Added the option.
I am getting the below message in catalina:
%% Initialized: [Session-3, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Thread-101, READ: TLSv1.2 Handshake, length = 958
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=mid.com, OU=Data , O=company, L=XX, ST=XX, C=GB
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 24039292375563925702638477649504069454882919310652819892508280365692557099285203368736320010515095860379860530863387424108827763907550759
public exponent: 65537
Validity: [From: Tue Mar 04 12:45:23 GMT 2025,
To: Wed Mar 07 12:45:23 GMT 2026]
Issuer: CN=mid.com, OU=Data, O=company, L=XX, ST=XX, C=GB
SerialNumber: [ b53e1c3e2 2af44883e]
]
Algorithm: [SHA256withRSA]
Signature:
]
***
%% Invalidated: [Session-3, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
Thread-101, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
Thread-101, WRITE: TLSv1.2 Alert, length = 2
Thread-101, called closeSocket()
Thread-101, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Thread-101, called close()
Thread-101, called closeInternal(true)
Thread-101, called close()
Thread-101, called closeInternal(true)
Thread-101, called close()
Thread-101, called closeInternal(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/opt/sas/config/Lev1/Web/WebAppServer/SASServer1_1/lib/slf4j-log4j12.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/sas/home/SASVersionedJarRepository/eclipse/plugins/slf4j_1.5.10.0_SAS_20121211183229/slf4j-log4j12.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Thread-101, setSoTimeout(3500) called
Thread-101, setSoTimeout(3500) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1724318512 bytes = { 146, 184, 245, 149, 42, 192, 34, 12, 57, 25, 229, 64, 168, 175, 50, 141, 66, 230, 222, 100, 194, 248, 213, 143, 127, 55, 7, 78 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=mid.com]
***
Thread-101, WRITE: TLSv1.2 Handshake, length = 248
Thread-101, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1555134129 bytes = { 168, 245, 86, 187, 241, 172, 117, 87, 11, 166, 10, 250, 169, 84, 49, 142, 202, 107, 245, 24, 26, 132, 10, 68, 159, 85, 116, 238 }
Session ID: {208, 95, 134, 156, 127, 39, 87, 54, 14, 245, 99, 7, 25, 33, 121, 66, 121, 93, 183, 254, 105, 51, 140, 124, 123, 40, 148, 97, 202, 146, 97, 141}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension server_name, server_name:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
And I couldn't find our truststore certs, but I can see the below:
trustStore is: /opt/sas/home/SASPrivateJavaRuntimeEnvironment/9.4/jre/lib/security/jssecacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK
Issuer: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK
Algorithm: RSA; Serial number: 0x3e8
Valid from Thu May 15 06:13:14 BST 2003 until Mon May 15 05:52:29 BST 2023
adding as trusted cert:
Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
Algorithm: RSA; Serial number: 0xcf08e5c0816a5ad427ff0eb271859d0
Valid from Tue Nov 07 19:31:18 GMT 2006 until Mon Dec 31 19:40:55 GMT 2029
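As an added example (not part of the original post, and not SAS or JDK code), this Python script pulls the triage-relevant facts out of `javax.net.debug` output like the log above: the truststore path in use, the fatal alert, the validator's stated reason, and two name-only checks on the peer chain. The function names and the abridged sample are constructed for illustration; the checks compare DNs only, verify no signature, and see only the truststore entries present in the log text passed in.

```python
# Constructed, abridged sample in the javax.net.debug format quoted above.
SAMPLE = """\
trustStore is: /opt/sas/home/SASPrivateJavaRuntimeEnvironment/9.4/jre/lib/security/jssecacerts
adding as trusted cert:
  Subject: CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK
adding as trusted cert:
  Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
*** Certificate chain
chain [0] = [
  Subject: CN=mid.com, OU=Data , O=company, L=XX, ST=XX, C=GB
  Issuer: CN=mid.com, OU=Data, O=company, L=XX, ST=XX, C=GB
***
Thread-101, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
Thread-101, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
"""

def norm_dn(dn):
    """Normalise a DN for comparison: trim each RDN and lowercase it."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def triage(log):
    """Summarise why the JSSE client rejected the peer certificate."""
    out = {"truststore": None, "trusted": set(), "chain": [], "alert": None, "reason": None}
    section = subject = None
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("trustStore is:"):
            out["truststore"] = s.split(":", 1)[1].strip()
        elif s == "adding as trusted cert:":
            section = "trusted"
        elif s.startswith("chain ["):
            section = "chain"
        elif s.startswith("Subject:"):
            subject = norm_dn(s.split(":", 1)[1])
            if section == "trusted":
                out["trusted"].add(subject)
        elif s.startswith("Issuer:") and section == "chain":
            out["chain"].append((subject, norm_dn(s.split(":", 1)[1])))
        elif "ALERT:" in s and "description =" in s:
            out["alert"] = s.rsplit("=", 1)[1].strip()
        elif "handling exception:" in s:
            out["reason"] = s.rsplit(": ", 1)[1]
    # Name-only checks: they compare DNs and do not verify any signature.
    out["self_issued"] = any(sub == iss for sub, iss in out["chain"])
    out["issuer_in_truststore"] = any(iss in out["trusted"] for _, iss in out["chain"])
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To use it on a real log, pass the full text of the debug output to `triage()` so that every `adding as trusted cert:` entry is included.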