sslv3 alert certificate unknown in SSL_accept() -> fail

Henrique de Moraes Holschuh hmh at
Sun May 21 11:01:02 EDT 2017

On Sun, 21 May 2017, Anton via Info-cyrus wrote:
> Problem looks like java app cannot validate new cert. Check ssl_store
> for your java based mail gate. Are there CA and Intermediate SSL
> Certificates for your new 256ssl cert in mail gate ssl store?

Some java versions can take https stapling *really* seriously.

You could check if the OCSP URL, and any other URLs inside the
certificate itself are all https...

This is known to be an issue at least on Debian openjdk-7 v121 and
later, and it was rather annoying to track down.  I have personally
observed it happen only to IcedTea (old-style browser plugin to run java
applets), which would refuse to run a signed applet received over https
if the applet-signing certificate has an http OCSP URI, but still...

  Henrique Holschuh

More information about the Info-cyrus mailing list