Tag mismatch SSL error when trying to connect to SMK
AlexandruCiobanu opened this issue · 4 comments
AlexandruCiobanu commented
Hi Phil, I am struggling with an odd error. I am on a linux machine using java 11.0.20 trying to signal to the SMK a new participant.
I have a small wrapper that handles parameters passed in as arguments and calls the ManageParticipantIdentifierServiceCaller .
I get an SSL exception saying tag mismatch and I cannot find out why.
On another machine the same code works when connecting to the SML. So production works but test does not. I tried the same code on a windows machine connecting to the SMK and it was able to successfully connect. I am at a loss as to what the problem may be. It is not a firewall issue as it can access the SMK's certificate chain. could it be a cipher issue?
Both linux machines use java 11.0.20 and openssl 1.0.2.
Thank you,
Alex
Please find below the redacted log of the failing call
2023-11-28T13:53:53,532 INFO com.helger.phoss.smp.security.SMPKeyManager._loadKeyStore(SMPKeyManager.java:122) - SMPKeyManager successfully initialized with keystore 'xxxxxxxxxx.p12' and alias 'smp'
2023-11-28T13:53:53,558 WARN com.helger.phoss.smp.security.SMPKeyManager.createSSLContext(SMPKeyManager.java:209) - No truststore is configured, so the build SSL/TLS connection will trust all hosts!
2023-11-28T13:53:53,628 INFO com.helger.peppol.smlclient.ManageParticipantIdentifierServiceCaller.create(ManageParticipantIdentifierServiceCaller.java:168) - Trying to create new participant iso6523-actorid-upis::0151:xxxxxxxxxxx in SMP 'xxxxxxxxxxx-TEST'
2023-11-28T13:53:55,775 INFO com.helger.commons.ws.TrustManagerTrustAll.checkServerTrusted(TrustManagerTrustAll.java:69) - checkServerTrusted ([[
[
Version: V3
Subject: CN=edelivery.tech.ec.europa.eu, O=European Commission, L=Brussels, ST=Brussels-Capital Region, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 29573442910608890274964506394851617461462393378201187129286486057826326808575306607460482297651358900494662491660451036494778967275793479943339837067783937955740256468001380007106539786871875262212501547687554170360231944769789462933576074572690125435911201460708058634618446519457761664119874304859959706084215564036747861036310004192706024115261012262202328800233820085694658524674081881473284733341242826184366735045229902947088301472155932091068193925933683345448250954405174617999193741854024221537646229720202039920840135694698302378527693190975919187973034272309163700274802755632374734929084066754295698607839
public exponent: 65537
Validity: [From: Mon Jul 24 07:41:20 UTC 2023,
To: Sat Aug 24 07:41:19 UTC 2024]
Issuer: CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
SerialNumber: [ 37966eac 11cf207d 2805b7a9]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B 01 69 00 77 00 EE CD D0 ...o...k.i.w....
0010: 64 D5 DB 1A CE C5 5C B7 9D B4 CD 13 A2 32 87 46 d.....\\......2.F
0020: 7C BC EC DE C3 51 48 59 46 71 1F B5 9B 00 00 01 .....QHYFq......
0030: 89 86 D8 93 4E 00 00 04 03 00 48 30 46 02 21 00 ....N.....H0F.!.
0040: D4 8C DC C8 CC 7C E4 16 B4 D0 4D 07 CE 5C 79 84 ..........M..\\y.
0050: 2E 01 95 F2 1B 15 E7 28 55 5C 7D 02 4F 8B 69 89 .......(U\\..O.i.
0060: 02 21 00 E5 33 6B 59 90 23 F7 BD EF 2A 8E 7C 4E .!..3kY.#...*..N
0070: D9 E9 BB 48 C4 1E 58 47 FE 37 F2 AA 1C C0 A0 D0 ...H..XG.7......
0080: 4E 02 60 00 77 00 48 B0 E3 6B DA A6 47 34 0F E5 N.`.w.H..k..G4..
0090: 6A 02 FA 9D 30 EB 1C 52 01 CB 56 DD 2C 81 D9 BB j...0..R..V.,...
00A0: BF AB 39 D8 84 73 00 00 01 89 86 D8 93 66 00 00 ..9..s.......f..
