Develop Reference

Letsencrypt DST Root CA X3 Problem with Magento SOAP-Service client or server side?

Since 30.9. - due to DST Root CA X3 SOAP Calls (SOAPUI or PHP SoapCLient) against the system fail. However via webbrowser I can open the https-Website just fine.
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xyz.de
verify return:1
---
Certificate chain
0 s:/CN=xyz.de
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgISBIGPZIOSvZxPr5l/FlDTq2eoMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEwMDgwODM3NTNaFw0yMjAxMDYwODM3NTJaMBUxEzARBgNVBAMT
CnN1Ym9sYWIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDik8F+
acJc9+DtWgj830rwZL2UmkA69FT3myx27HCJSJmJ96itiN7J2GAR2/ykqHZb+4KW
0vxeA2Yp8ZcrSuxlRUITC8eCppsv+FACW+G7gO6/GVL8KIF9AA3VsyHrGEI9OKp+
W+NgIUDJrf38zONF+Of+nq2HYKJ3QJBguJYlAZpa0RD/SkmZ6J+46frQarmRuvao
R6e/DB0aMxojV9/40xUBty4hTDM3N5XQWWB1Y8WtBIpoWJDxRAExESf6pRVPae8X
QlDFq/sK7ZymlXaBB0fDk0qtlQBAUs+5fbm11SlPEuEYr1fqZUDv+OVXq2YN9goR
P9P/9FdccOLm9DH/AgMBAAGjggJTMIICTzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FE5unoQ3VpJf/Fa9z8DzKpnBhXQ6MB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYf
r52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8u
bGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMCUG
A1UdEQQeMByCCnN1Ym9sYWIuZGWCDnd3dy5zdWJvbGFiLmRlMEwGA1UdIARFMEMw
CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
cHMubGV0c2VuY3J5cHQub3JnMIIBAgYKKwYBBAHWeQIEAgSB8wSB8ADuAHUARqVV
63X6kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF8X0QnSgAABAMARjBEAiAv
OVmtIwzbha0CbgncP3gib90XhyZqv2zG009eliEAOAIgKlN5m2D4pyeL7u2kBbo/
Sa3eK4tybwF0s0QzEu6jmzYAdQBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbII
mjfZEwAAAXxfRChkAAAEAwBGMEQCIA+CagvnauTu/l8918bZlzNfR4uBa+FlhGv6
pGywruzmAiAREmyTfzTUoAnxUbdMc+hfzZB9kJCzQa0vgqZnMIl2lzANBgkqhkiG
9w0BAQsFAAOCAQEAAMeb8OLAEG/IVfwdjzlZ/lEdPnv278qFVdotMuVa1Zl9/vwC
lTxs5RBn4MiDbECNnO+s6qDBrohMpp2bzsqZhCjmRQplpYSr+iqGzvrlWAVbxuKU
STWlSh+oThxX9esghT4G8FlkTrPU4V646IDsgbMUOYVxQv8rncvmw82q3h6ccOZz
8qhrUozrUXqqglR6bq49vsp1sOIhCPCuAkHswZvf1+KA72iwIKWayQUosFga9Wph
tIE/NY19D1nOwDIKhNSUA8YAhZAOrLZm4B6ZMJeajcMLFp+D3d3LyJNs2K0VK0Yu
uUbpGd5AthElVilw/X3TxzdIPU5G/AUPJNA9IQ==
-----END CERTIFICATE-----
subject=/CN=xyz.de
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4657 bytes and written 292 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E6AC1CB5A43712F0CDB1FA843B35D31F16195096541920D4A7C5F60E5089797C
Session-ID-ctx:
Master-Key: B621EBF40CB97A41A1DFAEBAD317FA48F01723BE72A25D6BBD6CCA7F91C4968399BCA3E146E20F2D44160F09BC1572E1
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
0000 - a3 a3 ce f3 2a c0 9e f7-60 59 91 f6 15 c9 56 79 ....*...`Y....Vy
0010 - 31 f8 d7 d0 cb a4 1b de-7d 1d bf 12 73 4e 5a f1 1.......}...sNZ.
0020 - b9 12 8b ff 1c c1 28 f7-cb d3 d1 f3 0e 4c 75 64 ......(......Lud
0030 - ce 3d c5 28 4e 99 5b e4-37 d4 b4 1b 4e 91 b8 e3 .=.(N.[.7...N...
0040 - 08 68 8f 6b 8a 1e dd f1-a3 79 f1 f6 1d 81 5f e7 .h.k.....y...._.
0050 - 7f 34 78 0a 48 ab 34 aa-f1 41 e1 5b 5c 89 75 b7 .4x.H.4..A.[\.u.
0060 - d2 54 a9 8b 63 ee 66 f3-e7 ee aa df 6b 61 ee 9b .T..c.f.....ka..
0070 - d1 89 28 c6 f1 96 53 d3-29 d0 7f d3 28 5b 52 b1 ..(...S.)...([R.
0080 - 0c fb 37 10 1d 23 a4 d1-6e 4a ff 39 f5 9c f7 a6 ..7..#..nJ.9....
0090 - ad 05 e3 a3 bb 98 04 f3-9d 23 6c ea 10 3f a2 22 .........#l..?."
00a0 - 39 76 0b 16 5b f6 af 0d-1a 2d 10 56 6e 72 d0 f1 9v..[....-.Vnr..
Start Time: 1633688139
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
The certificate chain still uses DST Root CA X3 but I dont know if this is ok or not:
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Error-Message from all Soap-Clients i tried is:
PHP Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://xyz.de/api/v2_soap?wsdl=1' : failed to load external entity "https://xyz.de/api/v2_soap?wsdl=1"
Is the problem on server side, or more like an issue that ISRG Root X1 is not known on client side?

Problem solved, the problem is, that the System (Magento Version 1) is calling itself via Web to get the WSDL, and the System that is hosting Magento was using the outdated DST ROOT CA X3 plus did not know about the ISRG Root X1:
rm /etc/ssl/certs/DST_Root_CA_X3.pem
apt-get install ca-certificates -y
update-ca-certificates -f -v

