Jim Scarborough created HTTPCLIENT-1585:
-------------------------------------------
Summary: Client certificate not submitted half the time
Key: HTTPCLIENT-1585
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1585
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Affects Versions: 4.3.5, 5.0
Environment: Fedora 20 on a Thinkpad T540p, Sun JDK 1.6,1.7,1.8
Reporter: Jim Scarborough
h1. Overview
The http client submits the client certificate when requested about half the
time. This may well be a bug in the underlying SSLSocketImpl or nearby code.
I welcome assistance in determining which layer has the bug.
h1. Stack trace
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1705)
at
sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:122)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:982)
at
sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1154)
at
sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1066)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:341)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)
at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254)
at
org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123)
at
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)
at
org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
at
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
at
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
at
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
at
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
h1. Steps to reproduce
h2. 1. Set up certificates
create server key/cert pair. use FQDN as First Last name
keytool -keystore server_keystore -alias server -genkey -keyalg RSA
export server cert to a curl usable format.
keytool -exportcert -alias server -keystore server_keystore -rfc -file
server.pem
create client key/cert pair. use email as First Last name
keytool -keystore client_keystore -alias client -genkey -keyalg RSA
export client key/cert pair to a firefox usablabe format.
keytool -importkeystore -srckeystore client_keystore -destkeystore
client_keystore.pkcs12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass
password -deststorepass password -srcalias client -destalias client -srckeypass
password -destkeypass password
export client key/cert pair to a curl usable format.
openssl pkcs12 -in client_keystore.pkcs12 -out client.crt.pem -clcerts -nokeys
openssl pkcs12 -in client_keystore.pkcs12 -out client.key.pem -nocerts -nodes
h2. 2. Set up Jetty, configure it to require a client cert
vim jetty-ssl.xml
<Set name="KeyStorePath"><Property name="jetty.base" default="."
/>/<Property name="jetty.keystore" default="etc/server_keystore"/></Set>
<Set name="KeyStorePassword"><Property name="jetty.keystore.password"
default="password"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password"
default="password"/></Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="."
/>/<Property name="jetty.truststore" default="etc/client_keystore"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password"
default="password"/></Set>
<Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth"
default="true"/></Set>
vim jetty-https.xml
<Set name="port"><Property name="https.port" default="8443" /></Set>
vim start.ini
jetty.dump.stop=false
etc/jetty-ssl.xml
etc/jetty-https.xml
h2. 3. Verify Jetty works
Copy the exported certs to your machine.
Go to https://FQDN:8443 in the browser with and without the cert to make sure
it works
or use curl
curl -L -v --cacert server.pem -E ./client.crt.pem --key ./client.key.pem
https://dmtest2.intranet.dev.int.devlab.redhat.com:8443
h2. 4. Run this code against it:
{code:title=HttpsClientCertificateTest.java|borderStyle=solid}
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.net.Socket;
import com.google.common.io.Resources;
import junit.framework.AssertionFailedError;
import org.junit.Test;
import static org.junit.Assert.*;
public class HttpsClientCertificateTest {
@Test
public void testClientCertificate() throws Exception {
int success=0;
int failure=0;
for (int i=0;i<40;i++) {
try {
String testKeystorePath =
Resources.getResource("test-keystore").toString();
String testClientCertPath =
Resources.getResource("test-clientstore").toString();
assertEquals("protected\n",secureContentFor("https://dmtest2.intranet.dev.int.devlab.redhat.com:8443/";,
testKeystorePath, testClientCertPath));
success++;
} catch (AssertionFailedError e) {
e.printStackTrace();
failure++;
} catch (SSLHandshakeException e) {
e.printStackTrace();
failure++;
}
}
assertEquals("failed " + failure + "/" + (success+failure) + "
succeeded " + (success*100/(success+failure)) + "%",0,failure);
}
static String secureContentFor(String url, String clientKeyStore, String
clientTrustStore) throws Exception {
KeyStore trustStore = readKeyStore(clientTrustStore);
KeyStore keyStore = readKeyStore(clientKeyStore);
// Trust own CA and all self-signed certs
SSLContext sslcontext = SSLContexts.custom()
.loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
.loadKeyMaterial(keyStore, "password".toCharArray())
.loadKeyMaterial(trustStore, "password".toCharArray())
.useTLS()
.build();
// Allow TLSv1 protocol only
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
sslcontext,
new String[] { "TLSv1" }, // supported protocols
null, // supported cipher suites
SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
CloseableHttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();
HttpGet get = new HttpGet(url);
HttpResponse response = httpClient.execute(get);
String content = EntityUtils.toString(response.getEntity());
return content;
}
static KeyStore readKeyStore(String resourceURL) throws KeyStoreException,
IOException, NoSuchAlgorithmException, CertificateException {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream instream = new FileInputStream(new
URL(resourceURL).getFile());
try {
trustStore.load(instream, "password".toCharArray());
} finally {
instream.close();
}
return trustStore;
}
}
{code}
h1. Actual results
Exceptions as noted above, and some ultimate failure note like this:
java.lang.AssertionError: failed 19/40 succeeded 52%
Expected :0
Actual :19
h2. Expected results
No exceptions, test passes
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