00B0: 04 03 00 48 30 46 02 21 00 FD C3 54 C9 4A E8 63 ...H0F.!...T.J.c
00C0: 7A 59 F4 E3 3C 68 C9 B8 C0 1B AD F9 79 A6 26 1E zY..<h......y.&.
00D0: 4A 6C 7F C9 4B 32 88 C7 C4 02 21 00 DA 39 B7 77 Jl..K2....!..9.w
00E0: 86 54 45 40 86 E7 D0 C9 F0 41 DA A0 E7 94 CE C3 .TE@.....A......
00F0: 35 51 C3 8A 85 FB 78 7C 74 A8 0D 0C 00 75 00 DA 5Q....x.t....u..
0100: B6 BF 6B 3F B5 B6 22 9F 9B C2 BB 5C 6B E8 70 91 ..k?..\"....\\k.p.
0110: 71 6C BB 51 84 85 34 BD A4 3D 30 48 D7 FB AB 00 ql.Q..4..=0H....
0120: 00 01 89 86 D8 93 74 00 00 04 03 00 46 30 44 02 ......t.....F0D.
0130: 20 72 51 2D 3D 4B EB CD 93 C5 72 B4 14 11 B5 06 rQ-=K....r.....
0140: F5 73 4F 24 74 D6 D2 FE FC 7B 8F 6A 81 C6 B3 FB .sO$t......j....
0150: 36 02 20 09 52 1B 50 09 66 D2 02 C2 8B 48 F6 BF 6. .R.P.f....H..
0160: 7A 9B E6 85 C9 1F 78 8D 1B 1F DB 94 33 6D C7 52 z.....x.....3m.R
0170: 70 5E 96 p^.
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp.globalsign.com/gsrsaovsslca2018
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F8 EF 7F F2 CD 78 67 A8 DE 6F 8F 24 8D 88 F1 87 .....xg..o.$....
0010: 03 02 B3 EB ....
]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.com/gsrsaovsslca2018.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.4146.1.20]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 26 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 6C .&https://www.gl
0010: 6F 62 61 6C 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 obalsign.com/rep
0020: 6F 73 69 74 6F 72 79 2F ository/
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: edelivery.tech.ec.europa.eu
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CC 5F 64 E9 BB 83 95 70 92 6A F6 9F D0 B2 C1 18 ._d....p.j......
0010: CB 80 3A 96 ..:.
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 5E 1D 4E 76 9B 01 C0 09 38 63 66 7B 8C 72 2D 93 ^.Nv....8cf..r-.
0010: 3E E8 24 8E 39 65 75 68 49 C1 A0 43 46 61 A4 21 >.$.9euhI..CFa.!
0020: 93 F7 EF FD 15 D9 07 16 18 A9 66 DA 93 C2 69 F5 ..........f...i.
0030: 3A E6 F2 A6 66 8E C5 DD CB 4A CE AD 3D 8C 7E 13 :...f....J..=...
0040: 50 43 A4 E4 9F 84 3F BD 4F 96 CD D6 D2 31 8E D8 PC....?.O....1..
0050: 3D 38 D7 D7 2B E4 99 45 F9 9C D3 A1 DE 9C 04 E7 =8..+..E........
0060: D9 35 BC 66 1E BA 03 AA D7 90 9A D4 6C 32 85 BA .5.f........l2..
0070: 1A 1D 36 22 08 3B B4 9C C7 40 79 75 D7 EB B6 31 ..6\".;...@yu...1
0080: 29 88 F4 FF 18 B1 F1 D7 F6 14 D2 59 E2 7B 40 88 )..........Y..@.
0090: D0 12 4E 02 4B F9 10 25 A9 65 50 64 80 47 80 7A ..N.K..%.ePd.G.z
00A0: 73 74 EF 89 41 81 31 85 35 8C B4 84 3A 34 28 08 st..A.1.5...:4(.
00B0: 2B 7A B4 E4 C1 C1 46 34 C1 83 10 7C 45 52 9D C5 +z....F4....ER..
00C0: 6A 94 F2 58 CA C6 A7 65 F1 56 C4 52 FC 54 91 D9 j..X...e.V.R.T..
00D0: 74 74 A5 41 B8 DF 57 E2 88 2C 51 5A 26 05 16 2D tt.A..W..,QZ&..-
00E0: 0E E5 40 4E 21 06 97 D5 65 DD C0 43 E6 AB A1 1A ..@N!...e..C....
00F0: 33 9C F9 FF 96 AE 87 21 6B 07 52 4F EB 20 26 3F 3......!k.RO. &?
], [
[
Version: V3
Subject: CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 21126566361448906107436419936616456930503766795295011397390099377214532594339540630127839983694000880957855429090662736543459885979148095011845773324878609805910592394098822605447205094595434773457756619595496551339815291517938821967518409268674135327890982411359059853554206557405488402844883476783910436071263072611374930015184977470928360416482680275213210359134955800600416298955663157681791825971806614492086218468021537113159139781585498849221181678353105886727402106622369312650411327690533152044002528504537929182833153678424044530351812527294481555102466085982300518657855234182316103558953341555178558367567
public exponent: 65537
Validity: [From: Wed Nov 21 00:00:00 UTC 2018,
To: Tue Nov 21 00:00:00 UTC 2028]
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
SerialNumber: [ 01ee5f22 1dfc623b d4333a85 57]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp2.globalsign.com/rootr3
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 8F F0 4B 7F A8 2E 45 24 AE 4D 50 FA 63 9A 8B DE ..K...E$.MP.c...
0010: E2 DD 1B BC ....
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.com/root-r3.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 26 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 6C .&https://www.gl
0010: 6F 62 61 6C 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 obalsign.com/rep
0020: 6F 73 69 74 6F 72 79 2F ository/
]] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F8 EF 7F F2 CD 78 67 A8 DE 6F 8F 24 8D 88 F1 87 .....xg..o.$....
0010: 03 02 B3 EB ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 99 90 C8 2D 5F 42 8A D4 0B 66 DB 98 03 73 11 D4 ...-_B...f...s..
0010: 88 86 52 28 53 8A FB AD DF FD 73 8E 3A 67 04 DB ..R(S.....s.:g..
0020: C3 53 14 70 14 09 7C C3 E0 F8 D7 1C 98 1A A2 C4 .S.p............
0030: 3E DB E9 00 E3 CA 70 B2 F1 22 30 21 56 DB D3 AD >.....p..\"0!V...
0040: 79 5E 81 58 0B 6D 14 80 35 F5 6F 5D 1D EB 9A 47 y^.X.m..5.o]...G
0050: 05 FF 59 8D 00 B1 40 DA 90 98 96 1A BA 6C 6D 7F ..Y...@......lm.
0060: 8C F5 B3 80 DF 8C 64 73 36 96 79 79 69 74 EA BF ......ds6.yyit..
0070: F8 9E 01 8F A0 95 69 8D E9 84 BA E9 E5 D4 88 38 ......i........8
0080: DB 78 3B 98 D0 36 7B 29 B0 D2 52 18 90 DE 52 43 .x;..6.)..R...RC
0090: 00 AE 6A 27 C8 14 9E 86 95 AC E1 80 31 30 7E 9A ..j'........10..
00A0: 25 BB 8B AC 04 23 A6 99 00 E8 F1 D2 26 EC 0F 7E %....#......&...
00B0: 3B 8A 2B 92 38 13 1D 8F 86 CD 86 52 47 E6 34 7C ;.+.8......RG.4.
00C0: 5B A4 02 3E 8A 61 7C 22 76 53 5A 94 53 33 86 B8 [..>.a.\"vSZ.S3..
00D0: 92 A8 72 AF A1 F9 52 87 1F 31 A5 FC B0 81 57 2F ..r...R..1....W/
00E0: CD F4 CE DC F6 24 CF A7 E2 34 90 68 9D FE AA F1 .....$...4.h....
00F0: A9 9A 12 CC 9B C0 C6 C3 A8 A5 B0 21 7E DE 48 F6 ...........!..H.
]], UNKNOWN)
2023-11-28T13:53:56,806 INFO com.helger.commons.ws.TrustManagerTrustAll.checkServerTrusted(TrustManagerTrustAll.java:69) - checkServerTrusted ([[
[
Version: V3
Subject: CN=edelivery.tech.ec.europa.eu, O=European Commission, L=Brussels, ST=Brussels-Capital Region, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 29573442910608890274964506394851617461462393378201187129286486057826326808575306607460482297651358900494662491660451036494778967275793479943339837067783937955740256468001380007106539786871875262212501547687554170360231944769789462933576074572690125435911201460708058634618446519457761664119874304859959706084215564036747861036310004192706024115261012262202328800233820085694658524674081881473284733341242826184366735045229902947088301472155932091068193925933683345448250954405174617999193741854024221537646229720202039920840135694698302378527693190975919187973034272309163700274802755632374734929084066754295698607839
public exponent: 65537
Validity: [From: Mon Jul 24 07:41:20 UTC 2023,
To: Sat Aug 24 07:41:19 UTC 2024]
Issuer: CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
SerialNumber: [ 37966eac 11cf207d 2805b7a9]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B 01 69 00 77 00 EE CD D0 ...o...k.i.w....
0010: 64 D5 DB 1A CE C5 5C B7 9D B4 CD 13 A2 32 87 46 d.....\\......2.F
0020: 7C BC EC DE C3 51 48 59 46 71 1F B5 9B 00 00 01 .....QHYFq......
0030: 89 86 D8 93 4E 00 00 04 03 00 48 30 46 02 21 00 ....N.....H0F.!.
0040: D4 8C DC C8 CC 7C E4 16 B4 D0 4D 07 CE 5C 79 84 ..........M..\\y.
0050: 2E 01 95 F2 1B 15 E7 28 55 5C 7D 02 4F 8B 69 89 .......(U\\..O.i.
0060: 02 21 00 E5 33 6B 59 90 23 F7 BD EF 2A 8E 7C 4E .!..3kY.#...*..N
0070: D9 E9 BB 48 C4 1E 58 47 FE 37 F2 AA 1C C0 A0 D0 ...H..XG.7......
0080: 4E 02 60 00 77 00 48 B0 E3 6B DA A6 47 34 0F E5 N.`.w.H..k..G4..
0090: 6A 02 FA 9D 30 EB 1C 52 01 CB 56 DD 2C 81 D9 BB j...0..R..V.,...
00A0: BF AB 39 D8 84 73 00 00 01 89 86 D8 93 66 00 00 ..9..s.......f..
00B0: 04 03 00 48 30 46 02 21 00 FD C3 54 C9 4A E8 63 ...H0F.!...T.J.c
00C0: 7A 59 F4 E3 3C 68 C9 B8 C0 1B AD F9 79 A6 26 1E zY..<h......y.&.
00D0: 4A 6C 7F C9 4B 32 88 C7 C4 02 21 00 DA 39 B7 77 Jl..K2....!..9.w
00E0: 86 54 45 40 86 E7 D0 C9 F0 41 DA A0 E7 94 CE C3 .TE@.....A......
00F0: 35 51 C3 8A 85 FB 78 7C 74 A8 0D 0C 00 75 00 DA 5Q....x.t....u..
0100: B6 BF 6B 3F B5 B6 22 9F 9B C2 BB 5C 6B E8 70 91 ..k?..\"....\\k.p.
0110: 71 6C BB 51 84 85 34 BD A4 3D 30 48 D7 FB AB 00 ql.Q..4..=0H....
0120: 00 01 89 86 D8 93 74 00 00 04 03 00 46 30 44 02 ......t.....F0D.
0130: 20 72 51 2D 3D 4B EB CD 93 C5 72 B4 14 11 B5 06 rQ-=K....r.....
0140: F5 73 4F 24 74 D6 D2 FE FC 7B 8F 6A 81 C6 B3 FB .sO$t......j....
0150: 36 02 20 09 52 1B 50 09 66 D2 02 C2 8B 48 F6 BF 6. .R.P.f....H..
0160: 7A 9B E6 85 C9 1F 78 8D 1B 1F DB 94 33 6D C7 52 z.....x.....3m.R
0170: 70 5E 96 p^.
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp.globalsign.com/gsrsaovsslca2018
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F8 EF 7F F2 CD 78 67 A8 DE 6F 8F 24 8D 88 F1 87 .....xg..o.$....
0010: 03 02 B3 EB ....
]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.com/gsrsaovsslca2018.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.4146.1.20]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 26 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 6C .&https://www.gl
0010: 6F 62 61 6C 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 obalsign.com/rep
0020: 6F 73 69 74 6F 72 79 2F ository/
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: edelivery.tech.ec.europa.eu
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CC 5F 64 E9 BB 83 95 70 92 6A F6 9F D0 B2 C1 18 ._d....p.j......