Spring Boot / Stomp / RabbitMQ + TLS

I,
I try to configure Reactor Netty TCP client to connect to RabbitMQ Stomp but I get TLS error from the JVM. Can anybody help me?
Versions:
JDK: 11.0.10 (but I tried with 1.8 and 15)
OS: Fedora 33
Spring Boot: 1.4.21
RabbitMQ: 3.7
RabbitMQ configuration:
loopback_users.guest = false
ssl_options.cacertfile = /etc/ssl/rabbitmq/ca.loc.pem
ssl_options.certfile = /etc/ssl/rabbitmq/broker.loc.pem
ssl_options.keyfile = /etc/ssl/rabbitmq/broker.loc.key
ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false
listeners.tcp.default = 5672
listeners.ssl.default = 5671
stomp.listeners.tcp.1 = 61613
stomp.listeners.ssl.1 = 61614
RabbitMQ runs inside a Docker container with this configuration:
broker:
image: gleroy/rabbitmq-stomp:3.7-1
ports:
- 61613:61613
- 61614:61614
volumes:
- ./docker/broker/ssl:/etc/ssl/rabbitmq
- ./docker/broker/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf
The gleroy/rabbitmq-stomp image contains a RabbitMQ 3.7 with enabled stomp plugin.
Stomp configuration:
#Configuration
class WebSocketConfiguration(
private val props: Properties
) : WebSocketMessageBrokerConfigurer {
override fun configureMessageBroker(registry: MessageBrokerRegistry) {
val client = ReactorNettyTcpClient(
{ tcpClient ->
val sslContextBuilder = SslContextBuilder.forClient()
val configuredTcpClient = tcpClient
.host(props.broker.host.hostAddress)
.port(props.broker.port)
if (props.broker.tlsEnabled) {
configuredTcpClient.secure { it.sslContext(sslContextBuilder) }
} else {
configuredTcpClient
}
},
StompReactorNettyCodec()
)
registry
.setApplicationDestinationPrefixes("/app")
.enableStompBrokerRelay(ApiConstants.WebSocket.TopicPath)
.setTcpClient(client)
.setClientLogin(props.broker.username)
.setClientPasscode(props.broker.password)
}
override fun registerStompEndpoints(registry: StompEndpointRegistry) {
registry
.addEndpoint(ApiConstants.WebSocket.Path)
.setAllowedOriginPatterns(*props.server.allowedOrigins.split(",").toTypedArray())
.withSockJS()
}
}
with:
props.broker.host set to InetAddress.getLoopbackAddress()
props.broker.port set to 61614
Everything works fine when props.broker.tlsEnabled is set to false.
Logs (with -Djavax.net.debug=all, I remove some useless logs):
javax.net.ssl|DEBUG|01|main|2021-03-14 18:20:22.063 CET|TrustStoreManager.java:112|trustStore is: api/ssl/truststore.p12
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Sun Mar 14 16:21:48 CET 2021
javax.net.ssl|DEBUG|01|main|2021-03-14 18:20:22.063 CET|TrustStoreManager.java:311|Reload the trust store
javax.net.ssl|DEBUG|01|main|2021-03-14 18:20:22.211 CET|TrustStoreManager.java:318|Reload trust certs
javax.net.ssl|DEBUG|01|main|2021-03-14 18:20:22.212 CET|TrustStoreManager.java:323|Reloaded 1 trust certs
javax.net.ssl|DEBUG|01|main|2021-03-14 18:20:22.215 CET|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "36 05 A8 93 C7 A7 66 F8 95 9A DF 15 F0 D1 FD 60 62 6A 90 59",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=ca.loc, L=Montpellier, C=FR",
"not before" : "2021-03-14 16:20:51.000 CET",
"not after" : "2048-07-29 17:20:51.000 CEST",
"subject" : "CN=ca.loc, L=Montpellier, C=FR",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 50 06 35 EA AB 26 C5 FC A1 56 98 45 D1 42 FB 60 P.5..&...V.E.B.`
0010: DD 56 F0 EE .V..
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 50 06 35 EA AB 26 C5 FC A1 56 98 45 D1 42 FB 60 P.5..&...V.E.B.`
0010: DD 56 F0 EE .V..
]
]
}
]}
)
...
d.gleroy.ivanachess.api.IvanaChessApiKt : Started IvanaChessApiKt in 3.962 seconds (JVM running for 4.371)
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS13
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS13
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS13
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLS13
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA for TLS13
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLS13
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLS13
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA for TLS13
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.850 CET|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA for TLS13
javax.net.ssl|WARNING|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.860 CET|ServerNameExtension.java:261|Unable to indicate server name
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.860 CET|SSLExtensions.java:260|Ignore, context unavailable extension: server_name
javax.net.ssl|WARNING|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.863 CET|SignatureScheme.java:295|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.863 CET|SignatureScheme.java:295|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SignatureScheme.java:371|Ignore unsupported signature scheme: ed25519
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SignatureScheme.java:371|Ignore unsupported signature scheme: ed448
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SignatureScheme.java:391|Ignore disabled signature scheme: dsa_sha256
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SignatureScheme.java:391|Ignore disabled signature scheme: dsa_sha224
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SignatureScheme.java:391|Ignore disabled signature scheme: ecdsa_sha1
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SignatureScheme.java:391|Ignore disabled signature scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SignatureScheme.java:391|Ignore disabled signature scheme: dsa_sha1
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SignatureScheme.java:391|Ignore disabled signature scheme: rsa_md5
javax.net.ssl|INFO|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.865 CET|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.866 CET|SSLExtensions.java:260|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.874 CET|PreSharedKeyExtension.java:634|No session to resume.
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.874 CET|SSLExtensions.java:260|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.876 CET|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "93 46 41 CB 92 A2 3B 07 86 DD 4A 5A 66 90 5C 58 04 1D C4 84 F5 BE 62 86 79 E9 C1 F0 39 E5 7E C9",
"session id" : "8E F4 F0 4E A9 EA 27 11 47 F9 E7 69 E2 76 8A 51 A2 AD 19 22 C1 85 BD 92 CD 7F F3 5C 51 4A 3A 97",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302)]",
"compression methods" : "00",
"extensions" : [
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha224, rsa_sha224]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha224, rsa_sha224]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: 8A B2 32 3D FC 8D 2D EF B9 1A 94 7D 98 17 69 C1 ..2=..-.......i.
0010: 65 39 F2 1E C6 FA B5 ED 0E 15 D4 DB 7F 02 7C 3C e9.............<
}
},
]
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.891 CET|SSLEngineOutputRecord.java:505|WRITE: TLS13 handshake, length = 287
javax.net.ssl|DEBUG|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.892 CET|SSLEngineOutputRecord.java:523|Raw write (
0000: 16 03 03 01 1F 01 00 01 1B 03 03 93 46 41 CB 92 ............FA..
0010: A2 3B 07 86 DD 4A 5A 66 90 5C 58 04 1D C4 84 F5 .;...JZf.\X.....
0020: BE 62 86 79 E9 C1 F0 39 E5 7E C9 20 8E F4 F0 4E .b.y...9... ...N
0030: A9 EA 27 11 47 F9 E7 69 E2 76 8A 51 A2 AD 19 22 ..'.G..i.v.Q..."
0040: C1 85 BD 92 CD 7F F3 5C 51 4A 3A 97 00 16 C0 2C .......\QJ:....,
0050: C0 2B C0 2F C0 30 C0 13 C0 14 00 9C 00 2F 00 35 .+./.0......./.5
0060: 13 01 13 02 01 00 00 BC 00 05 00 05 01 00 00 00 ................
0070: 00 00 0A 00 16 00 14 00 1D 00 17 00 18 00 19 00 ................
0080: 1E 01 00 01 01 01 02 01 03 01 04 00 0B 00 02 01 ................
0090: 00 00 0D 00 1E 00 1C 04 03 05 03 06 03 08 04 08 ................
00A0: 05 08 06 08 09 08 0A 08 0B 04 01 05 01 06 01 03 ................
00B0: 03 03 01 00 32 00 1E 00 1C 04 03 05 03 06 03 08 ....2...........
00C0: 04 08 05 08 06 08 09 08 0A 08 0B 04 01 05 01 06 ................
00D0: 01 03 03 03 01 00 11 00 09 00 07 02 00 04 00 00 ................
00E0: 00 00 00 17 00 00 00 2B 00 05 04 03 04 03 03 00 .......+........
00F0: 2D 00 02 01 01 00 33 00 26 00 24 00 1D 00 20 8A -.....3.&.$... .
0100: B2 32 3D FC 8D 2D EF B9 1A 94 7D 98 17 69 C1 65 .2=..-.......i.e
0110: 39 F2 1E C6 FA B5 ED 0E 15 D4 DB 7F 02 7C 3C FF 9.............<.
0120: 01 00 01 00 ....
)
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.908 CET|SSLEngineImpl.java:752|Closing outbound of SSLEngine
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.908 CET|SSLEngineImpl.java:724|Closing inbound of SSLEngine
javax.net.ssl|ERROR|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.908 CET|TransportContext.java:341|Fatal (INTERNAL_ERROR): closing inbound before receiving peer's close_notify (
"throwable" : {
javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:283)
at java.base/sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:733)
at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1848)
at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1115)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:248)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:241)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1405)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:248)
at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:901)
at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:819)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:497)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:834)}
)
javax.net.ssl|ALL|31|tcp-client-loop-nio-2|2021-03-14 18:20:22.908 CET|SSLSessionImpl.java:784|Invalidated session: Session(1615742422831|SSL_NULL_WITH_NULL_NULL)
2021-03-14 18:20:22.911 INFO 62266 --- [ient-loop-nio-2] o.s.m.s.s.StompBrokerRelayMessageHandler : TCP connection failure in session _system_: Failed to connect: null
java.nio.channels.ClosedChannelException: null
at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1112) ~[netty-handler-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:248) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:241) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1405) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:248) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:901) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:819) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) ~[netty-common-4.1.58.Final.jar:4.1.58.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) ~[netty-common-4.1.58.Final.jar:4.1.58.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:497) ~[netty-transport-4.1.58.Final.jar:4.1.58.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[netty-common-4.1.58.Final.jar:4.1.58.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.58.Final.jar:4.1.58.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.58.Final.jar:4.1.58.Final]
at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

