OCSP validation in snmp4j TLSTM

Hello ,
I am looking OCSP validation during snmp4j TLSTM connection establishment .

To try this I have the revoked certificate (which has the OCSP URL in the certificate) in the TrustStores of SNMP4j Agent and Client application which connects using snmp4j API.

Have set the the system properties as below in Client and Agent.
System.setProperty(com.sun.net.ssl.checkRevocation,true);|
System.setProperty(ocsp.enable,true);

However the during the initial handshake the certificates get validated and connection gets established successfully .

Is there any configuration available to enable OCSP validation in SNMP4J ?
If not how are we supposed to do the OCSP validation ? As the snmp.send gets executed once the certificate is validated and we do not have the reference of Agent/client certificate to validate in Client/Agent .

Note:
I am running the OCSP server locally and verifying the certificate using openssl command returns the status as revoked(as expected) .

image

Can you please provide your inputs on this ?

Hi,
I have to reproduce that, maybe there is an additional configuration during the TrustManager initialization needed, but I expect that it should be fine to support Java’s standard revocation checking.
It will probably take 2 or 3 weeks until I can report back my test results here.

BTW, what SNMP4J and Java version are you using?

Best regards
Frank

Hi Frank ,
Thank you for the response.

I have tried the OCSP validation scenario with latest SNMP4J
> SNMP4J -3.5.1
> SNMP4J-agent-3.5.0
> JDK-9.0.4

Regards,
Vikas

Hi Vikas,
I suggest to try JRE 16 too, because there were a lot of changes and fixes on the TLS engine between version 9 and 16.
I will first try to reproduce it with the latest version by end of next week. The versions 15 and above have even better debugging output available.
Hope this helps anyway.
Best regards
Frank

Hi Frank ,
I tried with JDK 16 , still the behavior is same . Connection was successfully established even with revoked certificate.
Please let me know if you need any details w.r.t logs or the self signed certificate which I have used.

Regards ,
Vikas

Hi Frank,
By any chance where you able to check this ?

As per the java documentation we need to use setRevocationEnabled method on PKIXParameters setting the ocsp.enable property to "true" .
https://docs.oracle.com/javase/10/security/java-pki-programmers-guide.htm#JSSEC-GUID-E6E737DB-4000-4005-969E-BCD0238B1566

I did not find any code related to setRevocationEnabled in snmp4j .

So I tried adding it in TLSTMUtil but still the behavior was same (Connection was successful for revoked certificate )

Regards,
Vikas

I need some more days to be able to setup a unit test for this. But I think initializing the PKIXParameters class with the key store that contains the revoked certificate does not make any sense. But I need to verify this assumption reading the JDK source code - the documentation is unclear about this.

In the Oracle JDK 13 source code I found:

/**
 * Flag indicating whether to enable revocation check for the PKIX trust
 * manager. Typically, this will only work if the PKIX implementation
 * supports CRL distribution points as we do not manually setup CertStores.
 */
private static final boolean checkTLSRevocation = GetBooleanAction
        .privilegedGetProperty("com.sun.net.ssl.checkRevocation");

and in the same class PKIXValidator:

/**
 * Set J2SE global default PKIX parameters. Currently, hardcoded to disable
 * revocation checking. In the future, this should be configurable.
 */
private void setDefaultParameters(String variant) {
    if ((variant == Validator.VAR_TLS_SERVER) ||
            (variant == Validator.VAR_TLS_CLIENT)) {
        parameterTemplate.setRevocationEnabled(checkTLSRevocation);
    } else {
        parameterTemplate.setRevocationEnabled(false);
    }
}

That means, maybe it works with setting the com.sun.net.ssl.checkRevocation system property to true. But that would be a non-portable solution, of course.

Therefore I am going to implement a generic revocation check that can be enabled programmatically using the SNMP4J API.

Thank you Frank.

Would we have the support for below mentioned points in next release ?

Support for OCSP (revocation check) from SNMP4J API
Support for Bouncy castle Keystore ( Support for Bouncy castle Keystore - #5 by AGENTPP ).

