+1. That explains it :). Since you've created the Custom certificates I guess we can write an integration test so that we are done done with this feature. Please talk to Kasun about the integration test.
Note: I dont think I have handled all the OSCP response status values in the code. If you have time try to do some research on how to deal with response statuses like *tryLater*, *sigRequired* and *unauthorized.* Jeewantha On Fri, Mar 21, 2014 at 11:28 AM, Sudheera Palihakkara <sudhe...@wso2.com>wrote: > Hi, > > I have debugged the code, In OCSPverifier line no 84 > ocspResponse.getStatus() returns integer 6 which is defined as > OCSPRespStatus.UNAUTHORIZED. According to > ietf<http://www.ietf.org/rfc/rfc2560.txt>this is because the client is not > authorized to make the query to the > server. > > > > > > On Fri, Mar 21, 2014 at 10:20 PM, Sudheera Palihakkara > <sudhe...@wso2.com>wrote: > >> Yeah I've added the url, cert param have these extentions at the runtime >> >> Certificate Extensions: 2 >> [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false >> AuthorityInfoAccess [ >> [ >> accessMethod: ocsp >> accessLocation: URIName: http://ocsp.digicert.com >> ] >> ] >> >> [2]: ObjectId: 2.5.29.31 Criticality=false >> CRLDistributionPoints [ >> [DistributionPoint: >> [URIName: http://crl3.digicert.com/ca3-g17.crl] >> ]] >> >> >> I'll try debugging. :) >> >> >> >> On Fri, Mar 21, 2014 at 9:48 PM, Jeewantha Dharmaparakrama < >> jeewan...@wso2.com> wrote: >> >>> Well first ESB tries with OCSP. If the CA does not support OCSP it tries >>> with CRL. Both protocols do the same thing but OCSP is newer. Thats why ESB >>> tries OCSP first. >>> >>> Did you add the OCSP url in the certificate properly? IINM Digicert >>> should support OCSP. If OCSP url is added properly, try to debug the code >>> and find where it get fails. >>> >>> Jeewantha. >>> >>> >>> On Fri, Mar 21, 2014 at 9:57 AM, Sudheera Palihakkara <sudhe...@wso2.com >>> > wrote: >>> >>>> Hi Jeewantha, >>>> >>>> I have created CA and client certificates like you asked. And using >>>> curl did the request. Here's what I got at the server log. >>>> >>>> INFO - CacheManager OCSPCache Cache Manager Started >>>> INFO - CacheManager CRLCache Cache Manager Started >>>> INFO - RevocationVerificationManager OCSPVerifier failed. >>>> INFO - CRLVerifier Trying to get CRL for URL: >>>> http://crl3.digicert.com/ca3-g17.crl >>>> INFO - CRLCache Before set- HashMap size 0 >>>> INFO - CRLCache After set - HashMap size 1 >>>> INFO - PathChecker Certificate status is: Good >>>> INFO - CertificatePathValidator Certificate path validated >>>> INFO - RevocationVerificationManager Path verification Successful. Took >>>> 1075 ms. >>>> >>>> >>>> looks like OCSPVerifier has failed, what do you think? is it because a >>>> issue in the source or the certificate created by me? >>>> >>>> >>>> On Thu, Mar 20, 2014 at 11:01 PM, Jeewantha Dharmaparakrama < >>>> jeewan...@wso2.com> wrote: >>>> >>>>> +1. >>>>> >>>>> So when you invoke the HTTPS service with client auth enabled, the >>>>> connection should be rejected since there is no OCSP/CRL information in >>>>> the >>>>> client certificate. >>>>> >>>>> But we should test this with some custom made certificates. Create a >>>>> self signed *CA certificate* and a *User certificate* signed by that >>>>> CA. You can use the tool *openssl* for this. (No need to create an >>>>> intermediate CA cert) [1]. Before giving the Certificate signing >>>>> request(CSR) to the CA you have to give the proper X509Extensions >>>>> *Authority >>>>> Information Access* [2] and *Crl Distribution Points* [3] so that >>>>> the URLs for OCSP and CRL servers will be added to the certificate you >>>>> create. You will have to create an *openssl.cnf* file with