Hadoop standby UI not coming up after enabling SSL. no cipher suites in common

I have enabled SSL in hadoop cluster in ambari using signed certs via custom self-signed CA. However, only Namenode1 UI is opening and Namenode2 UI is giving ERR_SSL_VERSION_OR_CIPHER_MISMATCH. All signed certs including CA cert are in java truststore and custom truststore. In backend, cluster is up and running Active/Slave mode as it should be. Pasted debug logs for server & client ssl handshake.
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1552146602 bytes = { 124, 246, 85, 32, 231, 117, 102, 26, 129, 194, 161, 10, 142, 155, 11, 83, 45, 193, 13, 189, 43, 178, 57, 21, 53, 202, 219, 200 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=example-infra-01.example.com]
***
main, WRITE: TLSv1.2 Handshake, length = 232
main, READ: TLSv1.2 Handshake, length = 1461
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1552146602 bytes = { 74, 111, 68, 189, 88, 130, 151, 116, 37, 202, 171, 111, 66, 248, 239, 41, 250, 142, 55, 7, 207, 189, 203, 250, 210, 210, 141, 80 }
Session ID: {93, 132, 225, 170, 221, 77, 24, 110, 248, 135, 94, 71, 89, 216, 117, 97, 101, 98, 53, 53, 19, 30, 141, 221, 62, 185, 153, 241, 122, 113, 23, 100}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
Extension extended_master_secret
***
%% Initialized: [Session-7, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: EMAILADDRESS=exampletest02#example.com, CN=example-infra-01.example.com, OU=dev, O=org, L=current, ST=state, C=country
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 21841755142500677173038686755031873041366701846670510917687245038534981997174536899121267104976251234487931691682356456587057979146131226006486802945627458953213345485002320762746572550140153263127388890940484242628083923909940555188294345156730990162012315907130788552918940050956069183125819873814807318195323024331782362924669648387137160317840086368280513586813886958200363786656575039759673832758101555834192465439708239536183449763070916218201916947796469040269718952095684909120070890691280563367820197999332144131568815041448905148594619506642918085699503567938203770656599824571574354719182434767493343531767
public exponent: 65537
Validity: [From: Fri Sep 20 11:20:44 UTC 2019,
To: Mon Sep 17 11:20:44 UTC 2029]
Issuer: EMAILADDRESS=exampletest02#example.com, CN=exampletest02CA, OU=dev, O=org, L=current, ST=state, C=country
SerialNumber: [ f353]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: example-infra-01.example.com
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 54 F3 7D 47 26 59 C8 1A B8 35 04 45 88 B8 64 ED T..G&Y...5.E..d.
0010: 9B BD CB 80 D0 34 3D B5 B2 FF A7 71 A6 12 4A 26 .....4=....q..J&
0020: DE EC 2B A3 7D 10 E4 5E 94 EE 01 E0 9A 54 F2 EA ..+....^.....T..
0030: EC 3C 1B B6 5B 90 73 11 3B 3C DC FB 85 FF CE 8E .<..[.s.;<......
0040: 03 41 6C CE 81 89 25 0C 7C EF 03 AE 31 2F 8D CD .Al...%.....1/..
0050: AB C2 81 6C DB 7E CA 07 00 0F B6 01 E4 67 EA A0 ...l.........g..
0060: 84 3B 94 6A 53 5B 47 70 0B 58 BE 2D D4 2E D5 F8 .;.jS[Gp.X.-....
0070: 00 7E D2 1D C4 C1 D3 0F 42 5D 83 0E 8A DB A9 89 ........B]......
0080: 82 5A D8 5E D5 C8 B6 CE 51 E8 36 EC 23 1B 13 8C .Z.^....Q.6.#...
0090: 2D 93 B3 1B F4 37 A1 B5 BA 56 B7 00 51 96 CE CB -....7...V..Q...
00A0: BB 53 8C F8 60 0E 90 0B A7 1C 58 5F 54 D9 BE B7 .S..`.....X_T...
00B0: 61 06 8A 67 25 0C D5 68 15 14 34 BB 69 F2 96 66 a..g%..h..4.i..f
00C0: CE DC 57 3A 90 E5 22 1D 52 8E 89 68 AC 3D C3 3B ..W:..".R..h.=.;
00D0: 19 CA 59 C6 03 6C 16 38 4E 94 25 49 53 49 6C B2 ..Y..l.8N.%ISIl.
00E0: CE 13 13 82 C5 84 E5 5E 1B 9B 94 54 23 B8 29 1E .......^...T#.).
00F0: 17 E0 4A 5F BF 58 DE 9E 2A 25 9B C2 32 EA E5 F6 ..J_.X..*%..2...
]
***
Found trusted certificate:
[
[
Version: V3
Subject: EMAILADDRESS=exampletest02#example.com, CN=example-infra-01.example.com, OU=dev, O=org, L=current, ST=state, C=country
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 21841755142500677173038686755031873041366701846670510917687245038534981997174536899121267104976251234487931691682356456587057979146131226006486802945627458953213345485002320762746572550140153263127388890940484242628083923909940555188294345156730990162012315907130788552918940050956069183125819873814807318195323024331782362924669648387137160317840086368280513586813886958200363786656575039759673832758101555834192465439708239536183449763070916218201916947796469040269718952095684909120070890691280563367820197999332144131568815041448905148594619506642918085699503567938203770656599824571574354719182434767493343531767
public exponent: 65537
Validity: [From: Fri Sep 20 11:20:44 UTC 2019,
To: Mon Sep 17 11:20:44 UTC 2029]
Issuer: EMAILADDRESS=exampletest02#example.com, CN=exampletest02CA, OU=dev, O=org, L=current, ST=state, C=country
SerialNumber: [ f353]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: example-infra-01.example.com
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 54 F3 7D 47 26 59 C8 1A B8 35 04 45 88 B8 64 ED T..G&Y...5.E..d.
0010: 9B BD CB 80 D0 34 3D B5 B2 FF A7 71 A6 12 4A 26 .....4=....q..J&
0020: DE EC 2B A3 7D 10 E4 5E 94 EE 01 E0 9A 54 F2 EA ..+....^.....T..
0030: EC 3C 1B B6 5B 90 73 11 3B 3C DC FB 85 FF CE 8E .<..[.s.;<......
0040: 03 41 6C CE 81 89 25 0C 7C EF 03 AE 31 2F 8D CD .Al...%.....1/..
0050: AB C2 81 6C DB 7E CA 07 00 0F B6 01 E4 67 EA A0 ...l.........g..
0060: 84 3B 94 6A 53 5B 47 70 0B 58 BE 2D D4 2E D5 F8 .;.jS[Gp.X.-....
0070: 00 7E D2 1D C4 C1 D3 0F 42 5D 83 0E 8A DB A9 89 ........B]......
0080: 82 5A D8 5E D5 C8 B6 CE 51 E8 36 EC 23 1B 13 8C .Z.^....Q.6.#...
0090: 2D 93 B3 1B F4 37 A1 B5 BA 56 B7 00 51 96 CE CB -....7...V..Q...
00A0: BB 53 8C F8 60 0E 90 0B A7 1C 58 5F 54 D9 BE B7 .S..`.....X_T...
00B0: 61 06 8A 67 25 0C D5 68 15 14 34 BB 69 F2 96 66 a..g%..h..4.i..f
00C0: CE DC 57 3A 90 E5 22 1D 52 8E 89 68 AC 3D C3 3B ..W:..".R..h.=.;
00D0: 19 CA 59 C6 03 6C 16 38 4E 94 25 49 53 49 6C B2 ..Y..l.8N.%ISIl.
00E0: CE 13 13 82 C5 84 E5 5E 1B 9B 94 54 23 B8 29 1E .......^...T#.).
00F0: 17 E0 4A 5F BF 58 DE 9E 2A 25 9B C2 32 EA E5 F6 ..J_.X..*%..2...
]
check handshake state: server_key_exchange[12]
update handshake state: server_key_exchange[12]
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 71243459788679529452333968749910729075781137069187014570295198815671440442567
public y coord: 113361508572920438429337576097115462276383236410260704000629230880259446655931
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
check handshake state: server_hello_done[14]
update handshake state: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 152, 139, 246, 59, 71, 138, 250, 25, 160, 51, 106, 181, 172, 76, 157, 91, 105, 32, 165, 230, 140, 77, 233, 215, 0, 196, 240, 108, 155, 117, 232, 15, 162, 215, 135, 203, 87, 222, 29, 97, 172, 72, 136, 204, 71, 25, 247, 149, 241, 148, 109, 231, 95, 118, 19, 176, 121, 145, 52, 44, 166, 16, 187, 155 }
update handshake state: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 7F DA 03 00 E7 C3 71 FA 17 21 E6 F3 A0 3D E2 36 ......q..!...=.6
0010: BD 95 F2 6F 99 72 77 99 8F 80 F7 38 44 8D 82 F6 ...o.rw....8D...
CONNECTION KEYGEN:
Client Nonce:
0000: 5D 84 E1 AA 7C F6 55 20 E7 75 66 1A 81 C2 A1 0A ].....U .uf.....
0010: 8E 9B 0B 53 2D C1 0D BD 2B B2 39 15 35 CA DB C8 ...S-...+.9.5...
Server Nonce:
0000: 5D 84 E1 AA 4A 6F 44 BD 58 82 97 74 25 CA AB 6F ]...JoD.X..t%..o
