは、例としてgoogle.comへの接続を検証します。
また、成功例と失敗例の検証の為にgoogle.comとyahoo.comの両方の証明書を取得して接続検証を行います。
SSLPokeの取得
以下のサイトからSSLPoke.classを事前に入手しておきます。
アトラシアン ナレッジベース - PKIX パスの構築の失敗により SSL サービスに接続できない
証明書の取得
ここでは、証明書(.crt)ファイルをChromeブラウザを利用して取得します。
なお、以下のようにOpenSSLコマンドを利用して取得しても問題ありません。
OpenSSLコマンドでの取得
$ openssl s_client -connect google.com:443 -showcerts
google.com
1.まずはChromeでwww.google.comへアクセスします。
2.「Ctrl+Shift+J」で「デベロッパーツール」を開き、「Security」タブに移動します。
3.「View certificate」ボタンをクリックして証明書を表示し、「詳細」タブを開きます。
4.「ファイルにコピー(C)...」をクリックして、Base64形式で証明書を保存します。
また、同様にして中間証明書とルート証明書も取得します。
例えば中間証明書であれば「証明のパス」から中間証明書を選択して「証明書の表示」で表示できます。
それぞれ、以下の名前で保存しました。
ルート証明書:google.root.crt
中間証明書:google.intermediate.crt
証明書:google.crt
yahoo.com
google.comの場合と同じなので、省略します。
JKSの作成
証明書が取得できたら、今度はJKS(Java KeyStore)を作成します。
キーストアの生成はJREに付属しているkeytoolを利用して生成します。
通常JKSはデフォルトのキーストアとして「[JAVA_HOME]\lib\security\cacerts」が存在していますが、
ここではデフォルトのキーストアは利用せずに新規にキーストアを作成します。
google.com
google.com用のキーストアとして以下のように「google.jks」を作成します。
google.jksの作成
$ keytool -import -file certfiles/google.cer -alias google -keystore keystores/google.jks
キーストアのパスワードを入力してください: google
新規パスワードを再入力してください: google
所有者: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
発行者: CN=Google Internet Authority G2, O=Google Inc, C=US
シリアル番号: 4fca07b959375f08
有効期間の開始日: Wed Apr 12 22:37:30 JST 2017終了日: Wed Jul 05 22:28:00 JST 2017
証明書のフィンガプリント:
MD5: 6C:42:45:D7:EE:2A:28:67:3E:0E:F5:8C:9F:E2:86:6E
SHA1: 89:87:DA:CB:CE:3F:DF:4B:BB:EB:E4:01:29:6D:DF:F8:F5:49:5C:71
SHA256: 6C:FC:1B:39:23:C0:65:3C:4F:6F:2D:4F:73:0A:57:DE:9B:22:6A:9E:94:91:C5:AE:CB:10:79:01:F2:93:9F:DC
署名アルゴリズム名: SHA256withRSA
バージョン: 3
拡張:
# 1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://clients1.google.com/ocsp
]
]
# 2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
# 3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
# 4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://pki.google.com/GIAG2.crl]
]]
# 5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
# 6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
# 7: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
]
# 8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.google.com
DNSName: *.android.com
DNSName: *.appengine.google.com
DNSName: *.cloud.google.com
DNSName: *.gcp.gvt2.com
DNSName: *.google-analytics.com
DNSName: *.google.ca
DNSName: *.google.cl
DNSName: *.google.co.in
DNSName: *.google.co.jp
DNSName: *.google.co.uk
DNSName: *.google.com.ar
DNSName: *.google.com.au
DNSName: *.google.com.br
DNSName: *.google.com.co
DNSName: *.google.com.mx
DNSName: *.google.com.tr
DNSName: *.google.com.vn
DNSName: *.google.de
DNSName: *.google.es
DNSName: *.google.fr
DNSName: *.google.hu
DNSName: *.google.it
DNSName: *.google.nl
DNSName: *.google.pl
DNSName: *.google.pt
DNSName: *.googleadapis.com
DNSName: *.googleapis.cn
DNSName: *.googlecommerce.com
DNSName: *.googlevideo.com
DNSName: *.gstatic.cn
DNSName: *.gstatic.com
DNSName: *.gvt1.com
DNSName: *.gvt2.com
DNSName: *.metric.gstatic.com
DNSName: *.urchin.com
DNSName: *.url.google.com
DNSName: *.youtube-nocookie.com
DNSName: *.youtube.com
DNSName: *.youtubeeducation.com
DNSName: *.ytimg.com
DNSName: android.clients.google.com
DNSName: android.com
DNSName: developer.android.google.cn
DNSName: developers.android.google.cn
DNSName: g.co
DNSName: goo.gl
DNSName: google-analytics.com
DNSName: google.com
DNSName: googlecommerce.com
DNSName: source.android.google.cn
DNSName: urchin.com
DNSName: www.goo.gl
DNSName: youtu.be
DNSName: youtube.com
DNSName: youtubeeducation.com
]
# 9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C7 C2 3E 01 A4 D3 F4 4E DE 59 7F 98 31 7D C0 8B ..>....N.Y..1...
0010: 88 C5 1D 9A ....
