What is the reason for this issue org.bouncycastle.tls.TlsFatalAlert

What is the reason for this issue org.bouncycastle.tls.TlsFatalAlert, Client raised fatal(2) certificate_unknown(46) alert: Failed to read record org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)?

Provider: SecureRandom.null algorithm from: BCFIPS_RNG
Mon Mar 28 16:44:00.330 IST 2022 [main] [o.b.jsse.provider.ProvTlsClient: INFO ] - Client raised fatal(2) certificate_unknown(46) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
    at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.checkServerTrusted(ProvSSLSocketDirect.java:135)
    at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:360)


Solution 1:

According to the source code, it is likely that you are not using a trusted CA certificate (or at least, your client program doesn't trust it). https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java#L135 shows the trust store check failing.

This guide (and many others on sf) shows how to register a trust store with your client SSL context: https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf

import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Basic SSL Client - using the '!' protocol.
 * Utils and Protocol are helper classes from the guide's example (not shown here).
 */
public class TLSClientExample
{
    public static void main(String[] args)
        throws Exception
    {
        Security.addProvider(new BouncyCastleFipsProvider()); // or use regular BC if not doing FIPS.
        Security.addProvider(new BouncyCastleJsseProvider());

        // Ask the BCJSSE provider for the TLS context and the PKIX trust manager.
        SSLContext sslContext = SSLContext.getInstance("TLS", "BCJSSE");
        TrustManagerFactory trustMgrFact = TrustManagerFactory.getInstance("PKIX", "BCJSSE");

        // A Java keystore containing the X509 root CA certificate. Without it the server
        // chain cannot be validated and the client raises certificate_unknown(46).
        trustMgrFact.init(Utils.createServerTrustStore());
        sslContext.init(null, trustMgrFact.getTrustManagers(), null);

        SSLSocketFactory fact = sslContext.getSocketFactory();
        SSLSocket cSock = (SSLSocket)fact.createSocket(Utils.HOST, Utils.PORT_NO);

        Protocol.doClientSide(cSock);
    }
}
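A self-contained version of the same fix, added here and not part of Hightower's answer or the BC guide: it builds the trust store directly from a CA certificate file instead of the guide's Utils helper, so the trust decision is explicit, and it turns on host name checking as well. The FIPS provider, the CA file path and the host/port arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.*;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class TrustStoreClient {
    // Build an in-memory trust store holding only the CA certificate(s) in the given PEM/DER file.
    static KeyStore trustStoreFromCaFile(String caPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // start from an empty store
        try (InputStream in = new FileInputStream(caPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ts.setCertificateEntry("ca-" + (i++), c);
            }
        }
        return ts;
    }
    // Wire the trust store into a BCJSSE context through the PKIX trust manager.
    static SSLContext contextTrusting(KeyStore ts) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "BCJSSE");
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Usage (assumed arguments): TrustStoreClient <ca.pem> <host> <port>
        Security.addProvider(new BouncyCastleFipsProvider()); // plain BC provider if not running FIPS
        Security.addProvider(new BouncyCastleJsseProvider());
        SSLContext ctx = contextTrusting(trustStoreFromCaFile(args[0]));
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[1], Integer.parseInt(args[2]))) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also match the host name against the certificate
            s.setSSLParameters(p);
            s.startHandshake(); // chain validation against the trust store happens here
            System.out.println("Trusted peer: " + s.getSession().getPeerPrincipal());
        } catch (SSLException e) {
            // An untrusted chain surfaces here as the certificate_unknown(46) alert seen in the question.
            System.err.println("Handshake failed: " + e.getMessage());
        }
    }
}
```

If the handshake still fails with certificate_unknown, the file passed as the first argument does not contain the CA that issued the server's chain.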

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Hightower