0010: 42 F8 EF 29 FA 8E 37 07 CF BD CB FA D2 D2 8D 50 B..)..7........P
Master Secret:
0000: 0B E0 95 54 2E EE 98 F8 10 16 1B 09 D1 B5 17 8E ...T............
0010: B7 79 CC 19 14 CF 26 FF B6 78 BC CA FC 0D F9 03 .y....&..x......
0020: 8F 2F B9 0C 61 13 BD C5 BF 55 80 FE FE 0E FA B1 ./..a....U......
Client MAC write Secret:
0000: 68 B0 DB F5 7C F5 B4 B6 CA 55 1F E3 FC 02 03 8A h........U......
0010: 26 7A FF 5C 43 7D 7C D4 9E 13 4A F1 37 FB 87 BC &z.\C.....J.7...
0020: 8A 2B 0E 02 CC B0 10 59 8D 18 B7 E8 9F D4 1B 57 .+.....Y.......W
Server MAC write Secret:
0000: B5 EE 51 5F 4B FC 2E F6 72 CF 51 8A 9E 77 00 90 ..Q_K...r.Q..w..
0010: D7 73 B4 95 03 99 38 CE B8 13 C5 53 FA 45 7F 90 .s....8....S.E..
0020: 23 B2 9F 47 CB 43 B6 2C 89 1E 33 EB 74 C1 05 70 #..G.C.,..3.t..p
Client write key:
0000: D5 2C 69 E9 C9 45 A2 09 F2 C5 19 8C FE 78 F4 64 .,i..E.......x.d
0010: 38 8E E1 7A D1 4A 23 8F 82 11 31 B5 91 E8 6F D1 8..z.J#...1...o.
Server write key:
0000: 69 24 D3 17 8A 54 8D 14 3A 62 0D 0B AC 05 BA 9E i$...T..:b......
0010: 1B BD C2 79 EF 8F 79 A7 27 A4 65 4F 66 DB E6 33 ...y..y.'.eOf..3
... no IV derived for this protocol
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 128, 248, 254, 214, 242, 88, 203, 66, 123, 158, 131, 38 }
***
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 96
main, READ: TLSv1.2 Change Cipher Spec, length = 1
update handshake state: change_cipher_spec
upcoming handshake states: server finished[20]
main, READ: TLSv1.2 Handshake, length = 96
check handshake state: finished[20]
update handshake state: finished[20]
*** Finished
verify_data: { 7, 205, 135, 154, 166, 68, 152, 172, 238, 87, 23, 223 }
***
%% Cached client session: [Session-7, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
main, WRITE: TLSv1.2 Application Data, length = 400
main, READ: TLSv1.2 Application Data, length = 304
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT: warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 80
main, called closeSocket(true)
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(60000) called
main, the previous server name in SNI (type=host_name (0), value=example-infra-01.example.com) was replaced with (type=host_name (0), value=example-infra-01.example.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% Client cached [Session-7, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
%% Try resuming [Session-7, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] from port 38288
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1552146602 bytes = { 156, 4, 46, 63, 96, 91, 233, 184, 59, 248, 73, 0, 6, 45, 107, 156, 136, 184, 177, 47, 63, 14, 208, 172, 82, 179, 167, 79 }
Session ID: {93, 132, 225, 170, 221, 77, 24, 110, 248, 135, 94, 71, 89, 216, 117, 97, 101, 98, 53, 53, 19, 30, 141, 221, 62, 185, 153, 241, 122, 113, 23, 100}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=example-infra-01.example.com]
***
main, WRITE: TLSv1.2 Handshake, length = 264
main, READ: TLSv1.2 Handshake, length = 85
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1552146602 bytes = { 54, 37, 146, 192, 105, 253, 113, 196, 34, 251, 28, 19, 242, 223, 145, 202, 72, 194, 181, 147, 86, 35, 253, 145, 193, 227, 29, 180 }
Session ID: {93, 132, 225, 170, 221, 77, 24, 110, 248, 135, 94, 71, 89, 216, 117, 97, 101, 98, 53, 53, 19, 30, 141, 221, 62, 185, 153, 241, 122, 113, 23, 100}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
CONNECTION KEYGEN:
Client Nonce:
0000: 5D 84 E1 AA 9C 04 2E 3F 60 5B E9 B8 3B F8 49 00 ]......?`[..;.I.
0010: 06 2D 6B 9C 88 B8 B1 2F 3F 0E D0 AC 52 B3 A7 4F .-k..../?...R..O
Server Nonce:
0000: 5D 84 E1 AA 36 25 92 C0 69 FD 71 C4 22 FB 1C 13 ]...6%..i.q."...
0010: F2 DF 91 CA 48 C2 B5 93 56 23 FD 91 C1 E3 1D B4 ....H...V#......
Master Secret:
0000: 0B E0 95 54 2E EE 98 F8 10 16 1B 09 D1 B5 17 8E ...T............
0010: B7 79 CC 19 14 CF 26 FF B6 78 BC CA FC 0D F9 03 .y....&..x......
0020: 8F 2F B9 0C 61 13 BD C5 BF 55 80 FE FE 0E FA B1 ./..a....U......
Client MAC write Secret:
0000: E0 19 EA 79 72 6D 05 6B 85 E6 14 1D 97 73 B9 40 ...yrm.k.....s.#
0010: 43 9B 1F 2E A5 B3 67 84 B0 9D 16 C9 E0 EC 0A 68 C.....g........h
0020: EF 31 10 83 19 D1 A3 CA 6A 83 3F AC 31 A2 B6 E5 .1......j.?.1...
Server MAC write Secret:
0000: E0 73 33 C9 08 40 53 30 21 BA 38 F7 BD F6 8D 81 .s3..#S0!.8.....
0010: 27 24 5F 05 78 A8 DC 77 04 30 19 32 06 79 39 54 '$_.x..w.0.2.y9T
0020: A9 AA 46 87 CD C9 12 FD 92 DD B6 0E 9A 36 96 17 ..F..........6..
Client write key:
0000: 4D F3 EF 58 06 82 5B 6E 5B FB 3C 06 D6 BF 31 6D M..X..[n[.<...1m
0010: 8B B2 17 D0 70 A3 12 60 A9 8D E9 EB E3 B6 D5 1C ....p..`........
Server write key:
0000: 31 BD FD 1E 38 51 61 57 E5 F3 47 4D 0C 76 3D 92 1...8QaW..GM.v=.
0010: 74 1F 3C 27 23 7A C7 91 01 B1 27 90 0C 3C EC A6 t.<'#z....'..<..
... no IV derived for this protocol
%% Server resumed [Session-7, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
update handshake state: server_hello[2]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
main, READ: TLSv1.2 Change Cipher Spec, length = 1
update handshake state: change_cipher_spec
upcoming handshake states: server finished[20]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
main, READ: TLSv1.2 Handshake, length = 96
check handshake state: finished[20]
update handshake state: finished[20]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
*** Finished
verify_data: { 75, 62, 236, 200, 14, 200, 178, 123, 37, 211, 140, 250 }
***
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 185, 171, 138, 219, 67, 211, 3, 16, 36, 213, 230, 75 }
***
update handshake state: finished[20]
main, WRITE: TLSv1.2 Handshake, length = 96
main, WRITE: TLSv1.2 Application Data, length = 1408
main, READ: TLSv1.2 Application Data, length = 880
main, setSoTimeout(60000) called
main, WRITE: TLSv1.2 Application Data, length = 560
main, READ: TLSv1.2 Application Data, length = 912
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
qtp2092801316-44, READ: TLSv1 Handshake, length = 211
check handshake state: client_hello[1]
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1465277827 bytes = { 145, 94, 102, 159, 70, 125, 116, 216, 246, 70, 130, 67, 253, 91, 217, 187, 215, 75, 95, 191, 145, 123, 47, 190, 114, 8, 235, 115 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xaa, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=example-mst-02.example.com]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withECDSA, Unknown (hash:0x8, signature:0x4), Unknown (hash:0x8, signature:0x5), Unknown (hash:0x8, signature:0x6), SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA256withDSA, Unknown (hash:0x5, signature:0x2), Unknown (hash:0x6, signature:0x2), SHA1withDSA
***
%% Initialized: [Session-8, SSL_NULL_WITH_NULL_NULL]
matching alias: example-mst-02.example.com
matching alias: example-mst-02.example.com
matching alias: example-mst-02.example.com
matching alias: example-mst-02.example.com
qtp2092801316-44, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-8, SSL_NULL_WITH_NULL_NULL]
qtp2092801316-44, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
qtp2092801316-44, WRITE: TLSv1.2 Alert, length = 2
qtp2092801316-44, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp2092801316-44, called closeOutbound()
qtp2092801316-44, closeOutboundInternal()
Using SSLEngineImpl.