]
]
この証明書を信頼しますか。 [いいえ]: y
証明書がキーストアに追加されました
同様にして同じキーストアに「中間証明書」、「ルート証明書」もインポートします。
注意点として、alias名はそれぞれ違う名前を指定する必要があります。
google.jks(中間証明書)
$ keytool -import -file certfiles/google.intermediate.cer -alias intermediate -keystore keystores/google.jks
google.jks(ルート証明書)
$ keytool -import -file certfiles/google.root.cer -alias root -keystore keystores/google.jks
yahoo.com
google.comと同様に「yahoo.jks」を作成します。
※キーストアのパスワードは最低6文字が必要なので"yahooo"にしています。
yahoo.jksの作成
$ keytool -import -file certfiles/yahoo.cer -alias yahoo -keystore keystores/yahoo.jks
キーストアのパスワードを入力してください: yahooo
新規パスワードを再入力してください: yahooo
所有者: CN=www.yahoo.com, OU=Information Technology, O=Yahoo Inc., L=Sunnyvale, ST=California, C=US
発行者: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
シリアル番号: 1c25430ed0a602e8cc3a977b0539cce5
有効期間の開始日: Sat Oct 31 09:00:00 JST 2015終了日: Tue Oct 31 08:59:59 JST 2017
証明書のフィンガプリント:
MD5: 58:49:71:94:C6:6F:68:3E:5B:F1:A2:29:37:CC:AA:8C
SHA1: 41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32
SHA256: FE:37:33:E2:40:84:5F:69:C9:51:5D:3C:8B:A0:26:6B:51:FB:C7:07:A7:42:7A:43:E3:1D:E5:24:EE:C7:C3:1C
署名アルゴリズム名: SHA256withRSA
バージョン: 3
拡張:
# 1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ss.symcd.com
,
accessMethod: caIssuers
accessLocation: URIName: http://ss.symcb.com/ss.crt
]
]
# 2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 5F 60 CF 61 90 55 DF 84 43 14 8A 60 2A B2 F5 7A _`.a.U..C..`*..z
0010: F4 43 18 EF .C..
]
]
# 3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
# 4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://ss.symcb.com/ss.crl]
]]
# 5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 6D 63 ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70 73 b.com/cps
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 19 1A 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F 72 70 61 mcb.com/rpa
]] ]
]
# 6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
# 7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
# 8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: www.yahoo.com
DNSName: yahoo.com
DNSName: hsrd.yahoo.com
DNSName: us.yahoo.com
DNSName: fr.yahoo.com
DNSName: uk.yahoo.com
DNSName: za.yahoo.com
DNSName: ie.yahoo.com
DNSName: it.yahoo.com
DNSName: es.yahoo.com
DNSName: de.yahoo.com
DNSName: ca.yahoo.com
DNSName: qc.yahoo.com
DNSName: br.yahoo.com
DNSName: ro.yahoo.com
DNSName: se.yahoo.com
DNSName: be.yahoo.com
DNSName: fr-be.yahoo.com
DNSName: ar.yahoo.com
DNSName: mx.yahoo.com
DNSName: cl.yahoo.com
DNSName: co.yahoo.com
DNSName: ve.yahoo.com
DNSName: espanol.yahoo.com
DNSName: pe.yahoo.com
DNSName: in.yahoo.com
DNSName: sg.yahoo.com
DNSName: id.yahoo.com
DNSName: malaysia.yahoo.com
DNSName: ph.yahoo.com
DNSName: vn.yahoo.com
DNSName: maktoob.yahoo.com
DNSName: en-maktoob.yahoo.com
DNSName: ca.my.yahoo.com
DNSName: gr.yahoo.com
DNSName: att.yahoo.com
DNSName: au.yahoo.com
DNSName: nz.yahoo.com
DNSName: tw.yahoo.com
DNSName: hk.yahoo.com
DNSName: brb.yahoo.com
DNSName: my.yahoo.com
DNSName: add.my.yahoo.com
DNSName: frontier.yahoo.com
DNSName: verizon.yahoo.com
DNSName: ca.rogers.yahoo.com
DNSName: fr-ca.rogers.yahoo.com
DNSName: tatadocomo.yahoo.com
DNSName: tikona.yahoo.com
DNSName: ideanetsetter.yahoo.com
DNSName: mtsindia.yahoo.com
DNSName: smartfren.yahoo.com
DNSName: *.att.yahoo.com
DNSName: *.people.yahoo.com
DNSName: *.celebrity.yahoo.com
DNSName: *.vida-estilo.yahoo.com
DNSName: *.style.yahoo.com
DNSName: *.movies.yahoo.com
DNSName: *.stars.yahoo.com
DNSName: *.kino.yahoo.com
DNSName: *.cine.yahoo.com
DNSName: *.cinema.yahoo.com
DNSName: *.celebridades.yahoo.com
DNSName: *.live.yahoo.com
DNSName: *.beauty.yahoo.com
]
この証明書を信頼しますか。 [いいえ]: y
証明書がキーストアに追加されました
中間証明書、ルート証明書も同様にインポートしてください。
SSLPokeを利用したSSL接続検証
ここまでで準備ができたので、SSLPokeを利用してSSL接続検証を行います。
SSLPokeは以下のコマンドで接続検証ができますが、ここでは細かいハンドシェイクを見るために
オプションとして「Djavax.net.debug=ssl,handshake」を指定しています。
また、キーストアは何も指定しないと前述したデフォルトのキーストアを参照するので
「-Djavax.net.ssl.trustStore」オプションと「-Djavax.net.ssl.trustStorePassword」オプションを利用して明示的に指定しています。
yahoo.jksでgoogle.comへ接続
これは失敗するパターンです。
トラストストアとしてyahoo.comの証明書しかないキーストアを利用してgoogle.comへ接続しようとしています。
yahoo.jksでgoogle.comへ接続
java -Djavax.net.ssl.trustStore=keystores/yahoo.jks -Djavax.net.ssl.trustStorePassword=yahooo -Djavax.net.debug=ssl,handshake SSLPoke google.com 443
trustStore is: keystores\yahoo.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x513fb9743870b73440418d30930699ff
Valid from Thu Oct 31 09:00:00 JST 2013 until Tue Oct 31 08:59:59 JST 2023
adding as trusted cert:
Subject: CN=www.yahoo.com, OU=Information Technology, O=Yahoo Inc., L=Sunnyvale, ST=California, C=US
Issuer: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Algorithm: RSA; Serial number: 0x1c25430ed0a602e8cc3a977b0539cce5
Valid from Sat Oct 31 09:00:00 JST 2015 until Tue Oct 31 08:59:59 JST 2017
adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x18dad19e267de8bb4a2158cdcc6b3b4a
Valid from Wed Nov 08 09:00:00 JST 2006 until Thu Jul 17 08:59:59 JST 2036
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1493373611 bytes = { 74, 79, 25, 73, 94, 244, 238, 98, 59, 99, 58, 149, 85, 164, 25, 89, 188, 129, 239, 77, 113, 178, 53, 122, 161, 251, 246, 141 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=google.com]
***
main, WRITE: TLSv1.2 Handshake, length = 222
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1493373610 bytes = { 8, 14, 157, 199, 79, 230, 132, 127, 193, 13, 186, 62, 120, 46, 184, 133, 203, 240, 47, 208, 179, 15, 147, 194, 84, 166, 177, 251 }
Session ID: {65, 22, 118, 24, 34, 177, 101, 173, 207, 106, 149, 43, 178, 26, 22, 115, 187, 61, 241, 194, 96, 109, 132, 37, 4, 120, 236, 153, 26, 62, 255, 89}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 3813
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun EC public key, 256 bits
public x coord: 15857649762105096772968051547638456909892305426137858367128632380206196964288
public y coord: 48779184071160655230510496126717706041261646117444654293733038245412446736917
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
Validity: [From: Wed Apr 12 22:37:30 JST 2017,
To: Wed Jul 05 22:28:00 JST 2017]
Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
SerialNumber: [ 4fca07b9 59375f08]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://clients1.google.com/ocsp
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://pki.google.com/GIAG2.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.google.com
DNSName: *.android.com
DNSName: *.appengine.google.com
DNSName: *.cloud.google.com
DNSName: *.gcp.gvt2.com
DNSName: *.google-analytics.com
DNSName: *.google.ca
DNSName: *.google.cl
DNSName: *.google.co.in
DNSName: *.google.co.jp
DNSName: *.google.co.uk
DNSName: *.google.com.ar
DNSName: *.google.com.au
DNSName: *.google.com.br
DNSName: *.google.com.co
DNSName: *.google.com.mx
DNSName: *.google.com.tr
DNSName: *.google.com.vn
DNSName: *.google.de
DNSName: *.google.es
DNSName: *.google.fr
DNSName: *.google.hu
DNSName: *.google.it
DNSName: *.google.nl
DNSName: *.google.pl
DNSName: *.google.pt
DNSName: *.googleadapis.com
DNSName: *.googleapis.cn
DNSName: *.googlecommerce.com
DNSName: *.googlevideo.com
DNSName: *.gstatic.cn
DNSName: *.gstatic.com
DNSName: *.gvt1.com
DNSName: *.gvt2.com
DNSName: *.metric.gstatic.com
DNSName: *.urchin.com
DNSName: *.url.google.com
DNSName: *.youtube-nocookie.com
DNSName: *.youtube.com
DNSName: *.youtubeeducation.com
DNSName: *.ytimg.com
DNSName: android.clients.google.com
DNSName: android.com
DNSName: developer.android.google.cn
DNSName: developers.android.google.cn
DNSName: g.co
DNSName: goo.gl
DNSName: google-analytics.com
DNSName: google.com
DNSName: googlecommerce.com
DNSName: source.android.google.cn
DNSName: urchin.com
DNSName: www.goo.gl
DNSName: youtu.be
DNSName: youtube.com
DNSName: youtubeeducation.com
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C7 C2 3E 01 A4 D3 F4 4E DE 59 7F 98 31 7D C0 8B ..>....N.Y..1...
