Hi Jeewantha,

I have created the CA and client certificates like you asked, and did the request using curl. Here's what I got in the server log:

INFO - CacheManager OCSPCache Cache Manager Started
INFO - CacheManager CRLCache Cache Manager Started
INFO - RevocationVerificationManager OCSPVerifier failed.
INFO - CRLVerifier Trying to get CRL for URL: http://crl3.digicert.com/ca3-g17.crl
INFO - CRLCache Before set- HashMap size 0
INFO - CRLCache After set - HashMap size 1
INFO - PathChecker Certificate status is: Good
INFO - CertificatePathValidator Certificate path validated
INFO - RevocationVerificationManager Path verification Successful. Took 1075 ms.

It looks like OCSPVerifier has failed. What do you think? Is it because of an issue in the source or in the certificate created by me?

On Thu, Mar 20, 2014 at 11:01 PM, Jeewantha Dharmaparakrama <[email protected]> wrote:

> +1.
>
> So when you invoke the HTTPS service with client auth enabled, the connection should be rejected since there is no OCSP/CRL information in the client certificate.
>
> But we should test this with some custom made certificates. Create a self signed *CA certificate* and a *User certificate* signed by that CA. You can use the tool *openssl* for this. (No need to create an intermediate CA cert) [1]. Before giving the Certificate signing request (CSR) to the CA you have to give the proper X509Extensions *Authority Information Access* [2] and *Crl Distribution Points* [3] so that the URLs for OCSP and CRL servers will be added to the certificate you create. You will have to create an *openssl.cnf* file with the following information to be given to *openssl* with the CSR as an extension file.
>
> authorityInfoAccess = OCSP;URI: http://ocsp.digicert.com
> crlDistributionPoints=URI:http://crl3.digicert.com/ca3-g17.crl
>
> The above urls are from the CA which has signed WSO2 certificates (Digicert). Please check the certificate. Now you can add the created certificates to wso2carbon.jks (Both keystore and truststore): see online resources on how to do that. Once configured, call the HTTPS service with client auth enabled. Use curl to send the getQuote request.
>
> curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @request_file.xml --cacert ca.crt --cert user.crt -v https://localhost:8243
>
> Now the ESB should do OCSP/CRL validations and since there are no revocation information with Digicert on the certificate you created, the HTTPS connection should be established.
>
> Please ask if you have any questions.
>
> [1] http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
> [2] http://www.oracle.com/technetwork/articles/soa/patil-certrevoc-1873528.html
> [3] http://stackoverflow.com/a/12023746/1411653
>
> Thanks,
> Jeewantha
>
> On Wed, Mar 19, 2014 at 10:50 PM, Sudheera Palihakkara <[email protected]> wrote:
>
>> Hi Jeewantha,
>>
>> I have moved ServerConnFactoryBuilder and ClientConnFactoryBuilder from /transport/nhttp/config/ to /transport/http/config/ because those two classes are common to both nhttp and passthru transports.
>>
>> Here are the diff files of the two files that I edited.
>>
>> I used an online tool to generate ServerConnFactoryBuilder.diff because I did not commit the changes after I moved the file to the http directory, so the format of the diff file may be different.
>>
>> Thanks.
>>
>> On Wed, Mar 19, 2014 at 8:57 PM, Jeewantha Dharmaparakrama <[email protected]> wrote:
>>
>>> [Adding @dev]
>>>
>>> Hi Sudheera,
>>>
>>> Did you remove ServerConnFactoryBuilder and ClientConnFactoryBuilder from the source and add the changed classes again? It's difficult to see which lines have changed in the patch file.
>>> Please remove ServerConnFactoryBuilder and ClientConnFactoryBuilder from your local source, svn up again, and then do the changes in those files and create the patch file.
>>>
>>> Thanks,
>>> Jeewantha
>>>
>>> On Wed, Mar 19, 2014 at 3:00 AM, Sudheera Palihakkara <[email protected]> wrote:
>>>
>>>> Hi ayya,
>>>>
>>>> I have done some coding in ServerSSLSetupHandler.java and ServerConnFactoryBuilder.java as they did on the backend side. I think the logic is ok but it's hard to test since we don't have a certificate chain signed by a CA. I used wso2carbon.jks for the client and the request failed since both OCSP and CRL verification failed for wso2carbon.jks. I have attached the diff file. Can you take a look?
>>>>
>>>> Thanks.
>>>>
>>>> On Wed, Mar 19, 2014 at 11:43 AM, Sudheera Palihakkara <[email protected]> wrote:
>>>>
>>>>> Hi ayya,
>>>>>
>>>>> In ServerConnFactoryBuilder.java file line 202
>>>>>
>>>>> *ServerSSLSetupHandler sslSetupHandler = (clientAuth != null || httpsProtocols != null) ? new ServerSSLSetupHandler(clientAuth, httpsProtocols) : null;*
>>>>>
>>>>> it seems like if the SSLVerifyClient parameter is not defined then *ServerSSLSetupHandler()* doesn't get invoked. Do we need this "SSLVerifyClient" parameter set to "required" in order to verify OCSP and CRL?
>>>>>
>>>>> On Sat, Mar 15, 2014 at 12:20 AM, Jeewantha Dharmaparakrama <[email protected]> wrote:
>>>>>
>>>>>> Hi Sudheera,
>>>>>>
>>>>>> You don't need SSL Profiles to talk to HTTPS backends. SSL profiles are to define different SSL configurations (Trust stores, Keystores) to different backends. And according to the logs, the connection is not made to an HTTPS backend. The error occurs during the SSL handshake.
>>>>>>
>>>>>> To make an HTTPS connection just host your service in some server (doesn't matter which) and in the ESB define the endpoint to connect to the https port with the correct HTTPS endpoint URL.
>>>>>>
>>>>>> However, to test OCSP/CRL you can't use a carbon server which runs on your local machine. The reason is, the certificates defined in the Carbon Servers are fake (self signed). That's why the web browser says "Untrusted connection" when you try to connect to the management console of a locally running carbon server. And in those fake certificates, the CRL/OCSP urls are not defined. So you can't test the OCSP/CRL feature that way.
>>>>>>
>>>>>> So don't run the backend on your local machine. Instead, use some HTTPS backend like https://www.facebook.com or if you need a webservice use the echo service in Stratos Live [1]. Stratos Live uses valid WSO2 certificates signed by Digicert, a valid CA which has its OCSP/CRL servers running [2].
>>>>>>
>>>>>> [1] https://stratoslive.wso2.com/services/echo?wsdl
>>>>>> [2] http://www.digicert.com/
>>>>>>
>>>>>> If you have more questions please ask on @Dev to be more visible to the public.
>>>>>>
>>>>>> Thanks,
>>>>>> Jeewantha
>>>>>>
>>>>>> On Fri, Mar 14, 2014 at 2:09 AM, Sudheera Palihakkara <[email protected]> wrote:
>>>>>>
>>>>>>> Hi ayya.
>>>>>>>
>>>>>>> I'm trying to invoke the already implemented OCSP at the transport sender and get an idea about the flow. But I'm having some difficulties during the process. Here's what I've done:
>>>>>>>
>>>>>>> 1. Followed this document [1] to create the SSL profiles (used the same axis2.xml with password as *wso2carbon*).
>>>>>>> 2. Started a separate DSS with clientAuth="true" in catalina-server.xml.
>>>>>>> 3. Created a proxy service in ESB to invoke the *echo service* deployed at DSS with use of *https* in the endpoint.
>>>>>>>
>>>>>>> When I invoked the proxy service I'm getting this error:
>>>>>>>
>>>>>>> *[2014-03-14 13:11:10,725] ERROR - TargetHandler I/O error: Unrecognized SSL message, plaintext connection?*
>>>>>>>
>>>>>>> Full error log [2].
>>>>>>>
>>>>>>> Can you help me out please? Is there any other way to test this? I might need something similar for the transport listener too. Thank you.
>>>>>>>
>>>>>>> [1] http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html
>>>>>>> [2] http://pastebin.com/5VMK4cnT
>>>>>>
>>>>>> --
>>>>>> Jeewantha Dharmaparakrama
>>>>>> Software Engineer; WSO2, Inc.; http://wso2.com/
>>>>>> Phone : (+94) 774726790
>>>>>> Skype : prasad.jeewantha
>>>>>> LinkedIn : http://www.linkedin.com/in/jeewanthad
>>>>>> Twitter: https://twitter.com/jeewamp
>>>>>> Blog: http://jeewanthad.blogspot.com/
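The certificate-generation steps Jeewantha describes above (a self-signed CA, a user certificate signed by it, and an extension file carrying the Authority Information Access and CRL Distribution Points URLs) as one runnable script. This is an added example and not code from the thread or from WSO2; it assumes a POSIX sh with an openssl binary on PATH, the subject names are made up, and the two URLs are the DigiCert ones quoted in the thread. The check at the end confirms what a validator like the ESB's PathChecker needs before it can even attempt OCSP/CRL: the pointers are really in user.crt, and user.crt chains to ca.crt.

```shell
#!/bin/sh
# Added example (not from the mail thread or the WSO2 code base): build a test
# CA and a client certificate carrying OCSP/CRL pointers, then verify both.
# Assumptions: POSIX sh, openssl on PATH; all names below are invented.

# Generate ca.key/ca.crt and user.key/user.crt inside directory $1.
make_test_certs() {
    dir="$1"
    # CA config. basicConstraints=CA:TRUE is what makes a validator accept
    # ca.crt as an issuer; "req -x509" does not add it on every OpenSSL version.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Extension file handed to "x509 -req -extfile" when the CA signs the CSR.
    # The unnamed default section is used, so no -extensions option is needed.
    # The two revocation pointers are the DigiCert URLs quoted in the thread.
    cat > "$dir/user-ext.cnf" <<'EOF'
authorityInfoAccess   = OCSP;URI:http://ocsp.digicert.com
crlDistributionPoints = URI:http://crl3.digicert.com/ca3-g17.crl
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
extendedKeyUsage      = clientAuth
EOF
    # 1. Self-signed CA certificate (no intermediate, as the thread suggests).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test Client CA" -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. User key and CSR. The CSR carries no extensions; they come from the
    #    extension file at signing time.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=test-user" -config "$dir/ca.cnf" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    # 3. CA signs the CSR and attaches the AIA and CRL DP extensions.
    openssl x509 -req -sha256 -days 365 -in "$dir/user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/user-ext.cnf" -out "$dir/user.crt" 2>/dev/null
}

# Succeed only if the decoded certificate $1 shows both revocation pointers.
cert_has_revocation_pointers() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -Fq 'OCSP - URI:http://ocsp.digicert.com' &&
    echo "$text" | grep -Fq 'URI:http://crl3.digicert.com/ca3-g17.crl'
}

# Succeed only if user.crt in directory $1 chains to ca.crt in the same dir.
chain_verifies() {
    openssl verify -CAfile "$1/ca.crt" "$1/user.crt" >/dev/null 2>&1
}

main() {
    dir="${1:-$(mktemp -d)}"
    make_test_certs "$dir"
    if cert_has_revocation_pointers "$dir/user.crt" && chain_verifies "$dir"; then
        echo "OK: $dir/user.crt carries OCSP and CRL pointers and chains to $dir/ca.crt"
    else
        echo "FAIL: missing revocation pointers or chain does not verify" >&2
        return 1
    fi
}

main "$@"
```

Run it with an optional output directory (`sh make-test-certs.sh ./certs`) and pass the resulting ca.crt and user.crt to the curl command from the thread. The check proves only that the URLs are embedded; whether the ESB's OCSPVerifier then gets a useful answer depends on the responder at that URL, which is the part the server log above shows failing before the CRL path decides the outcome.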
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
