Yeah, I've added the URL; the cert param has these extensions at runtime:
Certificate Extensions: 2
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
]
]
[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/ca3-g17.crl]
]]
I'll try debugging. :)
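As an added example (not code from the thread, WSO2 or Digicert), the certificate procedure Jeewantha describes below carried out with openssl, followed by a check that the resulting user certificate really carries the OCSP responder and CRL distribution point the ESB's verifiers look for. It assumes the openssl CLI is installed; the responder and CRL URIs are placeholders rather than the real Digicert ones.

```shell
# Added example, not code from the thread: build the self-signed CA and the
# CA-signed user certificate the thread describes, with the AIA (OCSP) and CRL
# Distribution Points extensions supplied through an extension file, then check
# that the user cert really carries both URIs before it goes into the keystore.
# Assumes the openssl CLI is installed; the responder/CRL URIs are placeholders.
set -eu

WORK="$(mktemp -d)"
OCSP_URI="http://ocsp.example.test"
CRL_URI="http://crl.example.test/ca.crl"

# Extension file handed to openssl when the CA signs the CSR (same two
# directives as the thread's openssl.cnf, with placeholder URIs).
cat > "$WORK/ext.cnf" <<EOF
authorityInfoAccess = OCSP;URI:$OCSP_URI
crlDistributionPoints = URI:$CRL_URI
EOF

# Self-signed CA certificate and key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# User key and CSR, then the CA signs it and adds the extensions above.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=user" -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -days 365 -sha256 -in "$WORK/user.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/ext.cnf" -out "$WORK/user.crt" 2>/dev/null

# Print "OCSP=<uri>" and "CRL=<uri>" for the pointers found in a PEM cert.
# Prints nothing for a cert without them (like the stock wso2carbon.jks one),
# which is exactly the case in which the ESB's revocation check cannot run.
cert_revocation_uris() {
  openssl x509 -in "$1" -noout -ocsp_uri | sed 's/^/OCSP=/'
  openssl x509 -in "$1" -noout -text \
    | grep -A4 'X509v3 CRL Distribution Points' \
    | grep -o 'URI:[^ ]*' | sed 's/^URI:/CRL=/'
}

# Succeeds only if the cert carries both an OCSP responder and a CRL DP.
has_revocation_pointers() {
  cert_revocation_uris "$1" | grep -q '^OCSP=' \
    && cert_revocation_uris "$1" | grep -q '^CRL='
}

cert_revocation_uris "$WORK/user.crt"
```

The CA certificate itself is created without the two extensions, so running the check on ca.crt shows what the ESB sees for a cert like the default wso2carbon.jks one.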
On Fri, Mar 21, 2014 at 9:48 PM, Jeewantha Dharmaparakrama <
[email protected]> wrote:
> Well, first the ESB tries OCSP. If the CA does not support OCSP it tries
> CRL. Both protocols do the same thing but OCSP is newer. That's why the ESB
> tries OCSP first.
>
> Did you add the OCSP URL to the certificate properly? IINM Digicert should
> support OCSP. If the OCSP URL is added properly, try to debug the code and find
> where it fails.
>
> Jeewantha.
>
>
> On Fri, Mar 21, 2014 at 9:57 AM, Sudheera Palihakkara
> <[email protected]>wrote:
>
>> Hi Jeewantha,
>>
>> I have created the CA and client certificates as you asked, and sent the
>> request using curl. Here's what I got in the server log.
>>
>> INFO - CacheManager OCSPCache Cache Manager Started
>> INFO - CacheManager CRLCache Cache Manager Started
>> INFO - RevocationVerificationManager OCSPVerifier failed.
>> INFO - CRLVerifier Trying to get CRL for URL:
>> http://crl3.digicert.com/ca3-g17.crl
>> INFO - CRLCache Before set- HashMap size 0
>> INFO - CRLCache After set - HashMap size 1
>> INFO - PathChecker Certificate status is: Good
>> INFO - CertificatePathValidator Certificate path validated
>> INFO - RevocationVerificationManager Path verification Successful. Took
>> 1075 ms.
>>
>>
>> Looks like OCSPVerifier has failed; what do you think? Is it because of an
>> issue in the source or in the certificate I created?
>>
>>
>> On Thu, Mar 20, 2014 at 11:01 PM, Jeewantha Dharmaparakrama <
>> [email protected]> wrote:
>>
>>> +1.
>>>
>>> So when you invoke the HTTPS service with client auth enabled, the
>>> connection should be rejected since there is no OCSP/CRL information in the
>>> client certificate.
>>>
>>> But we should test this with some custom-made certificates. Create a
>>> self-signed *CA certificate* and a *User certificate* signed by that
>>> CA. You can use the tool *openssl* for this. (No need to create an
>>> intermediate CA cert) [1]. Before giving the Certificate Signing
>>> Request (CSR) to the CA you have to give the proper X509Extensions *Authority
>>> Information Access* [2] and *CRL Distribution Points* [3] so that the
>>> URLs for the OCSP and CRL servers will be added to the certificate you create.
>>> You will have to create an *openssl.cnf* file with the following
>>> information to be given to *openssl* with the CSR as an extension file.
>>>
>>> authorityInfoAccess = OCSP;URI: http://ocsp.digicert.com
>>> crlDistributionPoints=URI:http://crl3.digicert.com/ca3-g17.crl
>>>
>>>
>>> The above URLs are from the CA which has signed WSO2 certificates
>>> (Digicert). Please check the certificate. Now you can add the created
>>> certificates to wso2carbon.jks (both keystore and truststore); see online
>>> resources on how to do that. Once configured, call the HTTPS service with
>>> client auth enabled. Use curl to send the getQuote request.
>>>
>>> curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction:
>>> "urn:getQuote"' -d @request_file.xml --cacert ca.crt --cert user.crt -v
>>> https://localhost:8243
>>>
>>>
>>>
>>> Now the ESB should do OCSP/CRL validations, and since there is no
>>> revocation information with Digicert on the certificate you created, the
>>> HTTPS connection should be established.
>>>
>>> Please ask if you have any questions.
>>>
>>> [1]
>>> http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
>>> [2]
>>> http://www.oracle.com/technetwork/articles/soa/patil-certrevoc-1873528.html
>>> [3] http://stackoverflow.com/a/12023746/1411653
>>>
>>> Thanks,
>>> Jeewantha
>>>
>>>
>>> On Wed, Mar 19, 2014 at 10:50 PM, Sudheera Palihakkara <
>>> [email protected]> wrote:
>>>
>>>> Hi Jeewantha,
>>>>
>>>> I have moved ServerConnFactoryBuilder and ClientConnFactoryBuilder from
>>>> /transport/nhttp/config/ to /transport/http/config/ because those two
>>>> classes are common to both nhttp and passthru transports.
>>>>
>>>> Here are the diff files of the two files that I edited.
>>>>
>>>> I used an online tool to generate ServerConnFactoryBuilder.diff because
>>>> I did not commit the changes after I moved the file to the http directory, so
>>>> the format of the diff file may be different.
>>>>
>>>> thanks.
>>>>
>>>>
>>>>
>>>> On Wed, Mar 19, 2014 at 8:57 PM, Jeewantha Dharmaparakrama <
>>>> [email protected]> wrote:
>>>>
>>>>> [Adding @dev]
>>>>>
>>>>> Hi Sudheera,
>>>>>
>>>>> Did you remove ServerConnFactoryBuilder and ClientConnFactoryBuilder
>>>>> from the source and add the changed classes again? It's difficult to see
>>>>> which lines have changed in the patch file.
>>>>> Please remove ServerConnFactoryBuilder and ClientConnFactoryBuilder
>>>>> from your local source, svn up again, and then do the changes in those
>>>>> files and create the patch file.
>>>>>
>>>>> Thanks,
>>>>> Jeewantha
>>>>>
>>>>>
>>>>> On Wed, Mar 19, 2014 at 3:00 AM, Sudheera Palihakkara <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hi ayya,
>>>>>>
>>>>>> I have done some coding in ServerSSLSetupHandler.java and
>>>>>> ServerConnFactoryBuilder.java as they did on the backend side. I think the
>>>>>> logic is OK but it's hard to test since we don't have a certificate chain
>>>>>> signed by a CA. I used wso2carbon.jks for the client and the request
>>>>>> failed since both OCSP and CRL verification failed for wso2carbon.jks.
>>>>>> I have attached the diff file. Can you take a look?
>>>>>>
>>>>>>
>>>>>> thanks.
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 19, 2014 at 11:43 AM, Sudheera Palihakkara <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi ayya,
>>>>>>>
>>>>>>> In the ServerConnFactoryBuilder.java file, line 202:
>>>>>>>
>>>>>>> ServerSSLSetupHandler sslSetupHandler =
>>>>>>>     (clientAuth != null || httpsProtocols != null)
>>>>>>>         ? new ServerSSLSetupHandler(clientAuth, httpsProtocols) : null;
>>>>>>>
>>>>>>> it seems that if the SSLVerifyClient parameter is not defined then
>>>>>>> ServerSSLSetupHandler() does not get invoked. Do we need this
>>>>>>> "SSLVerifyClient" parameter set to "required" in order to verify OCSP
>>>>>>> and CRL?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Mar 15, 2014 at 12:20 AM, Jeewantha Dharmaparakrama <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Sudheera,
>>>>>>>>
>>>>>>>> You don't need SSL Profiles to talk to HTTPS backends. SSL profiles
>>>>>>>> are to define different SSL configurations (trust stores, keystores) for
>>>>>>>> different backends. And according to the logs, the connection is not made
>>>>>>>> to an HTTPS backend. The error occurs during the SSL handshake.
>>>>>>>>
>>>>>>>> To make an HTTPS connection just host your service in some server
>>>>>>>> (doesn't matter which) and in the ESB define the endpoint to connect to
>>>>>>>> the https port with the correct HTTPS endpoint URL.
>>>>>>>>
>>>>>>>> However, to test OCSP/CRL you can't use a carbon server which runs on
>>>>>>>> your local machine. The reason is, the certificates defined in the Carbon
>>>>>>>> servers are fake (self-signed). That's why the web browser says "Untrusted
>>>>>>>> connection" when you try to connect to the management console of a locally
>>>>>>>> running carbon server. And in those fake certificates, the CRL/OCSP URLs
>>>>>>>> are not defined. So you can't test the OCSP/CRL feature that way.
>>>>>>>>
>>>>>>>> So don't run the backend on your local machine. Instead, use some
>>>>>>>> HTTPS backend like https://www.facebook.com or, if you need a
>>>>>>>> web service, use the echo service in Stratos Live [1]. Stratos Live uses
>>>>>>>> valid WSO2 certificates signed by Digicert, a valid CA which has its
>>>>>>>> OCSP/CRL servers running [2].
>>>>>>>>
>>>>>>>> [1] https://stratoslive.wso2.com/services/echo?wsdl
>>>>>>>> [2] http://www.digicert.com/
>>>>>>>>
>>>>>>>> If you have more questions please ask on @Dev to be more visible to
>>>>>>>> the public.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Jeewantha
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 14, 2014 at 2:09 AM, Sudheera Palihakkara <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi ayya.
>>>>>>>>>
>>>>>>>>> I'm trying to invoke the already implemented OCSP at the transport
>>>>>>>>> sender and get an idea about the flow. But I'm having some difficulties
>>>>>>>>> during the process. Here's what I've done:
>>>>>>>>>
>>>>>>>>> 1. Followed this document [1] to create the SSL profiles. (Used the same
>>>>>>>>> axis2.xml with the password *wso2carbon*.)
>>>>>>>>> 2. Started a separate DSS with clientAuth="true" in
>>>>>>>>> catalina-server.xml.
>>>>>>>>> 3. Created a proxy service in the ESB to invoke the *echo service* deployed
>>>>>>>>> at the DSS using *https* in the endpoint.
>>>>>>>>>
>>>>>>>>> When I invoked the proxy service I'm getting this error:
>>>>>>>>>
>>>>>>>>> [2014-03-14 13:11:10,725] ERROR - TargetHandler I/O error:
>>>>>>>>> Unrecognized SSL message, plaintext connection?
>>>>>>>>>
>>>>>>>>> Full error log [2].
>>>>>>>>>
>>>>>>>>> Can you help me out please? Is there any other way to test this? I
>>>>>>>>> might need something similar for the transport listener too. Thank you.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [1]
>>>>>>>>> http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html
>>>>>>>>> [2] http://pastebin.com/5VMK4cnT
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jeewantha Dharmaparakrama
>>>>>>>> Software Engineer; WSO2, Inc.; http://wso2.com/
>>>>>>>> Phone : (+94) 774726790
>>>>>>>> Skype : prasad.jeewantha
>>>>>>>> LinkedIn : http://www.linkedin.com/in/jeewanthad
>>>>>>>> Twitter: https://twitter.com/jeewamp
>>>>>>>> Blog: http://jeewanthad.blogspot.com/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev