Could not establish trust relationship for the SSL/TLS secure channel with authority

Article Id: 103876

Status: Published

Updated On: 17-10-2018 15:22

Products:

CA Application Test Service Virtualization CA Continuous Application Insight (PathFinder)

Issue/Introduction:

The .Net client application is not able to connect to the HTTPS VSM deployed to VSE.
Different client applications are working fine.
The exception displayed is:

Could not establish trust relationship for the SSL/TLS secure channel with authority 'VSE Server:port'

Environment:

All supported DevTest releases.

Resolution:

By adding the SSL debug property, -Djavax.net.debug=ssl, in the VSE vmoptions file, we could verify the VSE was receiving the request and the SSL handshake looked fine.
For more information regarding the SSL handshake, please take a look at the links below:
Of SSL, Java and DevTest - https://comm.support.ca.com/kb/Of-SSL-Java-and-DevTest/KB000009925
How to collect SSL debugging information with DevTest? - https://comm.support.ca.com/kb/how-to-collect-ssl-debugging-information-with-devtest/KB000117725

After the handshake is completed, it seemed that the client application closed the connection.
We can see the following in the VSE log file:

PortServer:0.0.0.0/0.0.0.0:8000, called closeInbound()
PortServer:0.0.0.0/0.0.0.0:8000, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-43, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
PortServer:0.0.0.0/0.0.0.0:8000, SEND TLSv1 ALERT: fatal, description = internal_error

It implies that the signing authorities may not be trusted by the client end.
The root and intermediate certification authorities need to the imported in the client application.