Introduction
JDBC is a set of classes and interfaces written in Java that allows Java programs to access a database. This how-to explains how to use encryption with IBM's DB2 type 4 thin driver. Encrypting the database connection becomes increasingly important to protect database queries sent over long-distance, insecure channels, and to add another layer of protection.
IBM's DB2 database server can be set up to secure client access with SSL/TLS encryption. An example installation guide, for say DB2 v11.1, can be found in IBM's Knowledge Center. Setting up SSL/TLS involves creating a DB2 key store and an X.509 v3 certificate, and enabling them in the DB2 instance configuration for a dedicated database listener port.
Database server side SSL/TLS setup information
While this guide is focused on the client side, some key information below is needed from the database server side. There, encryption is handled by the included IBM Global Security Kit (GSKit) libraries and command-line tools.
db2inst1@lts140464:~$ db2 get database manager configuration |grep SSL
 SSL server keydb file (SSL_SVR_KEYDB) = /home/db2inst1/ssl/key.kdb
 SSL server stash file (SSL_SVR_STASH) = /home/db2inst1/ssl/key.sth
 SSL server certificate label (SSL_SVR_LABEL) = ltsdb2
 SSL service name (SSL_SVCENAME) = db2ssl
 SSL cipher specs (SSL_CIPHERSPECS) = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 SSL versions (SSL_VERSIONS) = TLSV12
 SSL client keydb file (SSL_CLNT_KEYDB) =
 SSL client stash file (SSL_CLNT_STASH) =
This output confirms that SSL is configured, and our encryption port listed under SSL_SVCENAME is called "db2ssl". The following check confirms that this SSL port is ready for connections.
db2inst1@lts140464:~$ sudo lsof -i |grep db2
db2sysc 22828 db2inst1 6u IPv4 42977 0t0 TCP *:db2 (LISTEN)
db2sysc 22828 db2inst1 7u IPv4 42978 0t0 TCP *:db2ssl (LISTEN)
Now we can get the TCP port number from /etc/services:
db2inst1@lts140464:~$ grep db2ssl /etc/services
db2ssl 50001/tcp # SSL/TLS port for DB2 instance "db2inst1"
Finally we connect to the database SSL port, verify it really accepts SSL connections, and get the certificate from it.
db2inst1@lts140464:~$ openssl s_client -connect localhost:50001 </dev/null
CONNECTED(00000003)
depth=0 C = JP, L = Setagaya, O = FM4DD, OU = Support, CN = db2test.fm4dd.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, L = Setagaya, O = FM4DD, OU = Support, CN = db2test.fm4dd.com
verify return:1
---
Certificate chain
 0 s:/C=JP/L=Setagaya/O=FM4DD/OU=Support/CN=db2test.fm4dd.com
   i:/C=JP/L=Setagaya/O=FM4DD/OU=Support/CN=db2test.fm4dd.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDgDCCAmigAwIBAgIIHSAGv1CSeP0wDQYJKoZIhvcNAQELBQAwXjELMAkGA1UE
BhMCSlAxETAPBgNVBAcTCFNldGFnYXlhMQ4wDAYDVQQKEwVGTTRERDEQMA4GA1UE
CxMHU3VwcG9ydDEaMBgGA1UEAxMRZGIydGVzdC5mbTRkZC5jb20wHhcNMTcxMjA0
MDY1NTU2WhcNMTgxMjA1MDY1NTU2WjBeMQswCQYDVQQGEwJKUDERMA8GA1UEBxMI
U2V0YWdheWExDjAMBgNVBAoTBUZNNEREMRAwDgYDVQQLEwdTdXBwb3J0MRowGAYD
VQQDExFkYjJ0ZXN0LmZtNGRkLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAPF1huDdHbx/0s+vHV9yFaQsh7i2yVi/eTUsrfNCb4N5/v+0DfHy7VTt
mKtt9WqUuW3h47K7QLexIunl/y3R834eUKOmHDTMDPk5NPQr8AYVDmb4X3cMc2uf
X9TPsgbzdvn6qAuW9uQ6gJlwXSLFhXtF2RpQmrjXaPVp0yTnLL27HUozpvWTgEiv
qIzoxDtxJM3Fp3Wtk8hC+heqmZ1bR7ysT0dv46W2RxUgPGLUmBPPG0p4DS6AfZxN
NRnyZ/25mn55n6GB1f0Ca+HeVhTOF/PDx7ZTcs0+Mp6kQe5QQ5vv5BOdBNwnoD+H
jAME6+MVZFgkeuCvc0c1BsgaNoxsICkCAwEAAaNCMEAwHQYDVR0OBBYEFP8Afew7
mtb+xf76QqXylWjjZGGEMB8GA1UdIwQYMBaAFP8Afew7mtb+xf76QqXylWjjZGGE
MA0GCSqGSIb3DQEBCwUAA4IBAQDTlo2SI4NKz/fQY6YkO6lRgGnK3yraFrRCM+Kd
mfr9edPqQAAAl3f+ZPo/ow4YTeyX4+gRTUMY6E6a/1jfLikb8vUztO61YxlsqKCP
CVGdL2EIG9gboLwOesHHv36AHT/VUuuG/gRValFAnYdiYZfPdf/g4XPmtautYR7F
+x3yHuQzOxlbJMAK/GPvIoy0lzdE2oNHr5vwrNmnQq92PwqM8n7GpZOeFv+SHYIk
4oMKpfocVNwjHF+8jbT9E48xzEOhfoihSXY6KYsB8RprIgZBPTZmsa4hX7zfmw14
Wl+0ZxddkAGxglVsx4e+u3zEEEVNR5zYf+bN6LwtZf1pBx9f
-----END CERTIFICATE-----
subject=/C=JP/L=Setagaya/O=FM4DD/OU=Support/CN=db2test.fm4dd.com
issuer=/C=JP/L=Setagaya/O=FM4DD/OU=Support/CN=db2test.fm4dd.com
---
No client certificate CA names sent
---
SSL handshake has read 1478 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
...
Client system access preparations
Besides encrypting the data, SSL also uses certificate verification to ensure the client is talking to the correct endpoint on the server side. This means JDBC needs access to the database server certificate we identified in the previous step. Java uses its own keystore container file. If it does not exist yet, we need to create it and import the database server certificate (I saved the certificate above into the file db2cert.pem). The JDBC code can then reference this keystore container file and its access password.
fm@susie:~> keytool -import -file db2cert.pem -keystore keystore.jks -alias ltsdb2 -storepass mypassword
Owner: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
Issuer: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
Serial number: 1d2006bf509278fd
Valid from: Mon Dec 04 15:55:56 JST 2017 until: Wed Dec 05 15:55:56 JST 2018
Certificate fingerprints:
  MD5: C2:DC:11:26:63:39:E9:72:FC:C1:66:7C:AA:D4:8E:FF
  SHA1: 62:88:F2:E1:32:09:F0:16:11:A2:AF:25:C7:7E:E5:50:E2:C0:BF:34
  SHA256: 0C:9A:34:18:6C:C8:DD:DC:F0:C5:35:70:D6:98:2D:33:4F:86:8F:A5:33:1B:44:0C:47:FF:F5:76:2D:1A:DC:46
  Signature algorithm name: SHA256withRSA
  Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FF 00 7D EC 3B 9A D6 FE C5 FE FA 42 A5 F2 95 68 ....;......B...h
0010: E3 64 61 84 .da.
]
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FF 00 7D EC 3B 9A D6 FE C5 FE FA 42 A5 F2 95 68 ....;......B...h
0010: E3 64 61 84 .da.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
JDBC Java code for encrypted DB2 access
The following example code, JdbcEncDB2.java, can be used to quickly test the JDBC connection.
vi JdbcEncDB2.java
// ------------------------------------------------
// JdbcEncDB2.java
// Tests an encrypted connection to DB2, using IBM
// DB2 SSL. See "IBM Knowledge Center", Section
// "Configuring Secure Sockets Layer (SSL) support
// in a DB2 instance". Encryption is enforced at the
// DB2-side port and cleartext connection will fail.
// ------------------------------------------------
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.sql.SQLException;
import java.util.Properties;

class JdbcEncDB2 {
    public static void main(String[] args) {
        try {
            // use the JDBC type 4 driver
            Class.forName("com.ibm.db2.jcc.DB2Driver");
        }
        catch (ClassNotFoundException e) {
            System.err.println(e);
            System.exit(-1);
        }

        Properties properties = new Properties();
        properties.put("user", "db2inst1");
        properties.put("password", "test");
        // enable SSL/TLS and point the driver at the keystore file
        // that holds the imported DB2 server certificate
        properties.put("sslConnection", "true");
        properties.put("sslTrustStoreLocation", "/home/fm/keystore.jks");
        properties.put("sslTrustStorePassword", "mypassword");
        // 50001 is the SSL port "db2ssl" from /etc/services
        String url = "jdbc:db2://localhost:50001/SAMPLE";

        // build query, use "ENV_INST_INFO" in schema "SYSIBMADM"
        String query = "select INST_NAME from SYSIBMADM.ENV_INST_INFO";

        // try-with-resources closes result set, statement and
        // connection even if the query throws
        try (Connection connection = DriverManager.getConnection(url, properties);
             Statement statement = connection.createStatement();
             ResultSet rs = statement.executeQuery(query)) {
            // return query result
            while (rs.next())
                System.out.println("DB2 Query result: " + rs.getString(1));
        }
        catch (SQLException e) {
            System.err.println(e);
            System.exit(-1);
        }
    }
}
Compile and run the test program
fm@susie:~> javac JdbcEncDB2.java
fm@susie:~> java JdbcEncDB2
DB2 Query result: db2inst1
Should this test fail, typical reasons are:
- Wrong database port? DB2 typically uses ports 50000 and up
- Wrong database user, or database user does not have admin rights
- The test program tries to access the database "sample", which can be installed using the command 'db2sampl'
- The test program tries to access a non-SSL database port, verify the port is actually using encryption
db2inst1@lts140464:~$ db2level
DB21085I This instance or install (instance name, where applicable: "db2inst1") uses "64" bits and DB2 code release "SQL11010" with level identifier "0201010F".
Informational tokens are "DB2 v11.1.0.0", "s1606081100", "DYN1606081100AMD64", and Fix Pack "0".
Product is installed at "/home/db2inst1/sqllib".
And at the client side:
fm@susie:~> java -cp db2jcc4.jar com.ibm.db2.jcc.DB2Jcc -version
IBM Data Server Driver for JDBC and SQLJ 4.19.66
fm@susie:~> java -version
java version "1.7.0_151"
OpenJDK Runtime Environment (IcedTea 2.6.11) (7u151-2.6.11-2ubuntu0.14.04.1)
OpenJDK 64-bit Server VM (build 24.151-b01, mixed mode)
Confirm encryption on the client side
The program output is as expected, but how do we tell that the connection is really encrypted and uses adequate encryption parameters? We can verify this with a Java debug parameter.
fm@susie:~> java -Djavax.net.debug=ssl JdbcEncDB2
adding as trusted cert:
  Subject: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  Issuer: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  Algorithm: RSA; Serial number: 0x1d2006bf509278fd
  Valid from Mon Dec 04 15:55:56 JST 2017 until Wed Dec 05 15:55:56 JST 2018
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
...
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1512463372 bytes = { 254, 132, 47, 18, 4, 186, 43, 182, 29, 251, 241, 43, 160, 186, 56, 173, 104, 202, 169, 207, 232, 122, 161, 206, 248, 58, 235, 194 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 163
main, READ: TLSv1.2 Handshake, length = 1366
*** ServerHello, TLSv1.2
RandomCookie: GMT: 12 bytes = { 254, 197, 211, 220, 99, 170, 246, 161, 124, 195, 220, 186, 199, 233, 208, 89, 221, 200, 55, 118, 190, 219, 94, 39, 223, 32, 107, 166 }
Session ID: {125, 18, 100, 73, 131, 118, 139, 185, 70, 201, 246, 218, 255, 166, 172, 204, 120, 1, 188, 227, 139, 230, 136, 65, 186, 21, 148, 93, 67, 77, 111, 90}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension ec_point_formats, formats: [uncompressed]
Extension renegotiation_info, renegotiated_connection:
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: Sun RSA public key, 2048 bits
  modulus: 30481386155750323326890561212765513281567421242176194898751858931652993621496236434827210211691425956433242353400256070134803805873805723207258980516716970314030800719253945261286239910493621803130345302469598118525596381326812681031904397930628940286850337735344592230011594976905839506611288453316511431732281594348447439140543423734450206326944835989267737975768308019977932319003153515281642515573386889003942953866610419768793878236308454675709597627794881132542036872740413484831867046429464822662479008274091387654236421080515525118326183680708154809697092353190550680854732296659929474836731058451927068844073
  public exponent: 65537
  Validity: [From: Mon Dec 04 15:55:56 JST 2017, To: Wed Dec 05 15:55:56 JST 2018]
  Issuer: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  SerialNumber: [ 1d2006bf 509278fd]
...[shortening output]...
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
...[shortening output]...
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: SunPKCS11-NSS EC public key, 384 bits (id 1, session object)
  public x coord: 1246518603194943893383502020230123073686302590005602824974756128864754520176971067002605904454877127052123088426895
  public y coord: 210365413291924666961880002120358853514104085228785658084782088069947436018826865496297805115266364568213589854800
  parameters: secp384r1 [NIST P-384] (1.3.132.0.34)
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 180, 86, 82, 209, 83, 94, 197, 95, 150, 147, 39, 202, 193, 115, 133, 252, 244, 164, 197, 37, 249, 57, 233, 151, 244, 74, 178, 15, 211, 175, 252, 39, 246, 106, 21, 186, 15, 27, 109, 59, 102, 232, 157, 250, 207, 248, 8, 16, 151, 181, 165, 124, 58, 208, 128, 133, 125, 29, 44, 218, 3, 55, 93, 222, 251, 134, 214, 245, 71, 212, 243, 59, 53, 155, 73, 208, 133, 198, 105, 121, 78, 108, 187, 188, 90, 63, 173, 81, 171, 73, 213, 50, 58, 31, 15, 8 }
main, WRITE: TLSv1.2 Handshake, length = 102
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 44, 177, 116, 42, 53, 193, 253, 125, 97, 238, 43, 199 }
***
main, WRITE: TLSv1.2 Handshake, length = 96
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 96
*** Finished
verify_data: { 59, 227, 206, 194, 104, 205, 226, 219, 51, 233, 128, 137 }
***
...[shortening output]...
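Instead of reading the trace by eye, the negotiated parameters can be checked mechanically. The following is an added example, not part of the original how-to: it parses a javax.net.debug=ssl trace and compares the ServerHello protocol and cipher suite with the server's SSL_VERSIONS and SSL_CIPHERSPECS settings shown earlier. The function names, the embedded sample trace and the reliance on the Java 7 trace layout printed on this page are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page. Audits a javax.net.debug=ssl
# trace in the Java 7 layout shown above; newer JDKs print a different format.

# Policy copied from the server's SSL_VERSIONS / SSL_CIPHERSPECS on this page.
ALLOWED_PROTOCOL="TLSv1.2"
ALLOWED_SUITES="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

# Reads a trace on stdin, prints "<protocol> <suite> <trusted|untrusted>".
# Only the ServerHello counts: the ClientHello merely lists what was offered.
tls_summary() {
  awk '
    /^\*\*\* ServerHello, /        { proto = $3; in_hello = 1; next }
    in_hello && /^Cipher Suite: /  { suite = $3; in_hello = 0 }
    /Found trusted certificate/    { trusted = 1 }
    END {
      if (proto == "") proto = "none"
      if (suite == "") suite = "none"
      print proto, suite, (trusted ? "trusted" : "untrusted")
    }'
}

# Returns 0 only if protocol, cipher suite and certificate trust all pass.
check_tls_trace() {
  summary=$(tls_summary)
  proto=${summary%% *}; rest=${summary#* }
  suite=${rest%% *};    trust=${rest#* }
  rc=0
  [ "$proto" = "$ALLOWED_PROTOCOL" ] || { echo "FAIL protocol: $proto"; rc=1; }
  case " $ALLOWED_SUITES " in
    *" $suite "*) ;;
    *) echo "FAIL cipher suite: $suite"; rc=1 ;;
  esac
  [ "$trust" = "trusted" ] || { echo "FAIL no truststore match for server certificate"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK $proto $suite"
  return "$rc"
}

# Constructed sample: a few lines abridged from the trace on this page.
sample_trace() {
  cat <<'EOF'
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
*** Certificate chain
Found trusted certificate:
*** ServerHelloDone
EOF
}

sample_trace | check_tls_trace
```

To audit a real run, pipe the program's output into the check: java -Djavax.net.debug=ssl JdbcEncDB2 2>&1 | check_tls_trace. A run with no handshake in its output, such as a connection to a non-SSL port, fails all three checks.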