Oracle 12c SSL using JDBC get "Got minus one from a read call" error

I am trying to connect to Oracle 12c using SSL through JDBC. I am using ojdbc7.jar driver. Both client and server are Windows. Turned off firewall on both ends. Below is the output with ssl tracing on.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1430334282 bytes = { 69, 83, 91, 133, 150, 187, 85, 213, 202, 198, 31, 165, 246, 255, 111, 126, 81, 247, 157, 183, 87, 124, 202, 202, 207, 56, 95, 72 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1 Handshake, length = 52
main, WRITE: SSLv2 client hello message, length = 50
main, READ: TLSv1 Handshake, length = 81
*** ServerHello, TLSv1
RandomCookie: GMT: 1430334282 bytes = { 222, 187, 114, 112, 185, 5, 24, 154, 27, 211, 110, 74, 27, 132, 102, 122, 148, 54, 211, 238, 236, 145, 39, 248, 95, 175, 5, 12 }
Session ID: {21, 95, 112, 37, 202, 22, 159, 81, 226, 171, 215, 84, 234, 128, 65, 150, 0, 250, 176, 102, 80, 188, 149, 6, 158, 212, 252, 235, 133, 209, 51, 127}
Cipher Suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
** SSL_RSA_WITH_3DES_EDE_CBC_SHA
main, READ: TLSv1 Handshake, length = 447
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=root_test, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 94182750650626781017220006010494789598067049291234592396111660568098076182306818772228773813222462430912731999733961420261369515567490874689665410658883934411598110479180388509795935352224877898397466823821735995311132530061707293945910076028247649797215982116364807695484530610638408551986552865648301686753
public exponent: 65537
Validity: [From: Tue Apr 28 11:25:24 EDT 2015,
To: Fri Apr 25 11:25:24 EDT 2025]
Issuer: CN=root_test, C=US
SerialNumber: [ 00]
]
Algorithm: [MD5withRSA]
Signature:
0000: 1D 1B A5 C0 E9 6C 9D DA 1F 84 FC 64 3D E9 E9 69 .....l.....d=..i
0010: 46 F2 E8 F9 54 64 55 F2 A7 46 D5 86 FF 9A 4A 5E F...TdU..F....J^
0020: EE 32 95 B5 43 D8 91 69 41 A2 DF 66 92 9C CE 87 .2..C..iA..f....
0030: AC 92 A7 E7 51 EB CF 0C 6F 77 AA F5 69 88 65 58 ....Q...ow..i.eX
0040: 4D FB 18 C9 BB 4A 60 C5 69 7C 1A 89 F7 02 5E 10 M....J`.i.....^.
0050: 27 C0 4F 27 22 DA 80 C0 D2 0E D7 3B F4 41 03 4C '.O'"......;.A.L
0060: 1F 29 1D 68 B1 68 04 1A E3 B3 BB 3F 95 88 BA 6C .).h.h.....?...l
0070: 53 20 36 5E 2B 3A 84 60 B0 9C 39 02 D0 BD 15 45 S 6^+:.`..9....E
]
***
Found trusted certificate:
[
[
Version: V1
Subject: CN=root_test, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 94182750650626781017220006010494789598067049291234592396111660568098076182306818772228773813222462430912731999733961420261369515567490874689665410658883934411598110479180388509795935352224877898397466823821735995311132530061707293945910076028247649797215982116364807695484530610638408551986552865648301686753
public exponent: 65537
Validity: [From: Tue Apr 28 11:25:24 EDT 2015,
To: Fri Apr 25 11:25:24 EDT 2025]
Issuer: CN=root_test, C=US
SerialNumber: [ 00]
]
Algorithm: [MD5withRSA]
Signature:
0000: 1D 1B A5 C0 E9 6C 9D DA 1F 84 FC 64 3D E9 E9 69 .....l.....d=..i
0010: 46 F2 E8 F9 54 64 55 F2 A7 46 D5 86 FF 9A 4A 5E F...TdU..F....J^
0020: EE 32 95 B5 43 D8 91 69 41 A2 DF 66 92 9C CE 87 .2..C..iA..f....
0030: AC 92 A7 E7 51 EB CF 0C 6F 77 AA F5 69 88 65 58 ....Q...ow..i.eX
0040: 4D FB 18 C9 BB 4A 60 C5 69 7C 1A 89 F7 02 5E 10 M....J`.i.....^.
0050: 27 C0 4F 27 22 DA 80 C0 D2 0E D7 3B F4 41 03 4C '.O'"......;.A.L
0060: 1F 29 1D 68 B1 68 04 1A E3 B3 BB 3F 95 88 BA 6C .).h.h.....?...l
0070: 53 20 36 5E 2B 3A 84 60 B0 9C 39 02 D0 BD 15 45 S 6^+:.`..9....E
]
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 9A D9 43 0E 09 9F B4 6D 08 0A D2 72 1E 72 ....C....m...r.r
0010: 44 4E D5 1C 1E D9 99 C8 F4 D0 22 15 47 77 DA 1A DN........".Gw..
0020: 88 9B 4E B3 E4 6C 37 C0 35 73 39 30 D7 78 11 B6 ..N..l7.5s90.x..
CONNECTION KEYGEN:
Client Nonce:
0000: 55 41 2B 4A 45 53 5B 85 96 BB 55 D5 CA C6 1F A5 UA+JES[...U.....
0010: F6 FF 6F 7E 51 F7 9D B7 57 7C CA CA CF 38 5F 48 ..o.Q...W....8_H
Server Nonce:
0000: 55 41 2B 4A DE BB 72 70 B9 05 18 9A 1B D3 6E 4A UA+J..rp......nJ
0010: 1B 84 66 7A 94 36 D3 EE EC 91 27 F8 5F AF 05 0C ..fz.6....'._...
Master Secret:
0000: 7B AB FC 97 08 50 8A 52 98 91 B0 47 70 99 45 95 .....P.R...Gp.E.
0010: 62 3F B1 34 E7 B5 8D DF 8C 63 69 75 BC 58 0D 3A b?.4.....ciu.X.:
0020: A7 A6 4E CD 0A E5 24 35 7A 19 6F 4C F5 AB 4C 58 ..N...$5z.oL..LX
Client MAC write Secret:
0000: D1 C9 88 93 14 80 46 A0 46 AC 3D DB 5E B2 BE C6 ......F.F.=.^...
0010: B3 0C 7E 45 ...E
Server MAC write Secret:
0000: 6E 16 66 BB 8D BB E8 B8 02 15 55 A2 82 86 2D A4 n.f.......U...-.
0010: 88 C0 EC E6 ....
Client write key:
0000: 17 92 22 F9 96 1D B2 F3 93 98 31 92 9B 96 37 9F ..".......1...7.
0010: 1D FE 02 6E 72 B2 91 CC ...nr...
Server write key:
0000: 2F EA 3E 02 D4 3A 3C 22 97 E5 EA 5E A7 76 2D 10 /.>..:<"...^.v-.
0010: 21 F1 D7 D8 BD 30 E0 86 !....0..
Client write IV:
0000: 2A EB 11 81 89 C6 2F 67 *...../g
Server write IV:
0000: D4 47 D1 03 CF B7 04 74 .G.....t
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 230, 88, 202, 9, 39, 20, 124, 226, 73, 60, 170, 78 }
***
main, WRITE: TLSv1 Handshake, length = 40
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 40
*** Finished
verify_data: { 214, 171, 38, 239, 184, 194, 2, 22, 90, 90, 22, 199 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
main, WRITE: TLSv1 Application Data, length = 240
main, received EOFException: ignored
main, called closeInternal(false)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 24
main, called closeSocket(selfInitiated)
main, called close()
main, called closeInternal(true)
java.sql.SQLRecoverableException: IO Error: Got minus one from a read call
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:673)
at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:715)
at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:385)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:30)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:564)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:187)
at oracletest.OracleTest.main(OracleTest.java:45)
Caused by: oracle.net.ns.NetException: Got minus one from a read call
at oracle.net.ns.Packet.receive(Packet.java:314)
at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:153)
at oracle.net.ns.NSProtocol.connect(NSPro`enter code here`tocol.java:263)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1360)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:486)
... 7 more