0010: 88 C5 1D 9A ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 61 F7 94 99 58 C7 7A AD 99 45 F7 C9 43 0C 6E 8C a...X.z..E..C.n.
0010: 1A D8 0C 7C 96 51 29 B8 01 1B 2D FB C4 E8 AB BA .....Q)...-.....
0020: AC C0 B0 69 49 3A 8C 81 67 3C 3D 74 0D 0B E5 0D ...iI:..g<=t....
0030: 98 04 32 AB 52 CA D1 1E BD 9A 24 43 99 AB 33 B7 ..2.R.....$C..3.
0040: A3 77 1E 2B 4E FB 47 0E F3 2E 44 58 2B 2F EE B3 .w.+N.G...DX+/..
0050: AB 9F ED E4 D6 37 9B CC 42 13 53 18 4D EB 57 29 .....7..B.S.M.W)
0060: 71 FF 2E 3D 79 28 0A C3 30 36 DF C0 A2 59 CB 4D q..=y(..06...Y.M
0070: 69 74 A3 94 4E 64 A0 D0 B5 55 22 B2 80 3E 2F 4A it..Nd...U"..>/J
0080: 25 15 49 57 35 3D 84 26 C6 3A F6 67 38 BE F1 49 %.IW5=.&.:.g8..I
0090: 35 01 17 D4 A7 A2 35 A3 D6 9E D8 2A 15 FD EA E5 5.....5....*....
00A0: 88 34 69 C2 D9 F6 07 9F 6C CD 7A 60 1E 28 E3 E8 .4i.....l.z`.(..
00B0: E3 3B FA 7A 19 89 BA 43 0C F9 2A C1 61 9F 80 DA .;.z...C..*.a...
00C0: C2 0A 61 E9 C0 31 64 DC F0 C1 3C 01 E5 83 A8 89 ..a..1d...<.....
00D0: 79 43 23 48 88 FB E6 8C 08 0E E1 1E 51 5F F1 C5 yC#H........Q_..
00E0: 11 49 C0 E6 F3 E8 2D 30 E6 8B 26 CE F9 55 83 C8 .I....-0..&..U..
00F0: F2 B2 B6 C6 E8 4E 53 D6 E6 D5 F8 B2 F8 C3 23 61 .....NS.......#a
]
chain [1] = [
[
Version: V3
Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329
public exponent: 65537
Validity: [From: Wed Apr 01 09:00:00 JST 2015,
To: Mon Jan 01 08:59:59 JST 2018]
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
SerialNumber: [ 023a92]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://g.symcd.com
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e
0010: B8 CA CC 4E ...N
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://g.symcb.com/crls/gtglobal.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 08 4E 04 A7 80 7F 10 16 43 5E 02 AD D7 42 80 F4 .N......C^...B..
0010: B0 8E D2 AE B3 EB 11 7D 90 84 18 7D E7 90 15 FB ................
0020: 49 7F A8 99 05 91 BB 7A C9 D6 3C 37 18 09 9A B6 I......z..<7....
0030: C7 92 20 07 35 33 09 E4 28 63 72 0D B4 E0 32 9C .. .53..(cr...2.
0040: 87 98 C4 1B 76 89 67 C1 50 58 B0 13 AA 13 1A 1B ....v.g.PX......
0050: 32 A5 BE EA 11 95 4C 48 63 49 E9 99 5D 20 37 CC 2.....LHcI..] 7.
0060: FE 2A 69 51 16 95 4B A9 DE 49 82 C0 10 70 F4 2C .*iQ..K..I...p.,
0070: F3 EC BC 24 24 D0 4E AC A5 D9 5E 1E 6D 92 C1 A7 ...$$.N...^.m...