Can you please let us know when can we expect(approximate) the next release to be available ?

The new release will be available latest first week of November 2021, but I hope that there no problems during implementation of the revocation support function and then it could be ready one or two weeks earlier.

1 Like

The revocation checking based on CRL file or OCSP is working for TLSTM in the latest SNMP4J 3.6.0-SNAPSHOT.

In any case, CRL/OSCP revocation checking will be disabled by default, because it consumes a lot of performance during handshake.

BTW, when revocation checking is switched on by

System.setProperty("com.sun.net.ssl.checkRevocation", "true"); 

then it seems that it cannot be switched in the same VM anymore back to “false”. Does anyone know how to work around this behaviour?

Documentation on how to enable TLS certificate revocation checking with SNMP4J 3.6.0 or later can be found here:
https://doc.snmp.app/pages/viewpage.action?pageId=83525633

Thank you Frank for the support .

I will run a test and update on this.

Can I clone the SNMP4J 3.6.0 source code ? If so please share the link to clone the same .

Regards,
Vikas

Hi Vikas,
Cloning is not (yet) possible, although I am working on a secure and mostly automated process for doing that in the near future.
Best regards
Frank

Hi Frank ,

I used SNMP4J 3.6.0 and I don’t see the certificate validation getting failed for revoked certificate(Connection establishment successful for revoked certificate)

Have set both the properties as recommended in server side as well as client side .

image

I don’t see any logs related to connection establishment to OCSP server as well .

ENV:
SNMP4J 3.6.0
Java 16

I think besides the code you quoted you need to set the PKIXRevocationChecker with TLSTM.setPKIXRevocationChecker and create such a checker like the default one available with TLSTMUtil.createDefaultPKIXRevocationChecker() because current Java version do not actually do the revocation checking unless custom revocation checkers (i.e. PKIXBuilderParameters) are used:

/**
 * Creates a default revocation checker with CRL check only (no OCSP) and check is limited to end entity only.
 * @return
 *    a simple revocation checker to be used with {@link #setPKIXRevocationChecker(PKIXRevocationChecker)}.
 * @since 3.6.0
 */
public static PKIXRevocationChecker createDefaultPKIXRevocationChecker() {
    CertPathBuilder cpb;
    try {
        cpb = CertPathBuilder.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }
    PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker)cpb.getRevocationChecker();
    // Relaxed checking - avoid OCSP because of 33% overhead on TLS connection creation:
    revocationChecker.setOptions(EnumSet.of(
            PKIXRevocationChecker.Option.PREFER_CRLS, // prefer CLR over OCSP
            PKIXRevocationChecker.Option.ONLY_END_ENTITY,
            PKIXRevocationChecker.Option.NO_FALLBACK)); // do not fall back to OCSP
    return revocationChecker;
}

Hi Frank ,
Can you please help with some sample implementation for OCSP using snmp4j ?
Some how I am ending up with same issue where the revocation check for OCSP is not happening and the connection gets established even for a revoked certificate .

Below is the procedure to where I used run the local OCS server using openssl .

#This requires the support of OpenSSL in your machine. So please install OpenSSL if it is not already installed.
An OpenSSL CA requires few files and some supporting directories to work. Follow the below commands to create that folder structure(Create the directory structure according to your openssl.cnf).

mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo ‘01’ > demoCA/serial

  1. Copy the content of the openssl.cnf into a separate file. We will be using this new file as the configuration file to create certificates, certificate signing requests and etc. Here I have renamed it as validation.cnf. Add the following line under the section [ usr_cert ].
    [ usr_cert ]
    authorityInfoAccess = OCSP;URI:http://127.0.0.1:8080

  2. Create a new stanza in validation.cnf as follows,
    [ v3_OCSP ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = OCSPSigning
    For this example, the OCSP server will be running on 127.0.0.1 on port 8080 as given in authorityInfoAccess extension.

