+1.

So when you invoke the HTTPS service with client auth enabled, the
connection should be rejected since there is no OCSP/CRL information in the
client certificate.

But we should test this with some custom-made certificates. Create a
self-signed *CA certificate* and a *User certificate* signed by that CA. You
can use the tool *openssl* for this (no need to create an intermediate CA
cert) [1]. Before giving the certificate signing request (CSR) to the CA you
have to give the proper X509 extensions *Authority Information Access* [2]
and *CRL Distribution Points* [3] so that the URLs for the OCSP and CRL
servers will be added to the certificate you create. You will have to create
an *openssl.cnf* file with the following information to be given to
*openssl* with the CSR as an extension file.

authorityInfoAccess = OCSP;URI:http://ocsp.digicert.com
crlDistributionPoints = URI:http://crl3.digicert.com/ca3-g17.crl

The above URLs are from the CA which has signed the WSO2 certificates
(Digicert). Please check the certificate. Now you can add the created
certificates to wso2carbon.jks (both keystore and truststore); see online
resources on how to do that. Once configured, call the HTTPS service with
client auth enabled. Use curl to send the getQuote request.

curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' \
     -H 'SOAPAction: "urn:getQuote"' -d @request_file.xml \
     --cacert ca.crt --cert user.crt --key user.key \
     -v https://localhost:8243

Now the ESB should do OCSP/CRL validations, and since there is no
revocation information with Digicert on the certificate you created, the
HTTPS connection should be established.

Please ask if you have any questions.

[1]
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
[2]
http://www.oracle.com/technetwork/articles/soa/patil-certrevoc-1873528.html
[3] http://stackoverflow.com/a/12023746/1411653

Thanks,
Jeewantha


On Wed, Mar 19, 2014 at 10:50 PM, Sudheera Palihakkara <sudhe...@wso2.com> wrote:

> Hi Jeewantha,
>
> I have moved ServerConnFactoryBuilder and ClientConnFactoryBuilder from
> /transport/nhttp/config/ to /transport/http/config/ because those two
> classes are common to both nhttp and passthru transports.
>
> Here are the diff files of the two files that I edited.
>
> I used an online tool to generate ServerConnFactoryBuilder.diff because I
> did not commit the changes after I moved the file to the http directory, so
> the format of the diff file may be different.
>
> thanks.
>
>
>
> On Wed, Mar 19, 2014 at 8:57 PM, Jeewantha Dharmaparakrama <
> jeewan...@wso2.com> wrote:
>
>> [Adding @dev]
>>
>> Hi Sudheera,
>>
>> Did you remove ServerConnFactoryBuilder and ClientConnFactoryBuilder from
>> the source and add the changed classes again? It's difficult to see which
>> lines have changed in the patch file.
>> Please remove ServerConnFactoryBuilder and ClientConnFactoryBuilder from
>> your local source, svn up again, and then do the changes in those files and
>> create the patch file.
>>
>> Thanks,
>> Jeewantha
>>
>>
>> On Wed, Mar 19, 2014 at 3:00 AM, Sudheera Palihakkara
>> <sudhe...@wso2.com> wrote:
>>
>>> Hi ayya,
>>>
>>> I have done some coding in ServerSSLSetupHandler.java and
>>> ServerConnFactoryBuilder.java as they did on the backend side. I think the
>>> logic is ok but it's hard to test since we don't have a certificate chain
>>> that is signed by a CA. I used wso2carbon.jks for the client and the request
>>> failed since both OCSP and CRL verification failed for wso2carbon.jks.
>>> I have attached the diff file. Can you take a look.
>>>
>>>
>>> thanks.
>>>
>>>
>>> On Wed, Mar 19, 2014 at 11:43 AM, Sudheera Palihakkara <
>>> sudhe...@wso2.com> wrote:
>>>
>>>> Hi ayya,
>>>>
>>>> In ServerConnFactoryBuilder.java, line 202:
>>>>
>>>>     ServerSSLSetupHandler sslSetupHandler =
>>>>             (clientAuth != null || httpsProtocols != null) ?
>>>>                     new ServerSSLSetupHandler(clientAuth, httpsProtocols) : null;
>>>>
>>>> It seems like if the SSLVerifyClient parameter is not defined then
>>>> *ServerSSLSetupHandler()* isn't invoked. Do we need this
>>>> "SSLVerifyClient" parameter set to "required" in order to verify OCSP and
>>>> CRL?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Mar 15, 2014 at 12:20 AM, Jeewantha Dharmaparakrama <
>>>> jeewan...@wso2.com> wrote:
>>>>
>>>>> Hi Sudheera,
>>>>>
>>>>> You don't need SSL Profiles to talk to HTTPS backends. SSL profiles
>>>>> are to define different SSL configurations (Trust stores, Keystores) to
>>>>> different backends. And according to the logs, the connection is not made
>>>>> to an HTTPS backend. Error occurs during SSL handshake.
>>>>>
>>>>> To make an HTTPS connection just host your service in some server
>>>>> (doesnt matter which) and in the ESB define the endpoint to connect to the
>>>>> https port with the correct HTTPS endpoint URL.
>>>>>
>>>>> However, to test OCSP/CRL you can't use a carbon server which runs on
>>>>> your local machine. The reason is, the certificates defined in the Carbon
>>>>> servers are fake (self-signed). That's why the web browser says "Untrusted
>>>>> connection" when you try to connect to the management console of a locally
>>>>> running carbon server. And in those fake certificates, the CRL/OCSP URLs
>>>>> are not defined. So you can't test the OCSP/CRL feature that way.
>>>>>
>>>>> So don't run the backend on your local machine. Instead, use some
>>>>> HTTPS backend like https://www.facebook.com or, if you need a
>>>>> web service, use the echo service in Stratos Live [1]. Stratos Live uses
>>>>> valid WSO2 certificates signed by Digicert, a valid CA which has its
>>>>> OCSP/CRL servers running [2].
>>>>>
>>>>> [1] https://stratoslive.wso2.com/services/echo?wsdl
>>>>> [2] http://www.digicert.com/
>>>>>
>>>>> If you have more questions please ask on @Dev to be more visible to
>>>>> the public.
>>>>>
>>>>> Thanks,
>>>>> Jeewantha
>>>>>
>>>>>
>>>>> On Fri, Mar 14, 2014 at 2:09 AM, Sudheera Palihakkara <
>>>>> sudhe...@wso2.com> wrote:
>>>>>
>>>>>> Hi ayya.
>>>>>>
>>>>>> I'm trying to invoke the already implemented OCSP check at the transport
>>>>>> sender and get an idea about the flow. But I'm having some difficulties
>>>>>> during the process. Here's what I've done:
>>>>>>
>>>>>> 1. Followed this document [1] to create the SSL profiles (used the same
>>>>>> axis2.xml with the password as *wso2carbon*).
>>>>>> 2. Started a separate DSS with clientAuth="true" in
>>>>>> catalina-server.xml.
>>>>>> 3. Created a proxy service in the ESB to invoke the *echo service* deployed
>>>>>> at the DSS, using *https* in the endpoint.
>>>>>>
>>>>>> When I invoked the proxy service I'm getting this error
>>>>>>
>>>>>> *[2014-03-14 13:11:10,725] ERROR - TargetHandler I/O error:
>>>>>> Unrecognized SSL message, plaintext connection?*
>>>>>>
>>>>>> Full error log [2].
>>>>>>
>>>>>> Can you help me out please. Is there any other way to test this? I
>>>>>> might need something similar for the transport listener too. Thank you.
>>>>>>
>>>>>>
>>>>>> [1]
>>>>>> http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html
>>>>>> [2] http://pastebin.com/5VMK4cnT
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>


-- 
Jeewantha Dharmaparakrama
Software Engineer; WSO2, Inc.; http://wso2.com/
Phone : (+94) 774726790
Skype : prasad.jeewantha
LinkedIn : http://www.linkedin.com/in/jeewanthad
Twitter: https://twitter.com/jeewamp
Blog: http://jeewanthad.blogspot.com/
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
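The certificate recipe Jeewantha describes (self-signed CA, a user certificate signed by it, an extension file carrying Authority Information Access and CRL Distribution Points), carried through as an added example that is not part of the thread or of the ESB code. It goes one step further than the thread: instead of pointing at DigiCert, it has the test CA publish its own CRL and checks the user certificate against it with `openssl verify`, so the "good" and "revoked" outcomes can be reproduced offline. The URLs (`ocsp.example.test`, `crl.example.test`), the subject names, the working directory and the config section names are assumptions for the example; nothing here touches wso2carbon.jks or the ESB configuration.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + client certificate that
# carries AIA (OCSP) and CRL Distribution Points, plus a local CRL so revocation
# checking can be exercised without a public CA. Everything is written under
# the directory passed in; the OCSP/CRL URLs are assumed example values.
set -eu

# One config file serving both `openssl req` and `openssl ca`.
# The URLs only have to be well-formed for the extensions to be emitted.
write_pki_config() {
  dir=$1; ocsp_url=$2; crl_url=$3
  cat > "$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints      = critical, CA:TRUE
keyUsage              = critical, keyCertSign, cRLSign
subjectKeyIdentifier  = hash
[ v3_client ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
extendedKeyUsage      = clientAuth
authorityInfoAccess   = OCSP;URI:$ocsp_url
crlDistributionPoints = URI:$crl_url
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
}

# Build: self-signed CA (no intermediate), client key + CSR, CA-signed client
# cert with the v3_client extensions, and a bare self-signed cert with no
# revocation pointers at all (the situation of a stock wso2carbon.jks cert).
make_test_pki() {
  dir=$1
  write_pki_config "$dir" "$2" "$3"
  openssl req -x509 -config "$dir/pki.cnf" -subj "/CN=Test CA" \
    -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -config "$dir/pki.cnf" -subj "/CN=test-user" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/pki.cnf" -extensions v3_client \
    -out "$dir/user.crt" 2>/dev/null
  openssl req -x509 -config "$dir/pki.cnf" -subj "/CN=localhost" \
    -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/bare.key" -out "$dir/bare.crt" 2>/dev/null
}

# OCSP responder URI advertised by a certificate (empty if it has none).
cert_ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# True when the certificate carries a crlDistributionPoints extension.
cert_has_crl_dp() { openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'; }

# Publish the CA's current CRL (what the URL in the cert would have to serve).
ca_issue_crl() { openssl ca -config "$1/pki.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1; }

# Revoke a certificate in the CA database; takes effect at the next ca_issue_crl.
ca_revoke() { openssl ca -config "$1/pki.cnf" -revoke "$2" -crl_reason keyCompromise >/dev/null 2>&1; }

# Prints good / revoked / error after chaining the cert to the CA and checking
# it against the CA's CRL, which is the decision a CRL-aware listener makes.
cert_revocation_status() {
  dir=$1; cert=$2
  if out=$(openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/ca.crl" "$cert" 2>&1); then
    echo good
  elif printf '%s' "$out" | grep -q 'certificate revoked'; then
    echo revoked
  else
    echo "error: $out"
  fi
}
```

To drive the ESB listener with these certificates rather than `openssl verify`, the CRL written by `ca_issue_crl` has to be reachable at the URL placed in `crlDistributionPoints` (any static HTTP server will do), and the OCSP URI would need a responder such as `openssl ocsp -index index.txt` behind it; otherwise the listener sees the same "no usable revocation information" outcome as with a certificate that has no extensions at all.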
