FULL PRODUCT VERSION :
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) Client VM (build 25.112-b15, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows 7 pro 64bit [version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Smart card reader installed and a custom PKCS11 java.security.KeyStore.
A DESCRIPTION OF THE PROBLEM :
Contacting a secured web service with CXF 3.1.8.
I used this link to fix the SNI problem:
http://javabreaks.blogspot.fr/2015/12/java-ssl-handshake-with-server-name.html
REGRESSION. Last worked in version 7u80
ADDITIONAL REGRESSION INFORMATION:
Everything works with Java 7u80.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Contact the secured web service.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Works like Java 7u80.
ACTUAL -
Doesn't work.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
trustStore is: C:\Program Files (x86)\Java\jdk1.8.0_112\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
[......... ALL CERT...........]
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
TraitementMessage-Serveur, setSoTimeout(60000) called
TraitementMessage-Serveur, the previous server name in SNI (type=host_name (0), value=XXXXXXXXXXXX) was replaced with (type=host_name (0), value=XXXXXXXXXXX)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1479373728 bytes = { 3, 145, 189, 27, 145, 57, 167, 95, 114, 173, 216, 148, 200, 251, 85, 104, 51, 162, 213, 135, 84, 197, 35, 173, 202, 104, 43, 142 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {java.security.spec.ECParameterSpec@73dbf2, java.security.spec.ECParameterSpec@473ae2, java.security.spec.ECParameterSpec@713660, java.security.spec.ECParameterSpec@1dbabe0, java.security.spec.ECParameterSpec@15f5322, java.security.spec.ECParameterSpec@a2f381, java.security.spec.ECParameterSpec@15d1003, java.security.spec.ECParameterSpec@1ff2f23, java.security.spec.ECParameterSpec@10befd, java.security.spec.ECParameterSpec@eb036c, java.security.spec.ECParameterSpec@105b09a, java.security.spec.ECParameterSpec@1cc26bd, java.security.spec.ECParameterSpec@eefa53, java.security.spec.ECParameterSpec@73da7d, java.security.spec.ECParameterSpec@45244b, java.security.spec.ECParameterSpec@1f860cb, java.security.spec.ECParameterSpec@118e33b, java.security.spec.ECParameterSpec@52e1af, java.security.spec.ECParameterSpec@1e5adb0, java.security.spec.ECParameterSpec@155767f, java.security.spec.ECParameterSpec@15e5895, java.security.spec.ECParameterSpec@768b08, java.security.spec.ECParameterSpec@3a35db, java.security.spec.ECParameterSpec@d05eed, java.security.spec.ECParameterSpec@11536d2}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=XXXXXXXXXXX]
***
TraitementMessage-Serveur, WRITE: TLSv1.2 Handshake, length = 266
TraitementMessage-Serveur, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie: GMT: 666558274 bytes = { 133, 164, 44, 154, 193, 60, 234, 10, 8, 41, 227, 42, 3, 139, 125, 227, 225, 226, 71, 118, 251, 98, 74, 21, 60, 51, 67, 176 }
Session ID: {88, 39, 124, 169, 72, 153, 163, 166, 208, 69, 166, 212, 254, 77, 107, 67, 108, 241, 130, 142, 55, 220, 78, 24, 110, 107, 62, 161, 10, 18, 2, 96}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension server_name, server_name:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TraitementMessage-Serveur, READ: TLSv1.2 Handshake, length = 2865
*** Certificate chain
[......... MY CERT ...........]
***
Found trusted certificate:
[.....TRUST CERT FOUND........]
TraitementMessage-Serveur, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: EC Public Key
X: 464e1a60b15519c4d1c63bb7673f275840b81f5bedfcabaeb5fab43a925701fe
Y: ad7c9800d49bd270d606e78f43b786e0dd4e5662fed2822d1db1d3001d8d2da2
TraitementMessage-Serveur, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 235, 158, 251, 58, 228, 82, 173, 195, 82, 149, 64, 164, 160, 227, 54, 160, 134, 226, 210, 110, 129, 206, 173, 189, 223, 6, 116, 99, 24, 83, 74, 210, 174, 170, 166, 217, 250, 15, 104, 169, 116, 179, 32, 0, 190, 46, 102, 110, 145, 252, 87, 223, 46, 234, 39, 205, 9, 220, 162, 140, 39, 176, 176, 245 }
TraitementMessage-Serveur, WRITE: TLSv1.2 Handshake, length = 70
TraitementMessage-Serveur, handling exception: java.security.ProviderException: Could not derive key
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
TraitementMessage-Serveur, SEND TLSv1.2 ALERT: fatal, description = internal_error
TraitementMessage-Serveur, WRITE: TLSv1.2 Alert, length = 2
TraitementMessage-Serveur, called closeSocket()
TraitementMessage-Serveur, called close()
TraitementMessage-Serveur, called closeInternal(true)
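To make the failure point in a javax.net.debug trace like the one above easy to spot, here is an added Python helper (not part of the bug report) that parses a constructed excerpt of the JSSE output, extracts the negotiated protocol, cipher suite and key exchange, and records that the ProviderException was raised locally during the ECDH client key exchange, before the internal_error alert went out.

```python
import re

# Constructed excerpt of the JSSE debug output quoted in the report above.
SAMPLE_LOG = """\
*** ClientHello, TLSv1.2
Extension server_name, server_name: [type=host_name (0), value=XXXXXXXXXXX]
***
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
*** ServerHelloDone
*** ECDHClientKeyExchange
TraitementMessage-Serveur, handling exception: java.security.ProviderException: Could not derive key
TraitementMessage-Serveur, SEND TLSv1.2 ALERT: fatal, description = internal_error
"""

def analyze_jsse_log(text):
    """Extract negotiated parameters and the last handshake message before a failure."""
    result = {"protocol": None, "cipher_suite": None, "key_exchange": None,
              "last_message": None, "exception": None, "alert": None}
    for line in text.splitlines():
        if m := re.match(r"\*\*\* ServerHello, (TLSv[\d.]+)", line):
            result["protocol"] = m.group(1)
        elif m := re.match(r"Cipher Suite: (\S+)", line):
            result["cipher_suite"] = m.group(1)
            # The key exchange is the token between the TLS_/SSL_ prefix and _WITH_.
            kx = re.match(r"(?:TLS|SSL)_(.+?)_WITH_", m.group(1))
            result["key_exchange"] = kx.group(1) if kx else None
        elif m := re.match(r"\*\*\* (\w+)$", line):
            # Single-word handshake messages such as ServerHelloDone, ECDHClientKeyExchange.
            result["last_message"] = m.group(1)
        elif m := re.search(r"handling exception: (.+)$", line):
            result["exception"] = m.group(1)
        elif m := re.search(r"SEND TLSv[\d.]+ ALERT: fatal, description = (\w+)", line):
            result["alert"] = m.group(1)
    return result

def diagnose(result):
    """A ProviderException is thrown by the local JCA provider, so a failure while
    building the ECDH client key exchange is on the client side, not at the peer."""
    if (result["exception"] and "ProviderException" in result["exception"]
            and result["last_message"] == "ECDHClientKeyExchange"
            and (result["key_exchange"] or "").startswith("ECDH")):
        return "local-provider-ecdh-failure"
    if result["alert"]:
        return "handshake-alert:" + result["alert"]
    return "ok" if result["cipher_suite"] else "no-handshake"
```

Run it against a full trace to check whether the ECDH suite was negotiated and whether the exception precedes the alert; with an RSA key exchange suite the classification falls through to the alert branch.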
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
It requires a card reader and a valid card.
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
I can use Java 7, but its cacerts is not up to date. I have to use Java 8u51.
...
COMODO RSA Certification Authority
alias: comodorsaca
DN: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
...