  3. Create a private key for root CA.

openssl genrsa -out rootCA.key 1024

  1. Based on this key, generate a CA certificate which is valid for 10 years based on the root CA’ s private key.

openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt -config validation.cnf

  1. Create another private key to be used as the end user private key.

openssl genrsa -out certKey.key 1024

  1. Create an end user certificate based on the generated private key.

openssl req -new -x509 -days 3650 -key certKey.key -out certificate.crt -config validation.cnf

  1. Generate the certificate signing request(CSR) for the generated end-user certificate.

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey certKey.key

  1. Sign the client certificate, using above created CA and include CRL URLs and OCSP URLs in the certificate

openssl ca -batch -startdate 210709080000Z -enddate 250813090000Z -keyfile rootCA.key -cert rootCA.crt -policy policy_anything -config validation.cnf -notext -out certificate.crt -infiles CSR.csr

Creating the OCSP server
In order to host an OCSP server, an OCSP signing certificate has to be generated. Run following 2 commands.

openssl req -new -nodes -out ocspSigning.csr -keyout ocspSigning.key
openssl ca -keyfile rootCA.key -cert rootCA.crt -in ocspSigning.csr -out ocspSigning.crt -config “/cygdrive/c/Users/vvittala/workspace/CeritFolder/OCSP/validation.cnf”

  1. Start OCSP Server. Switch to a new terminal and run,
    openssl ocsp -index demoCA/index.txt -port 8080 -rsigner ocspSigning.crt -rkey ocspSigning.key -CA rootCA.crt -text -out log.txt &
  2. Verify Certificate Revocation. Switch to a new terminal and run
    openssl ocsp -CAfile rootCA.crt -issuer rootCA.crt -cert certificate.crt -url http://127.0.0.1:8080 -resp_text -noverify
    This will show that the certificate status is good.

Revoke a certificate
If you want to revoke the certificate run following command
openssl ca -keyfile rootCA.key -cert rootCA.crt -revoke certificate.crt
2. Then restart the OCSP server.
openssl ocsp -index demoCA/index.txt -port 8080 -rsigner ocspSigning.crt -rkey ocspSigning.key -CA rootCA.crt -text -out log.txt &
3. Verify Certificate Revocation. Switch to a new terminal and run
openssl ocsp -CAfile rootCA.crt -issuer rootCA.crt -cert certificate.crt -url http://127.0.0.1:8080 -resp_text -noverify
This will show that the certificate status as revoked.

I do not think that a JRE will accept a OCSP server without https certificate.

But that should be reported by Java in their extended java.net.ssl debug output.
Have you checked that output? What is the reason that OCSP is not recognizing the revocation?

Hi Frank ,

That’s the issue, we don’t see loggings w.r.t OCSP .

PFA the filtered javax.net.ssl logs .

