sslv3 alert certificate unknown in SSL_accept() -> fail
Henrique de Moraes Holschuh
hmh at debian.org
Sun May 21 11:01:02 EDT 2017
On Sun, 21 May 2017, Anton via Info-cyrus wrote:
> Problem looks like Java app cannot validate new cert. Check ssl_store
> for your Java based mail gate. Are there CA and Intermediate SSL
> Certificates for your new 256ssl cert in mail gate ssl store?

Some Java versions can take https stapling *really* seriously.

You could check if the OCSP URL, and any other URLs inside the
certificate itself are all https...

This is known to be an issue at least on Debian openjdk-7 v121 and
later, and it was rather annoying to track down. I have personally
observed it happen only to IcedTea (old-style browser plugin to run Java
applets), which would refuse to run a signed applet received over https
if the applet-signing certificate has an http OCSP URI, but still...
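
One way to run the check suggested in the message above, as an added example that is not part of the original post: it lists every URL embedded in a certificate (OCSP, CA Issuers, CPS, CRL) and reports the ones that are not https. The function names and the sample text are constructed for illustration; the input is the text form printed by `openssl x509 -noout -text`.

```shell
#!/bin/sh
# Added example. Reads the text printed by `openssl x509 -noout -text`
# on stdin and prints one "kind<TAB>scheme<TAB>url" line per embedded URL.
cert_urls() {
    awk '
        /Authority Information Access/ { section = "AIA";    next }
        /CRL Distribution Points/      { section = "CRL";    next }
        /Certificate Policies/         { section = "POLICY"; next }
        /X509v3 |Signature Algorithm/  { section = "";       next }
        {
            url = ""
            if ((i = index($0, "URI:")) > 0)       url = substr($0, i + 4)
            else if ((i = index($0, "CPS: ")) > 0) url = substr($0, i + 5)
            sub(/[ \t\r]+$/, "", url)
            if (url == "") next
            kind = (section == "") ? "OTHER" : section
            if (section == "AIA") {   # keep the access method: OCSP, CA Issuers
                kind = $0
                sub(/ - URI:.*/, "", kind)
                sub(/^[ \t]+/, "", kind)
            }
            scheme = url
            sub(/:.*/, "", scheme)
            printf "%s\t%s\t%s\n", kind, tolower(scheme), url
        }'
}

# Only the URLs whose scheme is not https.
non_https_urls() {
    cert_urls | awk -F "\t" '$2 != "https"'
}

# Constructed sample (hypothetical CA host names), shaped like openssl output.
sample_cert_text() {
cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Authority Information Access: 
                OCSP - URI:http://ocsp.ca.example
                CA Issuers - URI:https://certs.ca.example/intermediate.crt
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                  CPS: https://www.ca.example/cps
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.ca.example/intermediate.crl
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
# Real use (cert.pem is a placeholder path):
#   openssl x509 -noout -text -in cert.pem | non_https_urls
sample_cert_text | non_https_urls
```

On the constructed sample this reports the OCSP and CRL entries, which are the two http URLs.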