ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Could not establish trust relationship for the SSL/TLS secure channel with authority
Article ID: 103876
Updated On:
Products
CA Application Test
CA Continuous Application Insight (PathFinder)
Issue/Introduction
The .Net client application is not able to connect to the HTTPS VSM deployed to VSE.
Different client applications are working fine.
The exception displayed is:
Different client applications are working fine.
The exception displayed is:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'VSE Server:port'
Environment
All supported DevTest releases.
Resolution
By adding the SSL debug property, -Djavax.net.debug=ssl, in the VSE vmoptions file, we could verify the VSE was receiving the request and the SSL handshake looked fine.
For more information regarding the SSL handshake, please take a look at the links below:
Of SSL, Java and DevTest - https://comm.support.ca.com/kb/Of-SSL-Java-and-DevTest/KB000009925
How to collect SSL debugging information with DevTest? - https://comm.support.ca.com/kb/how-to-collect-ssl-debugging-information-with-devtest/KB000117725
After the handshake is completed, it seemed that the client application closed the connection.
We can see the following in the VSE log file:
It implies that the signing authorities may not be trusted by the client end.
The root and intermediate certification authorities need to the imported in the client application.
For more information regarding the SSL handshake, please take a look at the links below:
Of SSL, Java and DevTest - https://comm.support.ca.com/kb/Of-SSL-Java-and-DevTest/KB000009925
How to collect SSL debugging information with DevTest? - https://comm.support.ca.com/kb/how-to-collect-ssl-debugging-information-with-devtest/KB000117725
After the handshake is completed, it seemed that the client application closed the connection.
We can see the following in the VSE log file:
PortServer:0.0.0.0/0.0.0.0:8000, called closeInbound()
PortServer:0.0.0.0/0.0.0.0:8000, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-43, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
PortServer:0.0.0.0/0.0.0.0:8000, SEND TLSv1 ALERT: fatal, description = internal_error
PortServer:0.0.0.0/0.0.0.0:8000, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-43, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
PortServer:0.0.0.0/0.0.0.0:8000, SEND TLSv1 ALERT: fatal, description = internal_error
It implies that the signing authorities may not be trusted by the client end.
The root and intermediate certification authorities need to the imported in the client application.
Feedback
Yes
No
Powered by
