sslv3 alert certificate unknown in SSL_accept() -> fail

Henrique de Moraes Holschuh hmh at debian.org
Sun May 21 11:01:02 EDT 2017


On Sun, 21 May 2017, Anton via Info-cyrus wrote:
> Problem looks like java app cannot validate new cert. Check ssl_store
> for your java based mail gate. Are there CA and Intermediate SSL
> Certificates for your new 256ssl cert in mail gate ssl store?

Some java versions can take https stapling *really* seriously.

You could check if the OCSP URL, and any other URLs inside the
certificate itself are all https...

This is known to be an issue at least on Debian openjdk-7 v121 and
later, and it was rather annoying to track down.  I have personally
observed it happen only to IcedTea (old-style browser plugin to run java
applets), which would refuse to run a signed applet received over https
if the applet-signing certificate has an http OCSP URI, but still...

-- 
  Henrique Holschuh


More information about the Info-cyrus mailing list