Line 269: javax.net.ssl|ALL|01|main|2021-12-09 11:47:06.388 IST|SSLContextImpl.java:115|trigger seeding of SecureRandom
Line 270: javax.net.ssl|ALL|01|main|2021-12-09 11:47:06.388 IST|SSLContextImpl.java:119|done seeding of SecureRandom
Line 271: javax.net.ssl|DEBUG|01|main|2021-12-09 11:47:06.404 IST|SSLConfiguration.java:458|System property jdk.tls.server.SignatureSchemes is set to ‘null’
Line 272: javax.net.ssl|DEBUG|01|main|2021-12-09 11:47:06.435 IST|SSLConfiguration.java:458|System property jdk.tls.client.SignatureSchemes is set to ‘null’
Line 284: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.518 IST|ServerNameExtension.java:268|Unable to indicate server name
Line 285: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.518 IST|SSLExtensions.java:260|Ignore, context unavailable extension: server_name
Line 286: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.524 IST|SignatureScheme.java:384|Ignore unsupported signature scheme: ecdsa_sha224
Line 287: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.525 IST|SignatureScheme.java:384|Ignore unsupported signature scheme: rsa_sha224
Line 288: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.525 IST|SignatureScheme.java:384|Ignore unsupported signature scheme: dsa_sha224
Line 289: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.528 IST|SignatureScheme.java:403|Ignore disabled signature scheme: rsa_md5
Line 290: javax.net.ssl|INFO|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.529 IST|AlpnExtension.java:182|No available application protocols
Line 291: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.530 IST|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
Line 292: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.530 IST|SessionTicketExtension.java:408|Stateless resumption supported
Line 293: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.531 IST|SSLExtensions.java:260|Ignore, context unavailable extension: renegotiation_info
Line 294: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.546 IST|ClientHello.java:652|Produced ClientHello handshake message (
Line 346: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.548 IST|SSLEngineOutputRecord.java:510|WRITE: TLSv1.2 handshake, length = 290
Line 347: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.556 IST|SSLEngineOutputRecord.java:528|Raw write (
Line 379: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.855 IST|SSLEngineInputRecord.java:177|Raw read (
Line 470: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.856 IST|SSLEngineInputRecord.java:214|READ: TLSv1.2 handshake, length = 1367
Line 471: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.859 IST|ServerHello.java:888|Consuming ServerHello handshake message (
Line 491: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.859 IST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions
Line 492: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.859 IST|ServerHello.java:984|Negotiated protocol version: TLSv1.2
Line 493: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.860 IST|SSLExtensions.java:192|Consumed extension: renegotiation_info
Line 494: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.861 IST|SSLExtensions.java:173|Ignore unavailable extension: server_name
Line 495: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.861 IST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
Line 496: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.861 IST|SSLExtensions.java:173|Ignore unavailable extension: status_request
Line 497: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.861 IST|SSLExtensions.java:173|Ignore unavailable extension: ec_point_formats
Line 498: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.862 IST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
Line 499: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.862 IST|SSLExtensions.java:192|Consumed extension: extended_master_secret
Line 500: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.862 IST|SSLExtensions.java:192|Consumed extension: session_ticket
Line 501: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.862 IST|SSLExtensions.java:192|Consumed extension: renegotiation_info
Line 502: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.862 IST|SSLSessionImpl.java:220|Session initialized: Session(1639030626862|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
Line 503: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.862 IST|SSLExtensions.java:207|Ignore unavailable extension: server_name
Line 504: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.862 IST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
Line 505: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.863 IST|SSLExtensions.java:207|Ignore unavailable extension: status_request
Line 506: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.863 IST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats
Line 507: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.863 IST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
Line 508: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.863 IST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
Line 509: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.863 IST|SSLExtensions.java:215|Ignore impact of unsupported extension: extended_master_secret
Line 510: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.863 IST|SSLExtensions.java:215|Ignore impact of unsupported extension: session_ticket
Line 511: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.863 IST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
Line 512: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.866 IST|CertificateMessage.java:366|Consuming server Certificate handshake message (
Line 566: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.871 IST|X509TrustManagerImpl.java:301|Found trusted certificate (
Line 616: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.887 IST|ECDHServerKeyExchange.java:514|Consuming ECDH ServerKeyExchange handshake message (
Line 640: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.888 IST|CertificateRequest.java:675|Consuming CertificateRequest handshake message (
