jdk.certpath.disabledAlgorithms = SHA1 jdkCA & usage TLSClient

certpath: Constraints: SSLv3
certpath: Constraints: RC4
certpath: Constraints: MD5withRSA
certpath: Constraints: DH keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: EC keySize < 224
certpath: Constraints set to keySize: keySize < 224
certpath: Constraints: SHA1 jdkCA & usage TLSClient
certpath: Constraints set to jdkCA.
certpath: Constraints usage length is 1
Client: connected
certpath: Constraints: SHA1 jdkCA & usage TLSClient
certpath: Constraints set to jdkCA.
certpath: Constraints usage length is 1
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: ad3dccd188246216
  Issuer: CN=Test CA, OU=Test Unit, O=Test Org, L=Unknown City, ST=Some State, C=UN
  Subject: CN=Test CA, OU=Test Unit, O=Test Org, L=Unknown City, ST=Some State, C=UN)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Test CA, OU=Test Unit, O=Test Org, L=Unknown City, ST=Some State, C=UN
certpath: AlgorithmChecker.contains: SHA1withRSA
certpath: AnchorCertificate.contains: matched CN=Test CA, OU=Test Unit, O=Test Org, L=Unknown City, ST=Some State, C=UN
certpath: trustedMatch = true
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=Test Intermediate, OU=Test Unit, O=Test Org, L=Unknown City, ST=Some State, C=UN
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA1withRSA Variant: tls server
certpath: jdkCAConstraints.permits(): SHA1
certpath: Checking if usage constraint "tls client" matches "tls server"
certpath: java.lang.Exception
	at java.base/sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(DisabledAlgorithmConstraints.java:681)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraint.next(DisabledAlgorithmConstraints.java:481)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$jdkCAConstraint.permits(DisabledAlgorithmConstraints.java:539)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:384)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:158)
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:332)
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:231)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:349)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:245)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1825)
	at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1655)
	at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:260)
	at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1086)
	at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1020)
	at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
	at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
	at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
	at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
	at java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
	at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
	at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
	at SSLClient.main(SSLClient.java:25)
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Fri Mar 10 11:32:31 CST 2017...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Test CA, OU=Test Unit, O=Test Org, L=Unknown City, ST=Some State, C=UN; subject: CN=Test Intermediate, OU=Test Unit, O=Test Org, L=Unknown City, ST=Some State, C=UN; serial#: 15960013863811188877
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA1withRSA Variant: tls server
certpath: jdkCAConstraints.permits(): SHA1
certpath: -checker7 validation succeeded
certpath: cert1 validation succeeded.
certpath: Cert path validation succeeded. (PKIX validation algorithm)
certpath: --------------------------------------------------------------
certpath: KeySizeConstraints.permits(): EC
Client: finished