Without seeing your code:
There is an EOFException, which is ignored.
That main, SEND TLSv1 ALERT: warning, description = close_notify is a signal from the SSL layer(!), that it is closing the connection remotely.
I suspect the server refused your connection for some reason.
close_notify
This message notifies the recipient that the sender will not send any more messages on this connection.
Note that as of TLS 1.1, failure to properly close a connection no longer requires that a session not be resumed. This is a change from TLS 1.0 to conform with widespread implementation practice.
Either party may initiate a close by sending a close_notify alert. Any data received after a closure alert is ignored.

The server terminated the connection (EOF). The reason will show in the server-side traces. I would turn on tracing for both the listener the database processes:
listener.ora parameters:
DIAG_ADR_ENABLED_LISTNER=OFF
TRACE_DIRECTORY_LISTENER = <path>
TRACE_LEVEL_LISTENER = 16
sqlnet.ora parameters:
DIAG_ADR_ENABLED=OFF
TRACE_LEVEL_SERVER = 16
TRACE_DIRECTORY_SERVER = <path>

SSL certificate verify failure every other time

The following code gives an error on heroku, but only every other time.
host = "api.pagepeeker.com"
cert = "/usr/lib/ssl/certs/ca-certificates.crt"
(0..19).map do |i|
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.set_params(ca_file: cert, verify_mode: 1)
s = OpenSSL::SSL::SSLSocket.new(TCPSocket.open(host, 443, nil, nil), ssl_context)
s.sync_close = true
s.hostname = host
begin
s.connect
rescue
"error"
else
"ok"
ensure
s.close
end
end.join(' ')
#=> ok error ok error ok error ok error ok error
The error is: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
This corresponds to Net::HTTP.get(URI.parse("https://api.pagepeeker.com"))
I am stumped by the alternating failures and successes. Upgrading OpenSSL from 0.9.8k to 1.0.1e did not help.

Sorry about the second answer. The first was too long to tack on, and this is a different finding.
It appears part of the problem is pagepeeker.com is not sending all the certificates required to validate the chain. That is, its not sending required intermediate certificates.
If pagepeeker.com does not send all the required certificates, then the client encounters the "which directory" problem. Its well known in PKI, and it means a client has no idea which X500 directory it should query to find the missing intermediate certificates.
Now, back to your problem: you might be seeing an intermittent problem because there could be one misconfigured server in a load balanced environment. Part of the solution to your problem may be the pagekeeper.com server sending all required certificates.
Here's the certificates sent by pagekeeper.com:
$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443 -showcerts
CONNECTED(00000003)
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.florescu#gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.florescu#gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.florescu#gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu#gmail.com
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
-----BEGIN CERTIFICATE-----
MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTMwMTAzMDA0OTAx
WhcNMTQwMTA0MTIxOTIwWjByMRkwFwYDVQQNExA4Q1RPNmdTdXhlUlJzSVhsMQsw
CQYDVQQGEwJSTzEbMBkGA1UEAxMSYXBpLnBhZ2VwZWVrZXIuY29tMSswKQYJKoZI
hvcNAQkBFhxhbGV4YW5kcnUuZmxvcmVzY3VAZ21haWwuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2o4+19SXbidxdD02hFaBytgqz97/8Newj1lz
wOILWsTbc26/pTkDzN7IHphpPR8tJp3lH7OqV3cTshonu9ouTxxoqBAcVN+6ClSM
fH4IHFLmywcab6Rb7nhUUcFgwEWUfHbCH41fV+Yx7+tFpmzChwDMvp5m1cIVZWEb
kSk9tSTnOXT2PIAaFmVhqRJ9gFkOxrl5jNmVyo0RH3xdJ7M/pE8mK/oLcOXA9Oev
4p6d37OwbftoBOclmenDWo1fz7kgF3+BQCs5IAHQ1rnhI4v8+MelQpzUWUrxdvjX
z64KftQ9spVYl0XAMshHjncXenIO+owPGJ9NbTcE6W4GKYtCvwIDAQABo4IC5zCC
AuMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
HQYDVR0OBBYEFLU812MJONAqhRD11CpkAX0ZofLEMB8GA1UdIwQYMBaAFOtCNNCY
sKuf9BtrCPfMZC7vDixFMC0GA1UdEQQmMCSCEmFwaS5wYWdlcGVla2VyLmNvbYIO
cGFnZXBlZWtlci5jb20wggFWBgNVHSAEggFNMIIBSTAIBgZngQwBAgEwggE7Bgsr
BgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wu
Y29tL3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29tIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRlIHdhcyBp
c3N1ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRpb24gcmVxdWly
ZW1lbnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlhbmNlIG9ubHkg
Zm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ugb2YgdGhlIHJl
bHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6
Ly9jcmwuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDCBjgYIKwYBBQUHAQEEgYEw
fzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1Yi9jbGFz
czEvc2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0c3NsLmNv
bS9jZXJ0cy9zdWIuY2xhc3MxLnNlcnZlci5jYS5jcnQwIwYDVR0SBBwwGoYYaHR0
cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQAxdu/aWSFN
iY1TkIxvA6w5XZPS93hIRoNOfs4xUkA7LGNAEnCt0WWe33lkyC9tHBbL3Li8pJib
bQZkgK7yX79KgwUlzHaAIlXcL4WYAhLroGbjvkzv5ldmt1hTcOCtFMVhPbBEGomB
U1XBQPaoba+D2ve7ZbUJihdMUSyIps8540fHC4G4CVpLxelc34OjdknyLTIsUpIF