Line 647: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.890 IST|X509Authentication.java:249|No X.509 cert selected for EC
Line 648: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.890 IST|CertificateRequest.java:769|Unavailable authentication scheme: ecdsa_secp256r1_sha256
Line 649: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.890 IST|X509Authentication.java:249|No X.509 cert selected for EC
Line 650: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.890 IST|CertificateRequest.java:769|Unavailable authentication scheme: ecdsa_secp384r1_sha384
Line 651: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.891 IST|X509Authentication.java:249|No X.509 cert selected for EC
Line 652: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.891 IST|CertificateRequest.java:769|Unavailable authentication scheme: ecdsa_secp521r1_sha512
Line 653: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.891 IST|X509Authentication.java:249|No X.509 cert selected for EdDSA
Line 654: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.891 IST|CertificateRequest.java:769|Unavailable authentication scheme: ed25519
Line 655: javax.net.ssl|ALL|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.892 IST|X509Authentication.java:249|No X.509 cert selected for EdDSA
Line 656: javax.net.ssl|WARNING|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.892 IST|CertificateRequest.java:769|Unavailable authentication scheme: ed448
Line 657: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.892 IST|SunX509KeyManagerImpl.java:397|matching alias: revokedp12
Line 658: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.892 IST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
Line 661: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.894 IST|CertificateMessage.java:330|Produced client Certificate handshake message (
Line 713: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.909 IST|ECDHClientKeyExchange.java:400|Produced ECDHE ClientKeyExchange handshake message (
Line 721: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.961 IST|CertificateVerify.java:767|Produced CertificateVerify handshake message (
Line 736: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.980 IST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
Line 737: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.981 IST|Finished.java:398|Produced client Finished handshake message (
Line 744: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.983 IST|SSLEngineOutputRecord.java:510|WRITE: TLSv1.2 handshake, length = 978
Line 745: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:06.987 IST|SSLEngineOutputRecord.java:528|Raw write (
Line 812: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.014 IST|SSLEngineOutputRecord.java:510|WRITE: TLSv1.2 change_cipher_spec, length = 1
Line 813: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.014 IST|SSLEngineOutputRecord.java:528|Raw write (
Line 819: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.015 IST|SSLEngineOutputRecord.java:510|WRITE: TLSv1.2 handshake, length = 16
Line 820: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.018 IST|SSLCipher.java:1770|Plaintext before ENCRYPTION (
Line 823: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.019 IST|SSLEngineOutputRecord.java:528|Raw write (
Line 836: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.118 IST|SSLEngineInputRecord.java:177|Raw read (
Line 955: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.119 IST|SSLEngineInputRecord.java:214|READ: TLSv1.2 handshake, length = 1861
Line 956: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.146 IST|NewSessionTicket.java:678|Consuming NewSessionTicket
Line 1084: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.150 IST|SSLEngineInputRecord.java:177|Raw read (
Line 1087: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.150 IST|SSLEngineInputRecord.java:214|READ: TLSv1.2 change_cipher_spec, length = 1
Line 1088: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.152 IST|ChangeCipherSpec.java:149|Consuming ChangeCipherSpec message
Line 1092: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.156 IST|SSLEngineInputRecord.java:177|Raw read (
Line 1101: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.156 IST|SSLEngineInputRecord.java:214|READ: TLSv1.2 handshake, length = 40
Line 1102: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.157 IST|SSLCipher.java:1672|Plaintext after DECRYPTION (
Line 1105: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.158 IST|Finished.java:550|Consuming server Finished handshake message (
Line 1115: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.167 IST|SSLEngineOutputRecord.java:271|WRITE: TLSv1.2 application_data, length = 69
Line 1116: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.175 IST|SSLCipher.java:1770|Plaintext before ENCRYPTION (
Line 1123: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.175 IST|SSLEngineOutputRecord.java:287|Raw write (
Line 1139: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.254 IST|SSLEngineInputRecord.java:177|Raw read (
Line 1148: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.254 IST|SSLEngineInputRecord.java:214|READ: TLSv1.2 application_data, length = 106
Line 1149: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.254 IST|SSLCipher.java:1672|Plaintext after DECRYPTION (
Line 1175: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.266 IST|SSLEngineOutputRecord.java:271|WRITE: TLSv1.2 application_data, length = 75
Line 1176: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.267 IST|SSLCipher.java:1770|Plaintext before ENCRYPTION (
Line 1183: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.268 IST|SSLEngineOutputRecord.java:287|Raw write (
Line 1201: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.282 IST|SSLEngineInputRecord.java:177|Raw read (
Line 1210: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.282 IST|SSLEngineInputRecord.java:214|READ: TLSv1.2 application_data, length = 101
Line 1211: javax.net.ssl|DEBUG|0E|TLSTM_10.206.137.225/0|2021-12-09 11:47:07.283 IST|SSLCipher.java:1672|Plaintext after DECRYPTION (

Regards,
Vikas

I have no idea what is going wrong with your setup, except that “http” will not work as OCSP server address.