hc-dev mailing list archives

From "Zhenua Protasevich (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1755) SNI problem when connecting to nginx
Date Wed, 13 Jul 2016 08:10:20 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15374571#comment-15374571 ]

Zhenua Protasevich commented on HTTPCLIENT-1755:
------------------------------------------------

So,

{code}
$ java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStorePassword=tmptmp -Djavax.net.ssl.trustStore=truststore5.ts -jar target/httpclienttest-1.0.jar mail.lets.by
trustStore is: truststore5.ts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Issuer:  CN=DST Root CA X3, O=Digital Signature Trust Co.
  Algorithm: RSA; Serial number: 0xa0141420000015385736a0b85eca708
  Valid from Thu Mar 17 19:40:46 MSK 2016 until Wed Mar 17 19:40:46 MSK 2021

trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1451553807 bytes = { 105, 244, 27, 87, 140, 233, 249, 95, 5, 128, 245,
115, 101, 219, 200, 209, 243, 1, 226, 244, 84, 105, 68, 43, 150, 207, 243, 13 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1,
sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1,
sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1,
sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA,
SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA,
SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 235
main, READ: TLSv1.2 Handshake, length = 89
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1451553808 bytes = { 177, 236, 117, 43, 227, 249, 170, 228, 137, 45, 79,
199, 97, 129, 68, 46, 192, 235, 66, 14, 102, 173, 131, 113, 32, 236, 119, 241 }
Session ID:  {90, 60, 132, 0, 58, 67, 62, 214, 17, 10, 61, 249, 63, 194, 84, 172, 84, 49,
158, 177, 255, 57, 253, 136, 4, 186, 75, 53, 200, 127, 65, 212}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, READ: TLSv1.2 Handshake, length = 2470
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=lets.by
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 20783009961485177170710506621297683459209779147133709805240301929863519988417165967795600086886120890077580015376128550146056475941455664327361234391889715360640500380663690718540401902985281507743861264338565773494671786315495904365037279635786432067204662175281925501671560337259811374373711157735591096522391469639894998962734294232454831121415485906820610888019794441145518663923852472257534778307922938910419873659638694812225612783033473051694557253915668561092725908871566538660691889731184979064503106745461548453619047586660263687052739899219210981680497015983219570344034493155867831865168412586160979156569
  public exponent: 65537
  Validity: [From: Mon Jul 11 22:05:00 MSK 2016,
               To: Sun Oct 09 22:05:00 MSK 2016]
  Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  SerialNumber: [    031d749b 0b28f38a 4b270590 f2fbe28d 3c23]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org/
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..http://cps.let
0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67              sencrypt.org

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 81 9E 0C 81 9B 54 68   69 73 20 43 65 72 74 69  0.....This Certi
0010: 66 69 63 61 74 65 20 6D   61 79 20 6F 6E 6C 79 20  ficate may only 
0020: 62 65 20 72 65 6C 69 65   64 20 75 70 6F 6E 20 62  be relied upon b
0030: 79 20 52 65 6C 79 69 6E   67 20 50 61 72 74 69 65  y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E   6C 79 20 69 6E 20 61 63  s and only in ac
0050: 63 6F 72 64 61 6E 63 65   20 77 69 74 68 20 74 68  cordance with th
0060: 65 20 43 65 72 74 69 66   69 63 61 74 65 20 50 6F  e Certificate Po
0070: 6C 69 63 79 20 66 6F 75   6E 64 20 61 74 20 68 74  licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65   74 73 65 6E 63 72 79 70  tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65   70 6F 73 69 74 6F 72 79  t.org/repository
00A0: 2F                                                 /

]]  ]
]

[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[7]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: lets.by
  DNSName: www.lets.by
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FF 41 64 B0 7C 15 9A 9A   59 BA AA 7C F4 1B A4 D4  .Ad.....Y.......
0010: 75 77 61 9D                                        uwa.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 6D 16 3F E4 10 C0 6D 3F   94 A9 1B BA 03 26 8C A3  m.?...m?.....&..
0010: 1C A5 FE 96 1C B4 06 8B   9A BF E0 8F 71 52 1D 0F  ............qR..
0020: A5 F7 C1 6C E1 A7 2F 28   BB D9 3B 99 FD 55 08 D1  ...l../(..;..U..
0030: AE 3E 0D 31 81 94 85 32   60 FF 69 3C BC B3 EC C3  .>.1...2`.i<....
0040: CA 9F 64 B1 1C 83 02 E5   7B CD 35 FB 25 72 AC 45  ..d.......5.%r.E
0050: 4D 43 EE D1 3A 70 DE 93   1A 30 87 BF E4 66 14 CF  MC..:p...0...f..
0060: 12 58 94 C1 BD AB 41 86   D4 F2 55 94 59 D9 67 15  .X....A...U.Y.g.
0070: 4E 03 E5 BF 53 C2 32 73   A2 59 E7 47 7E 82 89 0C  N...S.2s.Y.G....
0080: 16 B2 58 3C 4B A6 51 12   FD 27 5F 0F 14 52 C7 27  ..X<K.Q..'_..R.'
0090: 18 A9 A8 0F 12 78 72 34   77 35 FF 8A EB 3D F1 0F  .....xr4w5...=..
00A0: 2F 14 64 64 8D 64 23 B2   63 78 F7 A6 D8 CF 31 2A  /.dd.d#.cx....1*
00B0: 49 8D 38 FA E2 F4 93 FD   32 F4 D4 9D B3 CC E0 20  I.8.....2...... 
00C0: DC 97 CA 51 49 4F EB 45   6C 48 50 13 B3 FF 83 44  ...QIO.ElHP....D
00D0: 13 B6 3B 44 CD A9 EF 4A   AF F1 E2 38 EE 5E B3 ED  ..;D...J...8.^..
00E0: FD 3B 2F 9C DD 5C 24 4C   7B CF AD 0A 01 7F ED FC  .;/..\$L........
00F0: 5C E4 EA 24 4B CC DF A7   4F 6B 7B FB 48 B0 5F 41  \..$K...Ok..H._A

]
chain [1] = [
[
  Version: V3
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 19797248476075437682355852246492227182925025209894527646389863306257272162327717438476096960751529894413137923782807258828237626757946953550223743258656059351948211427799114263948499232121738590221774214131983890556391436336270214266656447169277800971416884432628642288505627878176138101439755752196484972290641499489076846352390454201028735981960275647482014359370041238010607728611828345534572152635280172155598035959878659370929022966413402097129857505568509453268467065766156311136296802046438183697980908977865999500405760226706893415483460747503705792669060406182022181441316967415301631965711690685520847684499
  public exponent: 65537
  Validity: [From: Thu Mar 17 19:40:46 MSK 2016,
               To: Wed Mar 17 19:40:46 MSK 2021]
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  SerialNumber: [    0a014142 00000153 85736a0b 85eca708]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 22 68 74 74 70 3A 2F   2F 63 70 73 2E 72 6F 6F  ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74   73 65 6E 63 72 79 70 74  t-x1.letsencrypt
0020: 2E 6F 72 67                                        .org

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: DD 33 D7 11 F3 63 58 38   DD 18 15 FB 09 55 BE 76  .3...cX8.....U.v
0010: 56 B9 70 48 A5 69 47 27   7B C2 24 08 92 F1 5A 1F  V.pH.iG'..$...Z.
0020: 4A 12 29 37 24 74 51 1C   62 68 B8 CD 95 70 67 E5  J.)7$tQ.bh...pg.
0030: F7 A4 BC 4E 28 51 CD 9B   E8 AE 87 9D EA D8 BA 5A  ...N(Q.........Z
0040: A1 01 9A DC F0 DD 6A 1D   6A D8 3E 57 23 9E A6 1E  ......j.j.>W#...
0050: 04 62 9A FF D7 05 CA B7   1F 3F C0 0A 48 BC 94 B0  .b.......?..H...
0060: B6 65 62 E0 C1 54 E5 A3   2A AD 20 C4 E9 E6 BB DC  .eb..T..*. .....
0070: C8 F6 B5 C3 32 A3 98 CC   77 A8 E6 79 65 07 2B CB  ....2...w..ye.+.
0080: 28 FE 3A 16 52 81 CE 52   0C 2E 5F 83 E8 D5 06 33  (.:.R..R.._....3
0090: FB 77 6C CE 40 EA 32 9E   1F 92 5C 41 C1 74 6C 5B  .wl.@.2...\A.tl[
00A0: 5D 0A 5F 33 CC 4D 9F AC   38 F0 2F 7B 2C 62 9D D9  ]._3.M..8./.,b..
00B0: A3 91 6F 25 1B 2F 90 B1   19 46 3D F6 7E 1B A6 7A  ..o%./...F=....z
00C0: 87 B9 A3 7A 6D 18 FA 25   A5 91 87 15 E0 F2 16 2F  ...zm..%......./
00D0: 58 B0 06 2F 2C 68 26 C6   4B 98 CD DA 9F 0C F9 7F  X../,h&.K.......
00E0: 90 ED 43 4A 12 44 4E 6F   73 7A 28 EA A4 AA 6E 7B  ..CJ.DNosz(...n.
00F0: 4C 7D 87 DD E0 C9 02 44   A7 87 AF C3 34 5B B4 42  L......D....4[.B

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 19797248476075437682355852246492227182925025209894527646389863306257272162327717438476096960751529894413137923782807258828237626757946953550223743258656059351948211427799114263948499232121738590221774214131983890556391436336270214266656447169277800971416884432628642288505627878176138101439755752196484972290641499489076846352390454201028735981960275647482014359370041238010607728611828345534572152635280172155598035959878659370929022966413402097129857505568509453268467065766156311136296802046438183697980908977865999500405760226706893415483460747503705792669060406182022181441316967415301631965711690685520847684499
  public exponent: 65537
  Validity: [From: Thu Mar 17 19:40:46 MSK 2016,
               To: Wed Mar 17 19:40:46 MSK 2021]
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  SerialNumber: [    0a014142 00000153 85736a0b 85eca708]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 22 68 74 74 70 3A 2F   2F 63 70 73 2E 72 6F 6F  ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74   73 65 6E 63 72 79 70 74  t-x1.letsencrypt
0020: 2E 6F 72 67                                        .org

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: DD 33 D7 11 F3 63 58 38   DD 18 15 FB 09 55 BE 76  .3...cX8.....U.v
0010: 56 B9 70 48 A5 69 47 27   7B C2 24 08 92 F1 5A 1F  V.pH.iG'..$...Z.
0020: 4A 12 29 37 24 74 51 1C   62 68 B8 CD 95 70 67 E5  J.)7$tQ.bh...pg.
0030: F7 A4 BC 4E 28 51 CD 9B   E8 AE 87 9D EA D8 BA 5A  ...N(Q.........Z
0040: A1 01 9A DC F0 DD 6A 1D   6A D8 3E 57 23 9E A6 1E  ......j.j.>W#...
0050: 04 62 9A FF D7 05 CA B7   1F 3F C0 0A 48 BC 94 B0  .b.......?..H...
0060: B6 65 62 E0 C1 54 E5 A3   2A AD 20 C4 E9 E6 BB DC  .eb..T..*. .....
0070: C8 F6 B5 C3 32 A3 98 CC   77 A8 E6 79 65 07 2B CB  ....2...w..ye.+.
0080: 28 FE 3A 16 52 81 CE 52   0C 2E 5F 83 E8 D5 06 33  (.:.R..R.._....3
0090: FB 77 6C CE 40 EA 32 9E   1F 92 5C 41 C1 74 6C 5B  .wl.@.2...\A.tl[
00A0: 5D 0A 5F 33 CC 4D 9F AC   38 F0 2F 7B 2C 62 9D D9  ]._3.M..8./.,b..
00B0: A3 91 6F 25 1B 2F 90 B1   19 46 3D F6 7E 1B A6 7A  ..o%./...F=....z
00C0: 87 B9 A3 7A 6D 18 FA 25   A5 91 87 15 E0 F2 16 2F  ...zm..%......./
00D0: 58 B0 06 2F 2C 68 26 C6   4B 98 CD DA 9F 0C F9 7F  X../,h&.K.......
00E0: 90 ED 43 4A 12 44 4E 6F   73 7A 28 EA A4 AA 6E 7B  ..CJ.DNosz(...n.
00F0: 4C 7D 87 DD E0 C9 02 44   A7 87 AF C3 34 5B B4 42  L......D....4[.B

]
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 77163766975699340803130404757460160701910836844720632649573046889351170335745
  public y coord: 50920701878508358601042260478698731068740060139884881369139865111276453161320
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 10, 219, 202, 167, 58, 255, 242, 120, 167, 133, 241, 153, 252, 21,
202, 26, 162, 69, 216, 132, 74, 35, 141, 36, 69, 131, 181, 156, 192, 242, 176, 153, 84, 45,
158, 207, 210, 90, 11, 240, 79, 247, 70, 202, 216, 79, 80, 200, 84, 158, 13, 119, 15, 145,
178, 12, 21, 20, 16, 190, 67, 12, 168, 193 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 66 97 DE 7F 58 5F 4E BB   BE C2 8C 7A 7B 46 BC F6  f...X_N....z.F..
0010: 62 B3 28 EC 43 52 B5 87   14 43 8D EF 96 71 E9 5C  b.(.CR...C...q.\
CONNECTION KEYGEN:
Client Nonce:
0000: 57 85 F4 0F 69 F4 1B 57   8C E9 F9 5F 05 80 F5 73  W...i..W..._...s
0010: 65 DB C8 D1 F3 01 E2 F4   54 69 44 2B 96 CF F3 0D  e.......TiD+....
Server Nonce:
0000: 57 85 F4 10 B1 EC 75 2B   E3 F9 AA E4 89 2D 4F C7  W.....u+.....-O.
0010: 61 81 44 2E C0 EB 42 0E   66 AD 83 71 20 EC 77 F1  a.D...B.f..q .w.
Master Secret:
0000: D0 7C 8B DC 17 F4 FA 8F   ED A5 5A 51 7C 0C 1A 83  ..........ZQ....
0010: 0A B7 F3 D2 1B A1 2E 09   64 75 31 26 E7 B2 D0 22  ........du1&..."
0020: DF C3 3A A1 EF 98 4F FE   4A 6F A3 63 61 68 52 7D  ..:...O.Jo.cahR.
... no MAC keys used for this cipher
Client write key:
0000: A0 6A 7B DF 61 C2 A7 AD   A2 0A E5 92 40 72 38 C3  .j..a.......@r8.
0010: 40 5D 36 BF 9D 39 9B E9   BD 87 07 86 7A 5C 06 99  @]6..9......z\..
Server write key:
0000: D7 BB 6C E5 40 55 21 91   AE 20 37 AF DD 10 F8 33  ..l.@U!.. 7....3
0010: E6 E0 CB 4D CE 76 D3 00   2B AC 54 4C 1D D2 64 3E  ...M.v..+.TL..d>
Client write IV:
0000: 43 E6 02 2B                                        C..+
Server write IV:
0000: E9 51 B0 E0                                        .Q..
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 193, 102, 229, 230, 94, 16, 63, 213, 69, 233, 72, 12 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data:  { 187, 143, 98, 101, 187, 34, 197, 185, 41, 170, 85, 22 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 26
main, called closeSocket(true)
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLException: Certificate for <mail.lets.by> doesn't match any of the
subject alternative names: [lets.by, www.lets.by]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165)
	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
	at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at com.atlassianlabs.sslclient.Main.main(Main.java:57)
Exception in thread "main" java.lang.RuntimeException: javax.net.ssl.SSLException: Certificate
for <mail.lets.by> doesn't match any of the subject alternative names: [lets.by, www.lets.by]
	at com.atlassianlabs.sslclient.Main.main(Main.java:62)
Caused by: javax.net.ssl.SSLException: Certificate for <mail.lets.by> doesn't match
any of the subject alternative names: [lets.by, www.lets.by]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165)
	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
	at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at com.atlassianlabs.sslclient.Main.main(Main.java:57)
{code}


While we expect data from the host *mail.lets.by*, we get data from *lets.by* (lets.by is the *default* host on the server. A connection without SNI, or directly over IP, opens the default host).

{code}
Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=lets.by
{code}

But we expect data from the host *mail.lets.by*.

We get an error:
{code}
Caused by: javax.net.ssl.SSLException: Certificate for <mail.lets.by> doesn't match any of the subject alternative names: [lets.by, www.lets.by]
{code}

In order to ensure that the certificates are installed correctly:
{code}
$ openssl s_client -showcerts -connect mail.lets.by:443 -servername mail.lets.by </dev/null
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mail.lets.by
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=mail.lets.by
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3152 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ...
    Session-ID-ctx: 
    Master-Key: ...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 900 (seconds)
    TLS session ticket: ...
    Start Time: 1468397094
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
{code}

And without "-servername":
{code}
$ openssl s_client -showcerts -connect mail.lets.by:443  </dev/null
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=lets.by
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=lets.by
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3135 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E95CA6A82D0BC7E850E621BFDD02D51A292BDB81C345FF18C2045B9CC2BEE7FA
    Session-ID-ctx: 
    Master-Key: D851E65E6E71BE4E6A8368EC5AC896FBC0BC03A1BECF16C236CF1799606ABE9699D24DC8D93BE0960D3FFFB6963DB84B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 900 (seconds)
    TLS session ticket:
    0000 - cf 6c 75 ab 6c 6f 97 da-2f 75 c0 ed 93 a1 aa 0d   .lu.lo../u......
    0010 - 35 c2 7f 07 59 ab ae fd-1e 3b 09 b7 f5 5f df f3   5...Y....;..._..
    0020 - 87 8a 28 fa 05 b8 d0 f7-0c ce f0 14 f9 a6 e1 14   ..(.............
    0030 - b0 8a 5e 7d 38 a4 49 90-88 ec 73 22 72 c3 2c 0a   ..^}8.I...s"r.,.
    0040 - 0c 90 39 78 46 46 a4 b3-98 ef a8 c3 c4 c8 04 d4   ..9xFF..........
    0050 - 26 da d2 eb d7 6f c5 ab-7c 02 95 9e 01 f5 16 f8   &....o..|.......
    0060 - 54 33 96 6f 92 e2 7e f3-bd 4c 7c 27 3d 34 25 51   T3.o..~..L|'=4%Q
    0070 - 1e 34 1e 21 a9 61 3e 40-4a e3 a6 39 c8 ed ab 23   .4.!.a>@J..9...#
    0080 - 28 59 5c 84 cd 95 a8 79-be 64 2a c4 7e 9a 34 32   (Y\....y.d*.~.42
    0090 - 90 05 7c 5e c9 0f eb 44-20 75 48 65 53 8f 2f 0d   ..|^...D uHeS./.
    00a0 - 75 28 87 48 18 66 86 75-82 f5 b3 e5 3c df c5 ad   u(.H.f.u....<...

    Start Time: 1468397202
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
{code}

The truststore contains only 1 certificate: Let’s Encrypt Authority X3 (IdenTrust cross-signed)
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem | https://letsencrypt.org/certificates/
{code}
wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
keytool -import -file lets-encrypt-x3-cross-signed.pem -alias letsencrypt -keystore truststore5.ts -storepass tmptmp
{code}

> SNI problem when connecting to nginx
> ------------------------------------
>
>                 Key: HTTPCLIENT-1755
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1755
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.5.2
>         Environment: ORACLE JDK 8u91
> httpclient 4.5.2
>            Reporter: Zhenua Protasevich
>            Priority: Minor
>
> Using this code causes problems when connecting to an nginx server.
> I tried several nginx and Apache servers. This is relevant only for nginx.
> While using this code, when a connection is established to the nginx server, we get not the requested host but a standard server host.
> SNI in this case does not work correctly.
> {code:java}
> HttpClient client = new DefaultHttpClient();
> HttpGet request = new HttpGet("https://" + args[0]);
> HttpResponse response = null;
> try
> {
>     response = client.execute(request);
> }
> catch (IOException e)
> {
>     e.printStackTrace();
>     throw new RuntimeException(e);
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
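
Added example (not part of the original message and not HttpClient code): a Python triage script for `-Djavax.net.debug=ssl` output like the trace in the comment above. It reports whether the ClientHello carried a `server_name` extension and whether the requested host is covered by the leaf certificate's SAN list. The sample traces are constructed (abridged from the message), and the `Extension server_name, ...` line format is assumed to be the one JDK 8 prints.

```python
import re

# Constructed sample, abridged from the javax.net.debug trace in the message.
TRACE_NO_SNI = """\
*** ClientHello, TLSv1.2
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA256withRSA
***
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
***
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=lets.by
SubjectAlternativeName [
  DNSName: lets.by
  DNSName: www.lets.by
]
chain [1] = [
[
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
***
"""

# Constructed counterpart: the same handshake with SNI sent and the matching
# vhost certificate returned (server_name line format is an assumption).
TRACE_WITH_SNI = (
    TRACE_NO_SNI
    .replace("Extension elliptic_curves",
             "Extension server_name, server_name: "
             "[type=host_name (0), value=mail.lets.by]\n"
             "Extension elliptic_curves", 1)
    .replace("Subject: CN=lets.by", "Subject: CN=mail.lets.by")
    .replace("  DNSName: lets.by\n  DNSName: www.lets.by\n",
             "  DNSName: mail.lets.by\n")
)


def _block(lines, starts, ends):
    """Lines after the first line where starts(line) is true, up to ends(line)."""
    out, inside = [], False
    for line in lines:
        if not inside:
            inside = starts(line)
            continue
        if ends(line):
            break
        out.append(line)
    return out


def client_hello_extensions(trace):
    """Map extension name -> rest of line for the first ClientHello."""
    body = _block(trace.splitlines(),
                  lambda l: l.startswith("*** ClientHello"),
                  lambda l: l.strip() == "***")
    exts = {}
    for line in body:
        m = re.match(r"Extension (\w+),\s*(.*)", line)
        if m:
            exts[m.group(1)] = m.group(2)
    return exts


def leaf_certificate(trace):
    """Return (subject, [SAN DNS names]) of chain [0]."""
    body = _block(trace.splitlines(),
                  lambda l: l.startswith("chain [0]"),
                  lambda l: l.startswith("chain [1]") or l.strip() == "***")
    subject = next((l.split("Subject:", 1)[1].strip() for l in body
                    if l.strip().startswith("Subject:")), None)
    sans = [l.split("DNSName:", 1)[1].strip() for l in body if "DNSName:" in l]
    return subject, sans


def san_matches(host, sans):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host = host.lower()
    for name in (s.lower() for s in sans):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def diagnose(trace, requested_host):
    """Classify a handshake: 'ok', 'missing-sni' or 'cert-mismatch'."""
    sni = re.findall(r"value=([^\]\s,]+)",
                     client_hello_extensions(trace).get("server_name", ""))
    subject, sans = leaf_certificate(trace)
    if san_matches(requested_host, sans):
        verdict = "ok"
    elif not sni:
        verdict = "missing-sni"    # server probably served its default vhost
    else:
        verdict = "cert-mismatch"  # SNI was sent; look at the server side
    return {"sni_sent": bool(sni), "sni_names": sni, "leaf_subject": subject,
            "leaf_sans": sans, "verdict": verdict}
```

A `missing-sni` verdict points at the client side of the connection, while `cert-mismatch` points at the server's virtual-host or certificate configuration.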