ey2x9eazXnCKwjC5BgrEDIyE0ew8v5Xf/Gov4718ozc60CWLv4SNQzwMgrjNElEa
vOjjDljCFJ6xjJag00uf1xJjQ1C4g2mT6oQcZCMP4x6VlEXen9xZfI5RAfTw9ElL
5FJ1IIaJc7+5
-----END CERTIFICATE-----
---
Server certificate
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu#gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1957 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 92E4B4B744DDFE63EBD2EDC8D0D6065FF9D05589FD10A05E0C971F6CE0B2526D
Session-ID-ctx:
Master-Key: CE01E4B9BFB3D0F3B95F81004013320DE44BFBE399AB84ABA047C0064DBDABC200CE5472F74EA5881BF99F66A58729F7
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 63 03 ce 7b 9b 75 3b 4d-7f 1c dd f0 6d 56 1c 32 c..{.u;M....mV.2
0010 - c2 af 84 b2 1c c8 aa 18-6c 90 54 68 46 96 8f 5d ........l.ThF..]
0020 - 26 11 e7 37 89 e4 a4 29-ff 26 04 20 c8 08 f4 8a &..7...).&. ....
0030 - de cf 38 b1 57 83 ae 45-41 51 48 c1 7c b9 df 0f ..8.W..EAQH.|...
0040 - 6a e1 c7 75 93 b4 24 5c-5f 63 97 ce 2d b7 12 eb j..u..$\_c..-...
0050 - 05 a8 57 d3 4d af 31 5d-18 b3 f8 8e 02 70 6f 2f ..W.M.1].....po/
0060 - fe 33 18 c6 7d 83 58 76-37 5f 59 9a ed e5 28 ae .3..}.Xv7_Y...(.
0070 - d5 5a 9f a4 46 13 55 f3-14 aa 47 f5 b6 63 e8 76 .Z..F.U...G..c.v
0080 - 82 bf 2c f9 35 9a 01 fc-3d e9 2e 8f 1f ca a5 67 ..,.5...=......g
0090 - 3b 55 6f f4 4d c1 fa 79-40 20 6d 82 f7 49 58 7a ;Uo.M..y# m..IXz
Start Time: 1380751071
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
If you look at something from, for example Google, you will see the entire chain is sent:
$ echo "GET / HTTP\1.1" | openssl s_client -connect encrypted.google.com:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIHIDCCBgigAwIBAgIIKTc2rLt+oBEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMwOTExMTA1MDIxWhcNMTQwOTExMTA1MDIx
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq02vkZCV
ERg2AdnOE9/NLiCNJ/0oxe+7O7eAv3Oc2xTKCaT/fXrGjMnYP+g5povMi2peIPXY
eUCnONd3KGj1f4SaLPIzoIfErwsYEMq5GBWSEqXXvPSKbv/NIU6NT/FFd5GvQY3P
KtB4+DCLXWzLUBExqGYcw+F7bfut5l/RV/uFazi8nlROgXB59LRCjbo6fiI7+kjh
+CBteUXJuGd0gRYm08KVnLOM3qi0RzjYStqLxDTAbMgAVWFN5hKcNt0R0hYBGMMO
vyHIDXXAWVlgzKMHyrpvjSwcts4nML6xO7bKzKLZZbfQ5HRRlyj6eGI+aNopNl1b
Mbw3Qul5WA5s6wIDAQABo4ID7TCCA+kwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMIICwwYDVR0RBIICujCCAraCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lk
LmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29t
ghYqLmdvb2dsZS1hbmFseXRpY3MuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUu
Y2yCDiouZ29vZ2xlLmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28u
dWuCDyouZ29vZ2xlLmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5j
b20uYnKCDyouZ29vZ2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2ds
ZS5jb20udHKCDyouZ29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xl
LmVzggsqLmdvb2dsZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdv
b2dsZS5ubIILKi5nb29nbGUucGyCCyouZ29vZ2xlLnB0gg8qLmdvb2dsZWFwaXMu
Y26CFCouZ29vZ2xlY29tbWVyY2UuY29tgg0qLmdzdGF0aWMuY29tggwqLnVyY2hp
bi5jb22CECoudXJsLmdvb2dsZS5jb22CFioueW91dHViZS1ub2Nvb2tpZS5jb22C
DSoueW91dHViZS5jb22CFioueW91dHViZWVkdWNhdGlvbi5jb22CCyoueXRpbWcu
Y29tggthbmRyb2lkLmNvbYIEZy5jb4IGZ29vLmdsghRnb29nbGUtYW5hbHl0aWNz
LmNvbYIKZ29vZ2xlLmNvbYISZ29vZ2xlY29tbWVyY2UuY29tggp1cmNoaW4uY29t
ggh5b3V0dS5iZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29tMGgG
CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t
L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j
b20vb2NzcDAdBgNVHQ4EFgQUWdyXs0sRMgoX3k/dpzVLlcMD+l8wDAYDVR0TAQH/
BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAO
MAwGCisGAQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAHuO6zcxRTMJl60MP
jreD1J+5+nWy6IcpWlaAaLFclcVtz+FMNAi727OR3oX4JjlTbHNWZ94MCzPObxZN
8+OBrfWQ6GYIwgeTBoRH9Q4zp5HvxtsWGOkbJSU4DTXKm/oVXoOdb8O+3xLJKRBF
C3aH6tK31KR+strGrpX3nyGm8aFaLcFp9ChiWaBTKcCLF+hJAoAJ0+4LZAlZQODd
LhWbVVLPMKr0IDpaP/ElX9n3gVmYdExvtcYVdcgSEVf3axx44A4dXXTt3KBnrzAd
MvFpqRxHCU86WGw5cNq9pi62hh4D8sZAZf0vMshiOKCLtxeQa3IByJy23Kb0CDcQ
6R8Zww==
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 4410 bytes and written 448 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: D87198A1294D6B41660C0DA153137348B6F65BBD2E6B7D410104964C21A33682
Session-ID-ctx:
Master-Key: 2967DF01FECCBC2EF444C7723BD3CA105C522BFC613D568F8D65D3D28F2A8CD6EF031D9B6D3132DE3D8B3364ED061A41
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 8b 66 a6 c9 dd b3 2e c8-f6 2e 87 18 3c 90 8b 57 .f..........<..W
0010 - 77 18 39 be 93 40 fe 20-6a 08 1d f3 54 3a f1 22 w.9..#. j...T:."
0020 - d3 eb 51 8c 56 23 bc 87-51 0e 12 6b 23 57 ba 67 ..Q.V#..Q..k#W.g
0030 - f2 5b c2 78 d7 8f 06 99-42 97 7c ce 7f 99 4a 74 .[.x....B.|...Jt
0040 - ef ec 55 f2 77 64 f3 3e-c8 24 e7 45 92 1b 54 ef ..U.wd.>.$.E..T.
0050 - 79 f2 3b 0f 69 35 84 7d-cd 21 0a 45 b6 8a b9 e4 y.;.i5.}.!.E....
0060 - 61 9a 8e 7b c5 e9 26 82-56 27 b4 f3 25 b8 82 5b a..{..&.V'..%..[
0070 - 19 8b ce b9 bf 61 e2 3e-1c 08 16 7e af 91 e9 44 .....a.>...~...D
0080 - f9 53 75 cd 59 e0 80 50-03 09 07 67 e1 2d bf 6d .Su.Y..P...g.-.m
0090 - aa d4 b9 3a ...:
Start Time: 1380750955
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE

They are using a host certificate that does not chain back to a [trusted] root certificate. You should probably be seeing the error more often (every time?).
You might need to call SSL_CTX_load_verify_locations with a file that contains the required StartCom root certificate. You can get the StartCom root from http://www.startssl.com/?app=26. You want the one that includes "StartCom Certification Authority", which I believe is in the bundle http://www.startssl.com/certs/ca-bundle.pem. There's a few in that file, but OpenSSL handles the concatenation fine as long as you are willing to accept the risk of the additional roots.
$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu#gmail.com
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTMwMTAzMDA0OTAx
WhcNMTQwMTA0MTIxOTIwWjByMRkwFwYDVQQNExA4Q1RPNmdTdXhlUlJzSVhsMQsw
CQYDVQQGEwJSTzEbMBkGA1UEAxMSYXBpLnBhZ2VwZWVrZXIuY29tMSswKQYJKoZI
hvcNAQkBFhxhbGV4YW5kcnUuZmxvcmVzY3VAZ21haWwuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2o4+19SXbidxdD02hFaBytgqz97/8Newj1lz
wOILWsTbc26/pTkDzN7IHphpPR8tJp3lH7OqV3cTshonu9ouTxxoqBAcVN+6ClSM
fH4IHFLmywcab6Rb7nhUUcFgwEWUfHbCH41fV+Yx7+tFpmzChwDMvp5m1cIVZWEb
kSk9tSTnOXT2PIAaFmVhqRJ9gFkOxrl5jNmVyo0RH3xdJ7M/pE8mK/oLcOXA9Oev
4p6d37OwbftoBOclmenDWo1fz7kgF3+BQCs5IAHQ1rnhI4v8+MelQpzUWUrxdvjX
z64KftQ9spVYl0XAMshHjncXenIO+owPGJ9NbTcE6W4GKYtCvwIDAQABo4IC5zCC
AuMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
HQYDVR0OBBYEFLU812MJONAqhRD11CpkAX0ZofLEMB8GA1UdIwQYMBaAFOtCNNCY
sKuf9BtrCPfMZC7vDixFMC0GA1UdEQQmMCSCEmFwaS5wYWdlcGVla2VyLmNvbYIO
cGFnZXBlZWtlci5jb20wggFWBgNVHSAEggFNMIIBSTAIBgZngQwBAgEwggE7Bgsr
BgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wu
Y29tL3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29tIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRlIHdhcyBp
c3N1ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRpb24gcmVxdWly
ZW1lbnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlhbmNlIG9ubHkg
Zm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ugb2YgdGhlIHJl
bHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6
Ly9jcmwuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDCBjgYIKwYBBQUHAQEEgYEw
fzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1Yi9jbGFz
czEvc2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0c3NsLmNv
bS9jZXJ0cy9zdWIuY2xhc3MxLnNlcnZlci5jYS5jcnQwIwYDVR0SBBwwGoYYaHR0
cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQAxdu/aWSFN
iY1TkIxvA6w5XZPS93hIRoNOfs4xUkA7LGNAEnCt0WWe33lkyC9tHBbL3Li8pJib
bQZkgK7yX79KgwUlzHaAIlXcL4WYAhLroGbjvkzv5ldmt1hTcOCtFMVhPbBEGomB
U1XBQPaoba+D2ve7ZbUJihdMUSyIps8540fHC4G4CVpLxelc34OjdknyLTIsUpIF
ey2x9eazXnCKwjC5BgrEDIyE0ew8v5Xf/Gov4718ozc60CWLv4SNQzwMgrjNElEa
vOjjDljCFJ6xjJag00uf1xJjQ1C4g2mT6oQcZCMP4x6VlEXen9xZfI5RAfTw9ElL
5FJ1IIaJc7+5
-----END CERTIFICATE-----
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu#gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5552 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: D761D5D91D9BD18933CD68A37A9E65CC9CF6D0A0F28A8CB1D07C34C0E7B98253
Session-ID-ctx:
Master-Key: 43E285E1113C70B0767EE4B62B042166D1BFC86B62BAFE0F3338DB2771479EE51C99C19DC6E09E98E44FB79130206B9F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - c7 19 e2 ed e1 7b a1 84-40 84 3a 0d f0 73 e2 4c .....{..#.:..s.L
0010 - 2b 79 a1 3e 22 24 9a a8-d3 3a 4a 51 8d 6f 54 a5 +y.>"$...:JQ.oT.
0020 - ea 64 e4 68 3c 2b dd f2-e8 80 b8 e0 be 52 c1 ad .d.h<+.......R..
0030 - ae 44 19 76 7d a2 64 19-e1 6d bb c1 8a 80 a0 d9 .D.v}.d..m......
0040 - 42 29 99 99 16 47 34 1e-44 11 10 be 9a 6a 95 6b B)...G4.D....j.k
0050 - 09 55 ef 28 8f 44 8f 04-1d bd aa 79 b8 07 59 5f .U.(.D.....y..Y_
0060 - 1f 4e bd 00 ef e3 31 3d-6e 1f e8 79 6b bb fa 4a .N....1=n..yk..J
0070 - b9 8a cb 3a 4e 7e 8e bb-7a e7 81 b7 1f af d0 50 ...:N~..z......P
0080 - 84 70 99 77 b3 81 1d 0e-7f 04 4e 52 7e 95 fa 05 .p.w......NR~...
0090 - 19 be 78 e8 e6 bb cd 3c-08 49 dd 77 64 92 f7 eb ..x....<.I.wd...
Start Time: 1380706251
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
DONE
When I use the Startcom CA bundle and the -CAfile option, I cannot reproduce the failure, even across consecutive runs:
$ echo "GET / HTTP\1.1" | openssl s_client -connect api.pagepeeker.com:443 -CAfile startcom-ca-bundle.pem
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 8CTO6gSuxeRRsIXl, C = RO, CN = api.pagepeeker.com, emailAddress = alexandru.florescu#gmail.com
verify return:1
---
Certificate chain
0 s:/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu#gmail.com
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGZTCCBU2gAwIBAgIDCJkoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTMwMTAzMDA0OTAx
WhcNMTQwMTA0MTIxOTIwWjByMRkwFwYDVQQNExA4Q1RPNmdTdXhlUlJzSVhsMQsw
CQYDVQQGEwJSTzEbMBkGA1UEAxMSYXBpLnBhZ2VwZWVrZXIuY29tMSswKQYJKoZI
hvcNAQkBFhxhbGV4YW5kcnUuZmxvcmVzY3VAZ21haWwuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2o4+19SXbidxdD02hFaBytgqz97/8Newj1lz
wOILWsTbc26/pTkDzN7IHphpPR8tJp3lH7OqV3cTshonu9ouTxxoqBAcVN+6ClSM
fH4IHFLmywcab6Rb7nhUUcFgwEWUfHbCH41fV+Yx7+tFpmzChwDMvp5m1cIVZWEb
kSk9tSTnOXT2PIAaFmVhqRJ9gFkOxrl5jNmVyo0RH3xdJ7M/pE8mK/oLcOXA9Oev
4p6d37OwbftoBOclmenDWo1fz7kgF3+BQCs5IAHQ1rnhI4v8+MelQpzUWUrxdvjX
z64KftQ9spVYl0XAMshHjncXenIO+owPGJ9NbTcE6W4GKYtCvwIDAQABo4IC5zCC
AuMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
HQYDVR0OBBYEFLU812MJONAqhRD11CpkAX0ZofLEMB8GA1UdIwQYMBaAFOtCNNCY
sKuf9BtrCPfMZC7vDixFMC0GA1UdEQQmMCSCEmFwaS5wYWdlcGVla2VyLmNvbYIO
cGFnZXBlZWtlci5jb20wggFWBgNVHSAEggFNMIIBSTAIBgZngQwBAgEwggE7Bgsr
BgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wu
Y29tL3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29tIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRlIHdhcyBp
c3N1ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRpb24gcmVxdWly
ZW1lbnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlhbmNlIG9ubHkg
Zm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ugb2YgdGhlIHJl
bHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6
Ly9jcmwuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDCBjgYIKwYBBQUHAQEEgYEw
fzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1Yi9jbGFz
czEvc2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0c3NsLmNv
bS9jZXJ0cy9zdWIuY2xhc3MxLnNlcnZlci5jYS5jcnQwIwYDVR0SBBwwGoYYaHR0
cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQAxdu/aWSFN
iY1TkIxvA6w5XZPS93hIRoNOfs4xUkA7LGNAEnCt0WWe33lkyC9tHBbL3Li8pJib
bQZkgK7yX79KgwUlzHaAIlXcL4WYAhLroGbjvkzv5ldmt1hTcOCtFMVhPbBEGomB
U1XBQPaoba+D2ve7ZbUJihdMUSyIps8540fHC4G4CVpLxelc34OjdknyLTIsUpIF
ey2x9eazXnCKwjC5BgrEDIyE0ew8v5Xf/Gov4718ozc60CWLv4SNQzwMgrjNElEa
vOjjDljCFJ6xjJag00uf1xJjQ1C4g2mT6oQcZCMP4x6VlEXen9xZfI5RAfTw9ElL
5FJ1IIaJc7+5
-----END CERTIFICATE-----
subject=/description=8CTO6gSuxeRRsIXl/C=RO/CN=api.pagepeeker.com/emailAddress=alexandru.florescu#gmail.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5552 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 9A0E34E509AA7C2EED12E58D0D80B078B39D4A5A5C981E510D9D190E5F76B911
Session-ID-ctx:
Master-Key: 2F447B622ACBB0006DC121FA43FB562ACE2BDEAF73D3EC887AF7BC22548392AB42E3625530874EA541C569DB7543E273
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - c7 19 e2 ed e1 7b a1 84-40 84 3a 0d f0 73 e2 4c .....{..#.:..s.L
0010 - 46 cf b7 fd 33 95 88 14-fb da 08 4b 0a 58 e0 55 F...3......K.X.U
0020 - 31 ff 2a cf ff fb 65 a3-b4 db 8f 5f 65 6c 72 15 1.*...e...._elr.
0030 - ba ce c3 84 4f 83 9f 01-3d d4 87 f8 a1 eb bb b5 ....O...=.......
0040 - 1b a2 9a de 94 55 86 ad-d7 e7 29 ed f0 98 a4 5f .....U....)...._
0050 - 4d 93 f6 a7 db 15 7f d3-b3 ca 63 2c a9 8d 69 b2 M.........c,..i.
0060 - 77 3e a6 28 76 ba d3 a7-f7 5c 20 88 75 23 71 7d w>.(v....\ .u#q}
0070 - 99 62 b4 fd b9 09 1c ec-90 2d a0 c1 27 d0 23 61 .b.......-..'.#a
0080 - 18 da 47 17 06 3c 29 34-05 3e f3 d2 22 29 09 cc ..G..<)4.>..")..
0090 - d2 41 b7 8d 29 14 c2 88-3b ad 67 2a 88 25 e1 9b .A..)...;.g*.%..
Start Time: 1380708844
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE

This has been a misconfiguration on one of the PagePeeker load balancers. It has been fixed at the time the issue was mentioned.