0080: AC 48 35 81 F9 E5 E4 9C 65 69 CD 87 A4 41 50 3F .H5.....ei...AP?
0090: 2E 57 A5 91 51 12 58 0E 8C 09 A1 AC 7A A4 12 A5 .W..Q.X.....z...
00A0: 27 F3 9A 10 97 7D 55 03 06 F7 66 58 5F 5F 64 E1 '.....U...fX__d.
00B0: AB 5D 6D A5 39 48 75 98 4C 29 5A 3A 8D D3 2B CA .]m.9Hu.L)Z:..+.
00C0: 9C 55 04 BF F4 E6 14 D5 80 AC 26 ED 17 89 A6 93 .U........&.....
00D0: 6C 5C A4 CC B8 F0 66 8E 64 E3 7D 9A E2 00 B3 49 l\....f.d......I
00E0: C7 E4 0A AA DD 5B 83 C7 70 90 46 4E BE D0 DB 59 .....[..p.FN...Y
00F0: 96 6C 2E F5 16 36 DE 71 CC 01 C2 12 C1 21 C6 16 .l...6.q.....!..
]
chain [2] = [
[
Version: V3
Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953
public exponent: 65537
Validity: [From: Tue May 21 13:00:00 JST 2002,
To: Tue Aug 21 13:00:00 JST 2018]
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SerialNumber: [ 12bbe6]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.geotrust.com/crls/secureca.crl]
]]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge
0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou
0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository
]] ]
]
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e
0010: B8 CA CC 4E ...N
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......
0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....
0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.6
0030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\
0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....
0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo
0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._
0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.
]
***
%% Invalidated: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 16 more
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
と出ていますね。
google.jksでgoogle.comへ接続
これは成功するパターンです。
トラストストアとしてgoogle.comの証明書しかないキーストアを利用してgoogle.comへ接続しようとしています。
jksでgoogle.jksでgoogle.comへ接続
$ java -Djavax.net.ssl.trustStore=keystores/google.jks -Djavax.net.ssl.trustStorePassword=google -Djavax.net.debug=ssl,handshake SSLPoke google.com 443
trustStore is: keystores\google.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x23a92
Valid from Wed Apr 01 09:00:00 JST 2015 until Mon Jan 01 08:59:59 JST 2018
adding as trusted cert:
Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x23456
Valid from Tue May 21 13:00:00 JST 2002 until Sat May 21 13:00:00 JST 2022
adding as trusted cert:
Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
Algorithm: EC; Serial number: 0x4fca07b959375f08
Valid from Wed Apr 12 22:37:30 JST 2017 until Wed Jul 05 22:28:00 JST 2017
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1493373667 bytes = { 211, 165, 121, 86, 252, 7, 118, 68, 9, 16, 158, 80, 244, 116, 50, 132, 235, 3, 124, 174, 182, 254, 206, 181, 73, 78, 152, 136 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=google.com]
***
main, WRITE: TLSv1.2 Handshake, length = 222
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1493373666 bytes = { 68, 62, 71, 118, 84, 161, 72, 22, 187, 65, 171, 73, 117, 199, 49, 63, 110, 111, 166, 227, 204, 226, 126, 51, 208, 35, 189, 219 }
Session ID: {141, 9, 13, 140, 215, 84, 61, 114, 50, 35, 232, 75, 135, 15, 200, 152, 230, 8, 26, 30, 44, 8, 147, 22, 133, 34, 128, 236, 3, 157, 131, 185}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 3813
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun EC public key, 256 bits
public x coord: 15857649762105096772968051547638456909892305426137858367128632380206196964288
public y coord: 48779184071160655230510496126717706041261646117444654293733038245412446736917
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
Validity: [From: Wed Apr 12 22:37:30 JST 2017,
To: Wed Jul 05 22:28:00 JST 2017]
Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
SerialNumber: [ 4fca07b9 59375f08]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://clients1.google.com/ocsp
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://pki.google.com/GIAG2.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.google.com
DNSName: *.android.com
DNSName: *.appengine.google.com
DNSName: *.cloud.google.com
DNSName: *.gcp.gvt2.com
DNSName: *.google-analytics.com
DNSName: *.google.ca
DNSName: *.google.cl
DNSName: *.google.co.in
DNSName: *.google.co.jp
DNSName: *.google.co.uk
DNSName: *.google.com.ar
DNSName: *.google.com.au
DNSName: *.google.com.br
DNSName: *.google.com.co
DNSName: *.google.com.mx
DNSName: *.google.com.tr
DNSName: *.google.com.vn
DNSName: *.google.de
DNSName: *.google.es
DNSName: *.google.fr
DNSName: *.google.hu
DNSName: *.google.it
DNSName: *.google.nl
DNSName: *.google.pl
DNSName: *.google.pt
DNSName: *.googleadapis.com
DNSName: *.googleapis.cn
DNSName: *.googlecommerce.com
DNSName: *.googlevideo.com
DNSName: *.gstatic.cn
DNSName: *.gstatic.com
DNSName: *.gvt1.com
DNSName: *.gvt2.com
DNSName: *.metric.gstatic.com
DNSName: *.urchin.com
DNSName: *.url.google.com
DNSName: *.youtube-nocookie.com
DNSName: *.youtube.com
DNSName: *.youtubeeducation.com
DNSName: *.ytimg.com
DNSName: android.clients.google.com
DNSName: android.com
DNSName: developer.android.google.cn
DNSName: developers.android.google.cn
DNSName: g.co
DNSName: goo.gl
DNSName: google-analytics.com
DNSName: google.com
DNSName: googlecommerce.com
DNSName: source.android.google.cn
DNSName: urchin.com
DNSName: www.goo.gl
DNSName: youtu.be
DNSName: youtube.com
DNSName: youtubeeducation.com
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C7 C2 3E 01 A4 D3 F4 4E DE 59 7F 98 31 7D C0 8B ..>....N.Y..1...
