PKIX path building failed :: javax.net.ssl.SSLHandshakeException on nvd.nist.gov #2222

Closed
MMirabito opened this issue Sep 29, 2019 · 27 comments

Comments

@MMirabito
commented Sep 29, 2019

Dear all,

We started noticing that when running dependency-check we are getting javax.net.ssl.SSLHandshakeException on nvd.nist.gov. This is sort of strange because we are not aware of anything that changed on our servers.

We are using:
JDK 1.8.0_221 (build 1.8.0_221-b27)
Dependency-Check Version 5.2.1

I tried the same thing directly on my machine, first running the ant build that integrates with dependency-check, then using SSLPoke as suggested in another inquiry (#2036). In both instances the javax.net.ssl.SSLHandshakeException exception is thrown.

%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What I cannot figure out is if the issue is on my side, on nvd.nist.gov, or something else. Incidentally, we noticed the issue over the weekend when the automated builds started failing because dependency-check could not complete the task.

Thanks in advance, and any suggestions are greatly appreciated.

max

Exception from SSLPoke:

`Java -Djavax.net.debug=ssl SSLPoke nvd.nist.gov 443
System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_RSA_WITH_NULL_SHA256
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_NULL_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
Ignoring disabled cipher suite: SSL_RSA_WITH_NULL_MD5
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Inaccessible trust store: C:\MyPrograms\Java\jre1.8.0_221\lib\security\jssecacerts
trustStore is: C:\MyPrograms\Java\jre1.8.0_221\lib\security\cacerts
trustStore type is: jks
trustStore provider is:
the last modified time is: Thu Jul 25 21:22:24 EDT 2019
Reload the trust store
Reload trust certs
Reloaded 90 trust certs
adding as trusted cert:
Subject: CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Issuer: CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Algorithm: EC; Serial number: 0xa68b79290000000050d091f9
Valid from Tue Dec 18 10:25:36 EST 2012 until Fri Dec 18 10:55:36 EST 2037

adding as trusted cert:
Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
Algorithm: RSA; Serial number: 0xcf08e5c0816a5ad427ff0eb271859d0
Valid from Tue Nov 07 14:31:18 EST 2006 until Mon Dec 31 14:40:55 EST 2029

adding as trusted cert:
Subject: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
Issuer: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
Algorithm: RSA; Serial number: 0xa0142800000014523cf467c00000002
Valid from Thu Jan 16 12:53:32 EST 2014 until Mon Jan 16 12:53:32 EST 2034

adding as trusted cert:
Subject: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
Issuer: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
Algorithm: RSA; Serial number: 0x0
Valid from Tue Sep 30 00:20:49 EDT 2003 until Sat Sep 30 00:20:49 EDT 2023

adding as trusted cert:
Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x3863def8
Valid from Fri Dec 24 12:50:51 EST 1999 until Tue Jul 24 10:15:12 EDT 2029

adding as trusted cert:
Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0x83be056904246b1a1756ac95991c74a
Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
Subject: CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x445734245b81899b35f2ceb82b3b5ba726f07528
Valid from Thu Jan 12 13:59:32 EST 2012 until Sun Jan 12 13:59:32 EST 2042

adding as trusted cert:
Subject: CN=TeliaSonera Root CA v1, O=TeliaSonera
Issuer: CN=TeliaSonera Root CA v1, O=TeliaSonera
Algorithm: RSA; Serial number: 0x95be16a0f72e46f17b398272fa8bcd96
Valid from Thu Oct 18 08:00:50 EDT 2007 until Mon Oct 18 08:00:50 EDT 2032

adding as trusted cert:
Subject: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0x59b1b579e8e2132e23907bda777755c
Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038

adding as trusted cert:
Subject: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
Issuer: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
Algorithm: RSA; Serial number: 0x344ed55720d5edec49f42fce37db2b6d
Valid from Thu Nov 16 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x18acb56afd69b6153a636cafdafac4a1
Valid from Sun Nov 26 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: EC; Serial number: 0x2f80fe238c0e220f486712289187acb3
Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
Issuer: CN=Entrust Root Certification Authority, OU="(c) 2006 Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, O="Entrust, Inc.", C=US
Algorithm: RSA; Serial number: 0x456b5054
Valid from Mon Nov 27 15:23:42 EST 2006 until Fri Nov 27 15:53:42 EST 2026

adding as trusted cert:
Subject: OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
Issuer: OU=Security Communication RootCA2, O="SECOM Trust Systems CO.,LTD.", C=JP
Algorithm: RSA; Serial number: 0x0
Valid from Fri May 29 01:00:39 EDT 2009 until Tue May 29 01:00:39 EDT 2029

adding as trusted cert:
Subject: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0xb931c3ad63967ea6723bfc3af9af44b
Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038

adding as trusted cert:
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x7dd9fe07cfa81eb7107967fba78934c6
Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
Subject: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW
Issuer: OU=ePKI Root Certification Authority, O="Chunghwa Telecom Co., Ltd.", C=TW
Algorithm: RSA; Serial number: 0x15c8bd65475cafb897005ee406d2bc9d
Valid from Sun Dec 19 21:31:27 EST 2004 until Tue Dec 19 21:31:27 EST 2034

adding as trusted cert:
Subject: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Commercial, O=AffirmTrust, C=US
Algorithm: RSA; Serial number: 0x7777062726a9b17c
Valid from Fri Jan 29 09:06:06 EST 2010 until Tue Dec 31 09:06:06 EST 2030

adding as trusted cert:
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
Algorithm: RSA; Serial number: 0x45e6bb038333c3856548e6ff4551
Valid from Tue Dec 09 19:00:00 EST 2014 until Sat Dec 09 19:00:00 EST 2034

adding as trusted cert:
Subject: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
Issuer: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
Algorithm: RSA; Serial number: 0x444c0
Valid from Wed Oct 22 08:07:37 EDT 2008 until Mon Dec 31 07:07:37 EST 2029

adding as trusted cert:
Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
Algorithm: RSA; Serial number: 0x10020
Valid from Tue Jun 11 06:46:39 EDT 2002 until Fri Jun 11 06:46:39 EDT 2027

adding as trusted cert:
Subject: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
Issuer: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
Algorithm: RSA; Serial number: 0x50946cec18ead59c4dd597ef758fa0ad
Valid from Mon Nov 01 12:14:04 EST 2004 until Mon Jan 01 00:37:19 EST 2035

adding as trusted cert:
Subject: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
Issuer: CN=AddTrust Qualified CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 30 06:44:50 EDT 2000 until Sat May 30 06:44:50 EDT 2020

adding as trusted cert:
Subject: CN=DST Root CA X3, O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Algorithm: RSA; Serial number: 0x44afb080d6a327ba893039862ef8406b
Valid from Sat Sep 30 17:12:19 EDT 2000 until Thu Sep 30 10:01:15 EDT 2021

adding as trusted cert:
Subject: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 2 Root CA, O=Buypass AS-983163327, C=NO
Algorithm: RSA; Serial number: 0x2
Valid from Tue Oct 26 04:38:03 EDT 2010 until Fri Oct 26 04:38:03 EDT 2040

adding as trusted cert:
Subject: CN=Sonera Class2 CA, O=Sonera, C=FI
Issuer: CN=Sonera Class2 CA, O=Sonera, C=FI
Algorithm: RSA; Serial number: 0x1d
Valid from Fri Apr 06 03:29:40 EDT 2001 until Tue Apr 06 03:29:40 EDT 2021

adding as trusted cert:
Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE
Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE
Algorithm: RSA; Serial number: 0x983f4
Valid from Thu Nov 05 03:50:46 EST 2009 until Mon Nov 05 03:50:46 EST 2029

adding as trusted cert:
Subject: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: EC; Serial number: 0xba15afa1ddfa0b54944afcd24a06cec
Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038

adding as trusted cert:
Subject: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
Algorithm: EC; Serial number: 0x3cb2f4480a00e2feeb243b5e603ec36b
Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0xbb401c43f55e4fb0
Valid from Wed Oct 25 04:30:35 EDT 2006 until Sat Oct 25 04:30:35 EDT 2036

adding as trusted cert:
Subject: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Algorithm: EC; Serial number: 0x5c8b99c55a94c5d27156decd8980cc26
Valid from Sun Jan 31 19:00:00 EST 2010 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
Issuer: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
Algorithm: RSA; Serial number: 0xa0142800000014523c844b500000002
Valid from Thu Jan 16 13:12:23 EST 2014 until Mon Jan 16 13:12:23 EST 2034

adding as trusted cert:
Subject: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 2, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x509
Valid from Fri Nov 24 13:27:00 EST 2006 until Mon Nov 24 13:23:33 EST 2031

adding as trusted cert:
Subject: CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
Issuer: CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
Algorithm: RSA; Serial number: 0x983f3
Valid from Thu Nov 05 03:35:58 EST 2009 until Mon Nov 05 03:35:58 EST 2029

adding as trusted cert:
Subject: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x78585f2ead2c194be3370735341328b596d46593
Valid from Thu Jan 12 12:27:44 EST 2012 until Sun Jan 12 12:27:44 EST 2042

adding as trusted cert:
Subject: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Algorithm: EC; Serial number: 0x1f47afaa62007050544c019e9b63992a
Valid from Wed Mar 05 19:00:00 EST 2008 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Algorithm: RSA; Serial number: 0x1fd6d30fca3ca51a81bbc640e35032d
Valid from Sun Jan 31 19:00:00 EST 2010 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Algorithm: RSA; Serial number: 0x8210cfb0d240e3594463e0bb63828b00
Valid from Thu Jun 04 07:04:38 EDT 2015 until Mon Jun 04 07:04:38 EDT 2035

adding as trusted cert:
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0xb92f60cc889fa17a4609b85b706c8aaf
Valid from Sun May 17 20:00:00 EDT 1998 until Tue Aug 01 19:59:59 EDT 2028

adding as trusted cert:
Subject: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0x2ac5c266a0b409b8f0b79f2ae462577
Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
Algorithm: RSA; Serial number: 0x400000000010f8626e60d
Valid from Fri Dec 15 03:00:00 EST 2006 until Wed Dec 15 03:00:00 EST 2021

adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x18dad19e267de8bb4a2158cdcc6b3b4a
Valid from Tue Nov 07 19:00:00 EST 2006 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
Subject: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x5c6
Valid from Fri Nov 24 14:11:23 EST 2006 until Mon Nov 24 14:06:44 EST 2031

adding as trusted cert:
Subject: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x1
Valid from Thu Mar 04 00:00:00 EST 2004 until Sun Mar 04 00:00:00 EST 2029

adding as trusted cert:
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Algorithm: RSA; Serial number: 0x4000000000121585308a2
Valid from Wed Mar 18 06:00:00 EDT 2009 until Sun Mar 18 06:00:00 EDT 2029

adding as trusted cert:
Subject: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Mon Aug 31 20:00:00 EDT 2009 until Thu Dec 31 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000b9
Valid from Fri May 12 14:46:00 EDT 2000 until Mon May 12 19:59:00 EDT 2025

adding as trusted cert:
Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x67c8e1e8e3be1cbdfc913b8ea6238749
Valid from Tue Dec 31 19:00:00 EST 1996 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
Subject: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Algorithm: RSA; Serial number: 0x1
Valid from Wed Dec 31 19:00:00 EST 2003 until Sun Dec 31 18:59:59 EST 2028

adding as trusted cert:
Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Algorithm: RSA; Serial number: 0x0
Valid from Tue Jun 29 13:39:16 EDT 2004 until Thu Jun 29 13:39:16 EDT 2034

adding as trusted cert:
Subject: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
Issuer: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU
Algorithm: RSA; Serial number: 0x0
Valid from Tue Sep 30 12:13:43 EDT 2003 until Wed Sep 30 12:13:44 EDT 2037

adding as trusted cert:
Subject: CN=Swisscom Root CA 2, OU=Digital Certificate Services, O=Swisscom, C=ch
Issuer: CN=Swisscom Root CA 2, OU=Digital Certificate Services, O=Swisscom, C=ch
Algorithm: RSA; Serial number: 0x1e9e28e848f2e5efc37c4a1e5a1867b6
Valid from Fri Jun 24 04:38:14 EDT 2011 until Wed Jun 25 03:38:14 EDT 2031

adding as trusted cert:
Subject: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x2ef59b0228a7db7affd5a3a9eebd03a0cf126a1d
Valid from Thu Jan 12 15:26:32 EST 2012 until Sun Jan 12 15:26:32 EST 2042

adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
Valid from Thu Sep 30 20:00:00 EDT 1999 until Wed Jul 16 19:59:59 EDT 2036

adding as trusted cert:
Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Algorithm: RSA; Serial number: 0x40000000001154b5ac394
Valid from Tue Sep 01 08:00:00 EDT 1998 until Fri Jan 28 07:00:00 EST 2028

adding as trusted cert:
Subject: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
Algorithm: RSA; Serial number: 0x570a119742c4e3cc
Valid from Thu Sep 22 07:22:02 EDT 2011 until Sun Sep 22 07:22:02 EDT 2030

adding as trusted cert:
Subject: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Algorithm: RSA; Serial number: 0x44be0c8b500024b411d3362de0b35f1b
Valid from Fri Jul 09 14:31:20 EDT 1999 until Tue Jul 09 14:40:36 EDT 2019

adding as trusted cert:
Subject: CN=AffirmTrust Networking, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Networking, O=AffirmTrust, C=US
Algorithm: RSA; Serial number: 0x7c4f04391cd4992d
Valid from Fri Jan 29 09:08:24 EST 2010 until Tue Dec 31 09:08:24 EST 2030

adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028

adding as trusted cert:
Subject: CN=AffirmTrust Premium, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Premium, O=AffirmTrust, C=US
Algorithm: RSA; Serial number: 0x6d8c1446b1a60aee
Valid from Fri Jan 29 09:10:36 EST 2010 until Mon Dec 31 09:10:36 EST 2040

adding as trusted cert:
Subject: CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU
Issuer: CN=LuxTrust Global Root, O=LuxTrust s.a., C=LU
Algorithm: RSA; Serial number: 0xbb8
Valid from Thu Mar 17 05:51:37 EDT 2011 until Wed Mar 17 05:51:37 EDT 2021

adding as trusted cert:
Subject: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Issuer: CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM
Algorithm: RSA; Serial number: 0x3ab6508b
Valid from Mon Mar 19 13:33:33 EST 2001 until Wed Mar 17 14:33:33 EDT 2021

adding as trusted cert:
Subject: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Issuer: CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO
Algorithm: RSA; Serial number: 0x2
Valid from Tue Oct 26 04:28:58 EDT 2010 until Fri Oct 26 04:28:58 EDT 2040

adding as trusted cert:
Subject: CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x15ac6e9419b2794b41f627a9c3180f1f
Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
Issuer: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
Algorithm: EC; Serial number: 0x35fc265cd9844fc93d263d579baed756
Valid from Sun Nov 04 19:00:00 EST 2007 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x401ac46421b31321030ebbe4121ac51d
Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Issuer: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Algorithm: RSA; Serial number: 0xa3da427ea4b1aeda
Valid from Fri Aug 01 08:29:50 EDT 2008 until Sat Jul 31 08:29:50 EDT 2038

adding as trusted cert:
Subject: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4f1bd42f54bb2f4b
Valid from Wed Oct 25 04:32:46 EDT 2006 until Sat Oct 25 04:32:46 EDT 2036

adding as trusted cert:
Subject: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Issuer: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Algorithm: RSA; Serial number: 0x4a538c28
Valid from Tue Jul 07 13:25:54 EDT 2009 until Sat Dec 07 12:55:54 EST 2030

adding as trusted cert:
Subject: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
Issuer: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 30 06:38:31 EDT 2000 until Sat May 30 06:38:31 EDT 2020

adding as trusted cert:
Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0xce7e0e517d846fe8fe560fc1bf03039
Valid from Thu Nov 09 19:00:00 EST 2006 until Sun Nov 09 19:00:00 EST 2031

adding as trusted cert:
Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Algorithm: RSA; Serial number: 0x0
Valid from Tue Jun 29 13:06:20 EDT 2004 until Thu Jun 29 13:06:20 EDT 2034

adding as trusted cert:
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
Algorithm: EC; Serial number: 0x2a38a41c960a04de42b228a50be8349802
Valid from Mon Nov 12 19:00:00 EST 2012 until Mon Jan 18 22:14:07 EST 2038

adding as trusted cert:
Subject: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Algorithm: RSA; Serial number: 0x1
Valid from Tue May 30 06:48:38 EDT 2000 until Sat May 30 06:48:38 EDT 2020

adding as trusted cert:
Subject: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
Issuer: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
Algorithm: RSA; Serial number: 0x1
Valid from Wed Oct 01 06:29:56 EDT 2008 until Sat Oct 01 19:59:59 EDT 2033

adding as trusted cert:
Subject: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Issuer: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Algorithm: RSA; Serial number: 0xc9cdd3e9d57d23ce
Valid from Fri Aug 01 08:31:40 EDT 2008 until Sat Jul 31 08:31:40 EDT 2038

adding as trusted cert:
Subject: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
Issuer: CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
Algorithm: RSA; Serial number: 0x600197b746a7eab4b49ad64b2ff790fb
Valid from Tue Apr 01 20:00:00 EDT 2008 until Tue Dec 01 18:59:59 EST 2037

adding as trusted cert:
Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Algorithm: RSA; Serial number: 0x4caaf9cadb636fe01ff74ed85b03869d
Valid from Mon Jan 18 19:00:00 EST 2010 until Mon Jan 18 18:59:59 EST 2038

adding as trusted cert:
Subject: CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: EC; Serial number: 0x55556bcf25ea43535c3a40fd5ab4572
Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038

adding as trusted cert:
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1a5
Valid from Wed Aug 12 20:29:00 EDT 1998 until Mon Aug 13 19:59:00 EDT 2018

adding as trusted cert:
Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x36122296c5e338a520a1d25f4cd70954
Valid from Wed Jul 31 20:00:00 EDT 1996 until Fri Jan 01 18:59:59 EST 2021

adding as trusted cert:
Subject: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Issuer: CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
Algorithm: EC; Serial number: 0x7497258ac73f7a54
Valid from Fri Jan 29 09:20:24 EST 2010 until Mon Dec 31 09:20:24 EST 2040

adding as trusted cert:
Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x23456
Valid from Tue May 21 00:00:00 EDT 2002 until Sat May 21 00:00:00 EDT 2022

adding as trusted cert:
Subject: CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
Issuer: CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
Algorithm: RSA; Serial number: 0x1
Valid from Wed Oct 01 06:40:14 EDT 2008 until Sat Oct 01 19:59:59 EDT 2033

adding as trusted cert:
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f
Valid from Wed Oct 25 04:36:00 EDT 2006 until Sat Oct 25 04:36:00 EDT 2036

adding as trusted cert:
Subject: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
Issuer: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
Algorithm: RSA; Serial number: 0x1121bc276c5547af584eefd4ced629b2a285
Valid from Mon May 25 20:00:00 EDT 2009 until Mon May 25 20:00:00 EDT 2020

adding as trusted cert:
Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Algorithm: RSA; Serial number: 0x33af1e6a711a9a0bb2864b11d09fae5
Valid from Thu Aug 01 08:00:00 EDT 2013 until Fri Jan 15 07:00:00 EST 2038

adding as trusted cert:
Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5
Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5
Algorithm: EC; Serial number: 0x605949e0262ebb55f90a778a71f94ad86c
Valid from Mon Nov 12 19:00:00 EST 2012 until Mon Jan 18 22:14:07 EST 2038

keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1552933033 bytes = { 230, 137, 68, 81, 77, 127, 108, 178, 107, 213, 166, 229, 64, 168, 168, 213, 103, 117, 225, 5, 60, 111, 72, 78, 244, 189, 242, 82 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=nvd.nist.gov]


main, WRITE: TLSv1.2 Handshake, length = 214
main, READ: TLSv1.2 Handshake, length = 93
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 888373860 bytes = { 229, 253, 125, 7, 104, 68, 243, 107, 40, 246, 168, 123, 218, 131, 170, 74, 135, 124, 50, 173, 81, 108, 88, 65, 155, 205, 122, 90 }
Session ID: {128, 54, 105, 212, 73, 73, 255, 92, 183, 62, 182, 223, 43, 131, 189, 6, 85, 185, 120, 160, 181, 117, 73, 86, 228, 23, 249, 27, 73, 216, 150, 7}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension server_name, server_name:
Extension renegotiation_info, renegotiated_connection:
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]


%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange12
upcoming handshake states: certificate_request13
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate11
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify15
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, READ: TLSv1.2 Handshake, length = 1848
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange12
upcoming handshake states: certificate_request13
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate11
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify15
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=nvd.nist.gov, OU=OISM, O=National Institute of Standards and Technology, L=Gaithersburg, ST=Maryland, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
modulus: 25594131913523496269060106854058710862271807885319681561717432942227804823065213261843410825792111480028220117311241746329220057864785509365746789780684305819380045327053243185208622996569201479685584358510160754238783775675270644560338585854642025878998876813767822670954192728522045875806355789685214427179763218263396224440605358504234708122982076882063647525476512005136355621464088528831559829645075648095586656866610271475010275079179936417438084657532818410068168523619359655398268513366099695311860079370582876462042495884356375893429602824463957752597162173950993144281331568953239041424491431754573761567479
public exponent: 65537
Validity: [From: Tue Nov 13 19:00:00 EST 2018,
To: Fri Nov 15 07:00:00 EST 2019]
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
SerialNumber: [ 09ab1da2 a73d123c 4dc06804 965e740c]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =

[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com

accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5 2F 28 E7 8D 46 38 B4 2C ..a..1a./(..F8.,
0010: E1 C6 D9 E2 ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS

]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nvd.nist.gov
DNSName: icat.nist.gov
DNSName: web.nvd.nist.gov
DNSName: static.nvd.nist.gov
DNSName: services.nvd.nist.gov
DNSName: checklists.nist.gov
DNSName: scap.nist.gov
DNSName: beacon.nist.gov
DNSName: usgcb.nist.gov
DNSName: fdcc.nist.gov
DNSName: csrc.nist.gov
DNSName: sbc.nist.gov
DNSName: scrm.nist.gov
DNSName: auth.nvd.nist.gov
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 59 02 40 6B E1 DC 30 2B AB 72 A3 CD 1F C2 7B bY.@k..0+.r.....
0010: 37 25 E2 80 7%..
]
]

]
Algorithm: [SHA256withRSA]
Signature:

]


%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 16 more`

Exception from within Ant Build:

[dependency-check] Begin Engine Version Check
[dependency-check] Last checked: 1569771061
[dependency-check] Now: 1569773680
[dependency-check] Current version: 5.2.1
[dependency-check] Upgrade not needed
Finding class org.owasp.dependencycheck.data.update.RetireJSDataSource
Loaded from D:\MyPrograms\dependency-check-ant\lib\dependency-check-core-5.2.1.jar org/owasp/dependencycheck/data/update/RetireJSDataSource.class
Class org.owasp.dependencycheck.data.update.RetireJSDataSource loaded from ant loader (parentFirst)
[dependency-check] Settings.getDataFile() - file: 'D:\MyPrograms\dependency-check-ant\data\4.0'
[dependency-check] Last updated: 1569771062607
[dependency-check] Now: 1569773680248
[dependency-check] Skipping RetireJS update since last update was within 24 hours.
[dependency-check] Lock released ([main, b32b5cae0b931e66f4bff5a7a83a4fd0, 2019-09-29 12:14:40.252]) {} @ {}
[dependency-check] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[dependency-check] Update Error UpdateException: org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:347)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:922)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:723)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)
at org.owasp.dependencycheck.taskdefs.Check.callExecuteAnalysis(Check.java:1581)
at org.owasp.dependencycheck.taskdefs.Check.execute(Check.java:1540)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
at org.apache.tools.ant.Task.perform(Task.java:350)
at org.apache.tools.ant.Target.execute(Target.java:449)
at org.apache.tools.ant.Target.performTasks(Target.java:470)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1391)
at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
at org.apache.tools.ant.Project.executeTargets(Project.java:1254)
at org.apache.tools.ant.Main.runBuild(Main.java:830)
at org.apache.tools.ant.Main.startAnt(Main.java:223)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta'
at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:115)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)
... 23 more
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta; unable to connect.
at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)
at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:110)
... 24 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
... 26 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 37 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 43 more

@MMirabito MMirabito added the question label Sep 29, 2019
@nickmbailey

commented Sep 29, 2019

Also seeing this since last night.

@jukkasi

commented Sep 29, 2019

Same problem running latest Docker image

@stevespringett

Collaborator

commented Sep 29, 2019

The Dependency-Track community also reported this issue.

DependencyTrack/dependency-track#457

I have sent an email to the NVD informing them.

@lutzhorn

commented Sep 30, 2019

@THausherr

commented Sep 30, 2019

IMHO they don't provide the whole chain.
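The observation in the comment above can be checked against the `javax.net.debug` output in the original report: the server sent only `chain [0]`, and that certificate's issuer is not among the trusted certs. The Python below is an added example, not part of any comment in this thread and not dependency-check code; the function names and the shortened sample log are constructed for illustration, and issuers are matched by DN string only.

```python
import re

# Constructed excerpt: lines taken from the javax.net.debug output posted in this
# issue, cut down to two trust anchors, the server's chain and the fatal alert.
SAMPLE_LOG = """\
adding as trusted cert:
Subject: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

adding as trusted cert:
Subject: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=nvd.nist.gov, OU=OISM, O=National Institute of Standards and Technology, L=Gaithersburg, ST=Maryland, C=US
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
"""

SUBJECT = re.compile(r"^\s*Subject:\s*(.+?)\s*$")
ISSUER = re.compile(r"^\s*Issuer:\s*(.+?)\s*$")
CHAIN_ENTRY = re.compile(r"^\s*chain \[\d+\] = \[")
AIA_URL = re.compile(r"accessLocation: URIName: (\S+)")
ALERT = re.compile(r"ALERT:\s+fatal, description = (\w+)")


def norm(dn):
    """Compare DNs as printed by the JDK: collapse whitespace, ignore case."""
    return re.sub(r"\s+", " ", dn).strip().lower()


def parse_debug_log(text):
    """Collect trust-anchor subjects, the chain the server sent, and any fatal alert."""
    hs = {"anchors": set(), "chain": [], "alert": None}
    mode, cert, want_aia = None, None, False
    for line in text.splitlines():
        if line.startswith("adding as trusted cert"):
            mode = "anchor"
            continue
        if line.startswith("*** Certificate chain"):
            mode, cert = "chain", None
            continue
        if mode == "chain" and line.startswith(("%%", "***")):
            mode = None  # end of the Certificate message dump
        alert = ALERT.search(line)
        if alert:
            hs["alert"] = alert.group(1)
        if mode == "anchor":
            m = SUBJECT.match(line)
            if m:
                hs["anchors"].add(norm(m.group(1)))
                mode = None  # skip the Issuer line that follows
        elif mode == "chain":
            if CHAIN_ENTRY.match(line):
                cert = {"subject": "", "issuer": "", "ca_issuers": None}
                hs["chain"].append(cert)
                want_aia = False
            elif cert is not None:
                if SUBJECT.match(line) and not cert["subject"]:
                    cert["subject"] = SUBJECT.match(line).group(1)
                elif ISSUER.match(line) and not cert["issuer"]:
                    cert["issuer"] = ISSUER.match(line).group(1)
                elif "accessMethod:" in line:
                    want_aia = "caIssuers" in line  # ignore the ocsp location
                elif want_aia and AIA_URL.search(line):
                    cert["ca_issuers"] = AIA_URL.search(line).group(1)
                    want_aia = False
    return hs


def diagnose(hs):
    """Walk issuer links from the leaf; DN-string matching only, no signature checks."""
    none = {"missing_issuer": None, "ca_issuers": None}
    if not hs["chain"]:
        return dict(none, verdict="no_chain_seen")
    by_subject = {norm(c["subject"]): c for c in hs["chain"]}
    cert, visited = hs["chain"][0], set()
    while True:
        subj, iss = norm(cert["subject"]), norm(cert["issuer"])
        if subj in hs["anchors"] or iss in hs["anchors"]:
            return dict(none, verdict="anchored")
        if iss == subj:  # self-signed top of chain that the trust store lacks
            return {"verdict": "untrusted_root", "missing_issuer": cert["issuer"],
                    "ca_issuers": None}
        if iss not in by_subject or iss in visited:  # issuer neither sent nor trusted
            return {"verdict": "incomplete_chain", "missing_issuer": cert["issuer"],
                    "ca_issuers": cert["ca_issuers"]}
        visited.add(subj)
        cert = by_subject[iss]


if __name__ == "__main__":
    print(diagnose(parse_debug_log(SAMPLE_LOG)))
```

On the excerpt the verdict is `incomplete_chain`, with the missing issuer and the leaf's caIssuers URL; that URL is where the JDK fetches the issuer certificate from when `com.sun.security.enableAIAcaIssuers=true` is set.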

@markdenihan

commented Sep 30, 2019

Workaround (from stevespringett/nist-data-mirror#38)

Update your Java Options to contain:

export _JAVA_OPTIONS="-Dcom.sun.security.enableAIAcaIssuers=true"

@MMirabito

Author

commented Sep 30, 2019

All,

Thanks for the comments

Workaround from several mentions including @markdenihan, @lutzhorn both referring to stevespringett/nist-data-mirror#38 appears to have it fixed at least temporarily. Now when I run SSLPoke

java -Dcom.sun.security.enableAIAcaIssuers=true SSLPoke nvd.nist.gov 443

It returns Successfully connected

Thank you much,
max

@ST-DDT

commented Sep 30, 2019

Wouldn't adding the certificate to the truststore/keystore fix the issue?

(Yes, it does)

keytool -import -alias nvd.dist.gov -file nvd_nist_gov.crt -storetype JKS -keystore cacerts

cacerts can usually be found in $JAVA_HOME/lib/security/cacerts

Password for the default keystore is: changeit

nvd_nist_gov.crt.zip or if you don't trust me 😀, download it with your browser and export it as crt/pem.

@lutzhorn

commented Sep 30, 2019

> Wouldn't adding the certificate to the truststore/keystore fix the issue?

That's only patching the symptoms, not fixing the root cause. Even the above-mentioned flag is only a workaround to get things going again for now. A real solution would

  • digitally sign the JSON files so that
  • mirroring would be possible without having to trust the 3rd party running the mirror.

@lutzhorn

commented Sep 30, 2019

Based on the database content as it was on 2019-09-27T14:02:23-04:00, I can provide you a mirror of the database created using nist-data-mirror.

Edit the configuration element of the plugin in your pom.xml:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>5.2.2</version>
    <configuration>
        <cveUrlModified>https://www.lhorn.de/nist/nvdcve-1.0-modified.json.gz</cveUrlModified>
        <cveUrlBase>https://www.lhorn.de/nist/nvdcve-1.0-%d.json.gz</cveUrlBase>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
            <configuration>
                <format>xml</format>
            </configuration>
        </execution>
    </executions>
</plugin>

Note that I can not guarantee 100% availability of this mirror nor it being up to date. But maybe it can be of a little use.

@OrangeDog

commented Sep 30, 2019

For the Maven plugin:

<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>properties-maven-plugin</artifactId>
  <version>1.0.0</version>
  <executions>
    <execution>
      <goals><goal>set-system-properties</goal></goals>
      <configuration>
        <properties>
          <property>
            <name>com.sun.security.enableAIAcaIssuers</name>
            <value>true</value>
          </property>
        </properties>
      </configuration>
    </execution>
  </executions>
</plugin>

@jeremylong

Owner

commented Sep 30, 2019

I won't be able to push a release for a few days and barely had time to test this. As @OrangeDog has pointed out you can use either the plugin to set the system property to resolve the issue or you could set one of the following:

For Maven:

export MAVEN_OPTS="-Dcom.sun.security.enableAIAcaIssuers=true"

For Gradle:

export GRADLE_OPTS="-Dcom.sun.security.enableAIAcaIssuers=true"

For the CLI:

export JAVA_OPTS="-Dcom.sun.security.enableAIAcaIssuers=true"

@arjopoldervaart

commented Sep 30, 2019

How do I do this for Jenkins? I tried starting Jenkins with "-Dcom.sun.security.enableAIAcaIssuers=true" added to JENKINS_JAVA_OPTIONS in /etc/sysconfig/jenkins and by executing 'System.setProperty("com.sun.security.enableAIAcaIssuers", "true")' in the script console.

Both these actions had no effect.

@faris-git

commented Sep 30, 2019

> How do I do this for Jenkins? I tried starting Jenkins with "-Dcom.sun.security.enableAIAcaIssuers=true" added to JENKINS_JAVA_OPTIONS in /etc/sysconfig/jenkins and by executing 'System.setProperty("com.sun.security.enableAIAcaIssuers", "true")' in the script console.
>
> Both these actions had no effect.

If you are using a Jenkins pipeline, you can run it like this with a Java argument:

mvn -Dcom.sun.security.enableAIAcaIssuers=true org.owasp:dependency-check-maven:check

@OrangeDog

commented Sep 30, 2019

@faris-git that's the Maven plugin. This is the Jenkins plugin: https://plugins.jenkins.io/dependency-check-jenkins-plugin

@arjopoldervaart it uses the CLI, so the export above should work. However, Jenkins service scripts may mess with it.

@FabianSawatzki1234

commented Sep 30, 2019

It does work for us again. Seems like NVD has fixed the issue with their certificate chain.

@OrangeDog

commented Sep 30, 2019

@stevespringett

Collaborator

commented Sep 30, 2019

Response from NVD:

Good morning,

Thank you for reporting this to the NVD, we are aware of the problem and are currently working on a resolution. We apologize for the inconvenience.

V/r,
National Vulnerability Database Team
mailto:nvd@nist.gov

@MMirabito

Author

commented Sep 30, 2019

Just a quick note to let you know that I was able to run SSLPoke and it's now working without exceptions. The NVD cert appears to have been fixed.

java SSLPoke nvd.nist.gov 443

Thanks for all the help and suggestions,
max

@arjopoldervaart

commented Oct 1, 2019

Working for us again as well.

What I find strange is that after importing the certificates manually into cacerts, I had SSLPoke working, a Groovy script from the Jenkins console was working, but the Dependency Check plugin in Jenkins was still failing. Is the plugin using a different SSL factory?

@OrangeDog

commented Oct 1, 2019

@arjopoldervaart as I said it uses the CLI. It doesn’t run in the Jenkins JVM.

@arjopoldervaart

commented Oct 1, 2019

@OrangeDog if it uses the CLI, shouldn't it behave like a regular Java application? SSLPoke was working, which I also ran from the command line.

@mjdavies

commented Oct 15, 2019

Is anyone else still having issues downloading the file with the Jenkins plugin? I can curl it without issues in a shell file in my Jenkinsfile just above the dependency check section, but the dependency check section fails every time.

[DependencyCheck] [INFO] Checking for updates
[DependencyCheck] [ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:347)
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:922)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:723)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)
[DependencyCheck] 	at org.owasp.dependencycheck.App.runScan(App.java:251)
[DependencyCheck] 	at org.owasp.dependencycheck.App.run(App.java:183)
[DependencyCheck] 	at org.owasp.dependencycheck.App.main(App.java:80)
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta'
[DependencyCheck] 	at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:115)
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)
[DependencyCheck] 	... 8 common frames omitted
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta; unable to connect.
[DependencyCheck] 	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)
[DependencyCheck] 	at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
[DependencyCheck] 	at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:110)
[DependencyCheck] 	... 9 common frames omitted
[DependencyCheck] Caused by: java.net.SocketTimeoutException: connect timed out
[DependencyCheck] 	at java.net.PlainSocketImpl.socketConnect(Native Method)
[DependencyCheck] 	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
[DependencyCheck] 	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
[DependencyCheck] 	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
[DependencyCheck] 	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
[DependencyCheck] 	at java.net.Socket.connect(Socket.java:589)
[DependencyCheck] 	at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
[DependencyCheck] 	at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
[DependencyCheck] 	at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
[DependencyCheck] 	at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
[DependencyCheck] 	at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
[DependencyCheck] 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
[DependencyCheck] 	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1156)
[DependencyCheck] 	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1050)
[DependencyCheck] 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
[DependencyCheck] 	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
[DependencyCheck] 	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
[DependencyCheck] 	... 11 common frames omitted
@cdaller

commented Oct 15, 2019

> Is anyone else still having issues downloading the file with the Jenkins plugin? I can curl it without issues in a shell file in my Jenkinsfile just above the dependency check section, but the dependency check section fails every time

No, works without problems (using Maven plugin version 5.2.2).

@mjdavies

commented Oct 15, 2019

Thanks for getting back, cdaller.

I'm using the Jenkins plugin, not the Maven plugin, although with all the ballache I'm having I'm considering not using either of them and using something completely different instead. Rather not though.

@OrangeDog

commented Oct 15, 2019

> Is anyone else still having issues downloading the file with the Jenkins plugin?

No. It's fine since NIST fixed their chain.

> connect timed out

Some sort of connection issue at your end.

@mjdavies

commented Oct 15, 2019

Thanks both. Since upgrading to v5 I needed to add the proxyserver and proxyport values. V4 of the Jenkins plugin didn't need it for some reason; it must have been picking up the main http_proxy env variable.

@jeremylong closed this Oct 15, 2019