0010: CB 80 3A 96 ..:.
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 5E 1D 4E 76 9B 01 C0 09 38 63 66 7B 8C 72 2D 93 ^.Nv....8cf..r-.
0010: 3E E8 24 8E 39 65 75 68 49 C1 A0 43 46 61 A4 21 >.$.9euhI..CFa.!
0020: 93 F7 EF FD 15 D9 07 16 18 A9 66 DA 93 C2 69 F5 ..........f...i.
0030: 3A E6 F2 A6 66 8E C5 DD CB 4A CE AD 3D 8C 7E 13 :...f....J..=...
0040: 50 43 A4 E4 9F 84 3F BD 4F 96 CD D6 D2 31 8E D8 PC....?.O....1..
0050: 3D 38 D7 D7 2B E4 99 45 F9 9C D3 A1 DE 9C 04 E7 =8..+..E........
0060: D9 35 BC 66 1E BA 03 AA D7 90 9A D4 6C 32 85 BA .5.f........l2..
0070: 1A 1D 36 22 08 3B B4 9C C7 40 79 75 D7 EB B6 31 ..6\".;...@yu...1
0080: 29 88 F4 FF 18 B1 F1 D7 F6 14 D2 59 E2 7B 40 88 )..........Y..@.
0090: D0 12 4E 02 4B F9 10 25 A9 65 50 64 80 47 80 7A ..N.K..%.ePd.G.z
00A0: 73 74 EF 89 41 81 31 85 35 8C B4 84 3A 34 28 08 st..A.1.5...:4(.
00B0: 2B 7A B4 E4 C1 C1 46 34 C1 83 10 7C 45 52 9D C5 +z....F4....ER..
00C0: 6A 94 F2 58 CA C6 A7 65 F1 56 C4 52 FC 54 91 D9 j..X...e.V.R.T..
00D0: 74 74 A5 41 B8 DF 57 E2 88 2C 51 5A 26 05 16 2D tt.A..W..,QZ&..-
00E0: 0E E5 40 4E 21 06 97 D5 65 DD C0 43 E6 AB A1 1A ..@N!...e..C....
00F0: 33 9C F9 FF 96 AE 87 21 6B 07 52 4F EB 20 26 3F 3......!k.RO. &?
], [
[
Version: V3
Subject: CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 21126566361448906107436419936616456930503766795295011397390099377214532594339540630127839983694000880957855429090662736543459885979148095011845773324878609805910592394098822605447205094595434773457756619595496551339815291517938821967518409268674135327890982411359059853554206557405488402844883476783910436071263072611374930015184977470928360416482680275213210359134955800600416298955663157681791825971806614492086218468021537113159139781585498849221181678353105886727402106622369312650411327690533152044002528504537929182833153678424044530351812527294481555102466085982300518657855234182316103558953341555178558367567
public exponent: 65537
Validity: [From: Wed Nov 21 00:00:00 UTC 2018,
To: Tue Nov 21 00:00:00 UTC 2028]
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
SerialNumber: [ 01ee5f22 1dfc623b d4333a85 57]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp2.globalsign.com/rootr3
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 8F F0 4B 7F A8 2E 45 24 AE 4D 50 FA 63 9A 8B DE ..K...E$.MP.c...
0010: E2 DD 1B BC ....
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.com/root-r3.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 26 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 6C .&https://www.gl
0010: 6F 62 61 6C 73 69 67 6E 2E 63 6F 6D 2F 72 65 70 obalsign.com/rep
0020: 6F 73 69 74 6F 72 79 2F ository/
]] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F8 EF 7F F2 CD 78 67 A8 DE 6F 8F 24 8D 88 F1 87 .....xg..o.$....
0010: 03 02 B3 EB ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 99 90 C8 2D 5F 42 8A D4 0B 66 DB 98 03 73 11 D4 ...-_B...f...s..
0010: 88 86 52 28 53 8A FB AD DF FD 73 8E 3A 67 04 DB ..R(S.....s.:g..
0020: C3 53 14 70 14 09 7C C3 E0 F8 D7 1C 98 1A A2 C4 .S.p............
0030: 3E DB E9 00 E3 CA 70 B2 F1 22 30 21 56 DB D3 AD >.....p..\"0!V...