0010: 88 C5 1D 9A ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 61 F7 94 99 58 C7 7A AD 99 45 F7 C9 43 0C 6E 8C a...X.z..E..C.n.
0010: 1A D8 0C 7C 96 51 29 B8 01 1B 2D FB C4 E8 AB BA .....Q)...-.....
0020: AC C0 B0 69 49 3A 8C 81 67 3C 3D 74 0D 0B E5 0D ...iI:..g<=t....
0030: 98 04 32 AB 52 CA D1 1E BD 9A 24 43 99 AB 33 B7 ..2.R.....$C..3.
0040: A3 77 1E 2B 4E FB 47 0E F3 2E 44 58 2B 2F EE B3 .w.+N.G...DX+/..
0050: AB 9F ED E4 D6 37 9B CC 42 13 53 18 4D EB 57 29 .....7..B.S.M.W)
0060: 71 FF 2E 3D 79 28 0A C3 30 36 DF C0 A2 59 CB 4D q..=y(..06...Y.M
0070: 69 74 A3 94 4E 64 A0 D0 B5 55 22 B2 80 3E 2F 4A it..Nd...U"..>/J
0080: 25 15 49 57 35 3D 84 26 C6 3A F6 67 38 BE F1 49 %.IW5=.&.:.g8..I
0090: 35 01 17 D4 A7 A2 35 A3 D6 9E D8 2A 15 FD EA E5 5.....5....*....
00A0: 88 34 69 C2 D9 F6 07 9F 6C CD 7A 60 1E 28 E3 E8 .4i.....l.z`.(..
00B0: E3 3B FA 7A 19 89 BA 43 0C F9 2A C1 61 9F 80 DA .;.z...C..*.a...
00C0: C2 0A 61 E9 C0 31 64 DC F0 C1 3C 01 E5 83 A8 89 ..a..1d...<.....
00D0: 79 43 23 48 88 FB E6 8C 08 0E E1 1E 51 5F F1 C5 yC#H........Q_..
00E0: 11 49 C0 E6 F3 E8 2D 30 E6 8B 26 CE F9 55 83 C8 .I....-0..&..U..
00F0: F2 B2 B6 C6 E8 4E 53 D6 E6 D5 F8 B2 F8 C3 23 61 .....NS.......#a
]
chain [1] = [
[
Version: V3
Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329
public exponent: 65537
Validity: [From: Wed Apr 01 09:00:00 JST 2015,
To: Mon Jan 01 08:59:59 JST 2018]
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
SerialNumber: [ 023a92]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://g.symcd.com
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e
0010: B8 CA CC 4E ...N
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://g.symcb.com/crls/gtglobal.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 08 4E 04 A7 80 7F 10 16 43 5E 02 AD D7 42 80 F4 .N......C^...B..
0010: B0 8E D2 AE B3 EB 11 7D 90 84 18 7D E7 90 15 FB ................
0020: 49 7F A8 99 05 91 BB 7A C9 D6 3C 37 18 09 9A B6 I......z..<7....
0030: C7 92 20 07 35 33 09 E4 28 63 72 0D B4 E0 32 9C .. .53..(cr...2.
0040: 87 98 C4 1B 76 89 67 C1 50 58 B0 13 AA 13 1A 1B ....v.g.PX......
0050: 32 A5 BE EA 11 95 4C 48 63 49 E9 99 5D 20 37 CC 2.....LHcI..] 7.
0060: FE 2A 69 51 16 95 4B A9 DE 49 82 C0 10 70 F4 2C .*iQ..K..I...p.,
0070: F3 EC BC 24 24 D0 4E AC A5 D9 5E 1E 6D 92 C1 A7 ...$$.N...^.m...
0080: AC 48 35 81 F9 E5 E4 9C 65 69 CD 87 A4 41 50 3F .H5.....ei...AP?
0090: 2E 57 A5 91 51 12 58 0E 8C 09 A1 AC 7A A4 12 A5 .W..Q.X.....z...
00A0: 27 F3 9A 10 97 7D 55 03 06 F7 66 58 5F 5F 64 E1 '.....U...fX__d.
00B0: AB 5D 6D A5 39 48 75 98 4C 29 5A 3A 8D D3 2B CA .]m.9Hu.L)Z:..+.
00C0: 9C 55 04 BF F4 E6 14 D5 80 AC 26 ED 17 89 A6 93 .U........&.....
00D0: 6C 5C A4 CC B8 F0 66 8E 64 E3 7D 9A E2 00 B3 49 l\....f.d......I
00E0: C7 E4 0A AA DD 5B 83 C7 70 90 46 4E BE D0 DB 59 .....[..p.FN...Y
00F0: 96 6C 2E F5 16 36 DE 71 CC 01 C2 12 C1 21 C6 16 .l...6.q.....!..
]
chain [2] = [
[
Version: V3
Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953
public exponent: 65537
Validity: [From: Tue May 21 13:00:00 JST 2002,
To: Tue Aug 21 13:00:00 JST 2018]
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SerialNumber: [ 12bbe6]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.geotrust.com/crls/secureca.crl]
]]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge
0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou
0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository
]] ]
]
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e
0010: B8 CA CC 4E ...N
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......
0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....
0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.6
0030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\
0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....
0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo
0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._
0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.
]
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun EC public key, 256 bits
public x coord: 15857649762105096772968051547638456909892305426137858367128632380206196964288
public y coord: 48779184071160655230510496126717706041261646117444654293733038245412446736917
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
Validity: [From: Wed Apr 12 22:37:30 JST 2017,
To: Wed Jul 05 22:28:00 JST 2017]
Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
SerialNumber: [ 4fca07b9 59375f08]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
accessMethod: ocsp
accessLocation: URIName: http://clients1.google.com/ocsp
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://pki.google.com/GIAG2.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.google.com
DNSName: *.android.com
DNSName: *.appengine.google.com
DNSName: *.cloud.google.com
DNSName: *.gcp.gvt2.com
DNSName: *.google-analytics.com
DNSName: *.google.ca
DNSName: *.google.cl
DNSName: *.google.co.in
DNSName: *.google.co.jp
DNSName: *.google.co.uk
DNSName: *.google.com.ar
DNSName: *.google.com.au
DNSName: *.google.com.br
DNSName: *.google.com.co
DNSName: *.google.com.mx
DNSName: *.google.com.tr
DNSName: *.google.com.vn
DNSName: *.google.de
DNSName: *.google.es
DNSName: *.google.fr
DNSName: *.google.hu
DNSName: *.google.it
DNSName: *.google.nl
DNSName: *.google.pl
DNSName: *.google.pt
DNSName: *.googleadapis.com
DNSName: *.googleapis.cn
DNSName: *.googlecommerce.com
DNSName: *.googlevideo.com
DNSName: *.gstatic.cn
DNSName: *.gstatic.com
DNSName: *.gvt1.com
DNSName: *.gvt2.com
DNSName: *.metric.gstatic.com
DNSName: *.urchin.com
DNSName: *.url.google.com
DNSName: *.youtube-nocookie.com
DNSName: *.youtube.com
DNSName: *.youtubeeducation.com
DNSName: *.ytimg.com
DNSName: android.clients.google.com
DNSName: android.com
DNSName: developer.android.google.cn
DNSName: developers.android.google.cn
DNSName: g.co
DNSName: goo.gl
DNSName: google-analytics.com
DNSName: google.com
DNSName: googlecommerce.com
DNSName: source.android.google.cn
DNSName: urchin.com
DNSName: www.goo.gl
DNSName: youtu.be
DNSName: youtube.com
DNSName: youtubeeducation.com
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C7 C2 3E 01 A4 D3 F4 4E DE 59 7F 98 31 7D C0 8B ..>....N.Y..1...
0010: 88 C5 1D 9A ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 61 F7 94 99 58 C7 7A AD 99 45 F7 C9 43 0C 6E 8C a...X.z..E..C.n.
0010: 1A D8 0C 7C 96 51 29 B8 01 1B 2D FB C4 E8 AB BA .....Q)...-.....
0020: AC C0 B0 69 49 3A 8C 81 67 3C 3D 74 0D 0B E5 0D ...iI:..g<=t....