0040: 79 5E 81 58 0B 6D 14 80 35 F5 6F 5D 1D EB 9A 47 y^.X.m..5.o]...G
0050: 05 FF 59 8D 00 B1 40 DA 90 98 96 1A BA 6C 6D 7F ..Y...@......lm.
0060: 8C F5 B3 80 DF 8C 64 73 36 96 79 79 69 74 EA BF ......ds6.yyit..
0070: F8 9E 01 8F A0 95 69 8D E9 84 BA E9 E5 D4 88 38 ......i........8
0080: DB 78 3B 98 D0 36 7B 29 B0 D2 52 18 90 DE 52 43 .x;..6.)..R...RC
0090: 00 AE 6A 27 C8 14 9E 86 95 AC E1 80 31 30 7E 9A ..j'........10..
00A0: 25 BB 8B AC 04 23 A6 99 00 E8 F1 D2 26 EC 0F 7E %....#......&...
00B0: 3B 8A 2B 92 38 13 1D 8F 86 CD 86 52 47 E6 34 7C ;.+.8......RG.4.
00C0: 5B A4 02 3E 8A 61 7C 22 76 53 5A 94 53 33 86 B8 [..>.a.\"vSZ.S3..
00D0: 92 A8 72 AF A1 F9 52 87 1F 31 A5 FC B0 81 57 2F ..r...R..1....W/
00E0: CD F4 CE DC F6 24 CF A7 E2 34 90 68 9D FE AA F1 .....$...4.h....
00F0: A9 9A 12 CC 9B C0 C6 C3 A8 A5 B0 21 7E DE 48 F6 ...........!..H.
]], UNKNOWN)
jakarta.xml.ws.WebServiceException: javax.net.ssl.SSLException: Tag mismatch!
at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(HttpClientTransport.java:181)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.createResponsePacket(HttpTransportPipe.java:227)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:218)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:131)
at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:111)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1106)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1020)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:989)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:847)
at com.sun.xml.ws.client.Stub.process(Stub.java:431)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:160)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:62)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:132)
at com.sun.proxy.$Proxy47.create(Unknown Source)
at com.helger.peppol.smlclient.ManageParticipantIdentifierServiceCaller.create(ManageParticipantIdentifierServiceCaller.java:173)
at com.helger.peppol.smlclient.ManageParticipantIdentifierServiceCaller.create(ManageParticipantIdentifierServiceCaller.java:139)
at com.sml.SMLWriter.write(SMLWriter.java:81)
at com.sml.SMLWriter.main(SMLWriter.java:50)
Caused by: javax.net.ssl.SSLException: Tag mismatch!
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:123)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1514)
at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1481)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1070)
at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:292)
at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:351)
at java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:789)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:724)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:748)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1615)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:334)
at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(HttpClientTransport.java:177)
... 18 more
Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
at java.base/com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:623)
at java.base/com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1122)
at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1059)
at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:945)
at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
at java.base/javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
at java.base/javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2497)
at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1929)
at java.base/sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:264)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:181)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
... 32 more
phax commented
Very interesting. Are you using an outbound proxy server?
It would be also interesting if you can add the output of java -version of the failed version here
AlexandruCiobanu commented
Below is the java version output for the dev machine which experiences the Tag mismatch issue
# java -version
openjdk version "11.0.20" 2023-07-18 LTS
OpenJDK Runtime Environment Corretto-11.0.20.8.1 (build 11.0.20+8-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.20.8.1 (build 11.0.20+8-LTS, mixed mode)
The prod machine does not experience it :
# java -version
openjdk version "11.0.20.1" 2023-08-22 LTS
OpenJDK Runtime Environment Corretto-11.0.20.9.1 (build 11.0.20.1+9-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.20.9.1 (build 11.0.20.1+9-LTS, mixed mode)
uhoh. There is a small diff. I will try updating java to match prod and let you know
AlexandruCiobanu commented
Updated dev machine to
]$ java -version
openjdk version "11.0.21" 2023-10-17 LTS
OpenJDK Runtime Environment Corretto-11.0.21.9.1 (build 11.0.21+9-LTS)
OpenJDK 64-Bit Server VM Corretto-11.0.21.9.1 (build 11.0.21+9-LTS, mixed mode)
This seems to have done the trick. Thank you!
phax commented
Ah excellent - thanks :) The miracles of Java version related issues....