0030: 98 04 32 AB 52 CA D1 1E BD 9A 24 43 99 AB 33 B7 ..2.R.....$C..3.
0040: A3 77 1E 2B 4E FB 47 0E F3 2E 44 58 2B 2F EE B3 .w.+N.G...DX+/..
0050: AB 9F ED E4 D6 37 9B CC 42 13 53 18 4D EB 57 29 .....7..B.S.M.W)
0060: 71 FF 2E 3D 79 28 0A C3 30 36 DF C0 A2 59 CB 4D q..=y(..06...Y.M
0070: 69 74 A3 94 4E 64 A0 D0 B5 55 22 B2 80 3E 2F 4A it..Nd...U"..>/J
0080: 25 15 49 57 35 3D 84 26 C6 3A F6 67 38 BE F1 49 %.IW5=.&.:.g8..I
0090: 35 01 17 D4 A7 A2 35 A3 D6 9E D8 2A 15 FD EA E5 5.....5....*....
00A0: 88 34 69 C2 D9 F6 07 9F 6C CD 7A 60 1E 28 E3 E8 .4i.....l.z`.(..
00B0: E3 3B FA 7A 19 89 BA 43 0C F9 2A C1 61 9F 80 DA .;.z...C..*.a...
00C0: C2 0A 61 E9 C0 31 64 DC F0 C1 3C 01 E5 83 A8 89 ..a..1d...<.....
00D0: 79 43 23 48 88 FB E6 8C 08 0E E1 1E 51 5F F1 C5 yC#H........Q_..
00E0: 11 49 C0 E6 F3 E8 2D 30 E6 8B 26 CE F9 55 83 C8 .I....-0..&..U..
00F0: F2 B2 B6 C6 E8 4E 53 D6 E6 D5 F8 B2 F8 C3 23 61 .....NS.......#a
]
main, READ: TLSv1.2 Handshake, length = 148
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withECDSA
Server key: Sun EC public key, 256 bits
public x coord: 115756770858964201123508282005285098276280732187879456334366788861687300357561
public y coord: 110353450491050068374662283797391955503928196866475776828795242660392251194224
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 102, 16, 232, 95, 167, 218, 53, 177, 237, 93, 245, 96, 45, 22, 128, 103, 51, 27, 241, 225, 92, 68, 168, 164, 61, 229, 90, 224, 170, 94, 68, 26, 134, 158, 1, 78, 48, 106, 73, 192, 50, 212, 221, 185, 2, 236, 60, 27, 155, 31, 97, 14, 172, 185, 8, 39, 226, 197, 109, 10, 88, 187, 197, 78 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 32 88 BD EA 48 29 4F D3 29 4D A5 3E E9 C8 92 9C 2...H)O.)M.>....
0010: E5 C9 FC 2D B7 8B 6C 74 60 0B F3 BB 2A 91 FD 08 ...-..lt`...*...
CONNECTION KEYGEN:
Client Nonce:
0000: 59 03 13 E3 D3 A5 79 56 FC 07 76 44 09 10 9E 50 Y.....yV..vD...P
0010: F4 74 32 84 EB 03 7C AE B6 FE CE B5 49 4E 98 88 .t2.........IN..
Server Nonce:
0000: 59 03 13 E2 44 3E 47 76 54 A1 48 16 BB 41 AB 49 Y...D>GvT.H..A.I
0010: 75 C7 31 3F 6E 6F A6 E3 CC E2 7E 33 D0 23 BD DB u.1?no.....3.#..
Master Secret:
0000: D5 66 F7 91 0F 75 F3 1E 2E 08 F6 14 8F 44 27 6F .f...u.......D'o
0010: 2C C1 A2 72 10 10 72 64 E6 9C E0 1A E4 57 EB 4A ,..r..rd.....W.J
0020: 2C AF 60 A9 8D A8 C4 A8 75 7D 87 77 5A 22 AB 23 ,.`.....u..wZ".#
... no MAC keys used for this cipher
Client write key:
0000: D7 F8 D2 DC FD 2A F5 9B 1B B8 47 68 63 E1 41 75 .....*....Ghc.Au
Server write key:
0000: 59 80 39 DA 17 09 04 69 0A 80 C3 4C 50 2A AF 8C Y.9....i...LP*..
Client write IV:
0000: 79 2D 4F 89 y-O.
Server write IV:
0000: E0 94 B0 12 ....
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 107, 89, 71, 14, 131, 49, 61, 251, 37, 136, 64, 119 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data: { 46, 135, 143, 56, 123, 58, 143, 124, 90, 252, 201, 121 }
***
%% Cached client session: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 25
Successfully connected
無事接続できました。
まとめ
JKSを利用したSSL接続では意外とハマることが多いので、
ハンドシェイクまで見ていくと問題解決の道筋が見えてきます。