the >>>>> following information to be given to *openssl* with the CSR as an >>>>> extension file. >>>>> >>>>> authorityInfoAccess = OCSP;URI: http://ocsp.digicert.com >>>>> crlDistributionPoints=URI:http://crl3.digicert.com/ca3-g17.crl >>>>> >>>>> >>>>> >>>>> >>>>> The above urls are from the CA which has signed WSO2 certificates >>>>> (Digicert). Please check the certificate. Now you can add the created >>>>> certificates to wso2carbon.jks (Both keystore and truststore) : see online >>>>> resources on how to do that. Once configured, call the HTTPS service with >>>>> client auth enabled. Use curl to send the getQuote request. >>>>> >>>>> curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: >>>>> "urn:getQuote"' -d @request_file.xml --cacert ca.crt --cert user.crt -v >>>>> https://localhost:8243 >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Now the ESB should do OCSP/CRL validations and since there are no >>>>> revocation information with Digicert on the certificate you created, the >>>>> HTTPS connection should be established. >>>>> >>>>> Please ask if you have any questions. >>>>> >>>>> [1] >>>>> http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/ >>>>> [2] >>>>> http://www.oracle.com/technetwork/articles/soa/patil-certrevoc-1873528.html >>>>> [3] http://stackoverflow.com/a/12023746/1411653 >>>>> >>>>> Thanks, >>>>> Jeewantha >>>>> >>>>> >>>>> On Wed, Mar 19, 2014 at 10:50 PM, Sudheera Palihakkara < >>>>> sudhe...@wso2.com> wrote: >>>>> >>>>>> Hi Jeewantha, >>>>>> >>>>>> I have moved ServerConnFactoryBuilder and ClientConnFactoryBuilder >>>>>> from /transport/nhttp/config/ to /transport/http/config/ because those >>>>>> two >>>>>> classed are common to both nhttp and passthru transports. >>>>>> >>>>>> Here are the diff files of the two files that I edited. >>>>>> >>>>>> I used an online tool to generate ServerConnFactoryBuilder.diff >>>>>> because I did not committed the changes after I moved the file to http >>>>>> directory so the format of the diff file may different. >>>>>> >>>>>> thanks. >>>>>> >>>>>> >>>>>> >>>>>> On Wed, Mar 19, 2014 at 8:57 PM, Jeewantha Dharmaparakrama < >>>>>> jeewan...@wso2.com> wrote: >>>>>> >>>>>>> [Adding @dev] >>>>>>> >>>>>>> Hi Sudheera, >>>>>>> >>>>>>> Did you remove ServerConnFactoryBuilder and ClientConnFactoryBuilder >>>>>>> from the source and added the changed classes again? Its difficult to >>>>>>> see >>>>>>> which lines have changed in the patch file. >>>>>>> Please remove ServerConnFactoryBuilder and ClientConnFactoryBuilder >>>>>>> from your local source, svn up again, and then do the changes in those >>>>>>> files and create the patch file. >>>>>>> >>>>>>> Thanks, >>>>>>> Jeewantha >>>>>>> >>>>>>> >>>>>>> On Wed, Mar 19, 2014 at 3:00 AM, Sudheera Palihakkara < >>>>>>> sudhe...@wso2.com> wrote: >>>>>>> >>>>>>>> Hi ayya, >>>>>>>> >>>>>>>> I have done some coding ServerSSLSetupHander.java and >>>>>>>> ServerConnFactoryBuilder.java as they did in the backend side. I think >>>>>>>> the >>>>>>>> logic is ok but it's hard to test since we don't have certificate chain >>>>>>>> that signed by a CA. I used wso2carbon.jks for client and the request >>>>>>>> get >>>>>>>> failed since both ocsp and crl verification get failed for >>>>>>>> wso2carbon.jks . >>>>>>>> I have attached the diff file. Can you take a look. >>>>>>>> >>>>>>>> >>>>>>>> thanks. >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Mar 19, 2014 at 11:43 AM, Sudheera Palihakkara < >>>>>>>> sudhe...@wso2.com> wrote: >>>>>>>> >>>>>>>>> Hi ayya, >>>>>>>>> >>>>>>>>> In ServerConnFactoryBuilder.java file line 202 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> * ServerSSLSetupHandler sslSetupHandler = >>>>>>>>> (clientAuth != null || httpsProtocols >>>>>>>>> != >>>>>>>>> null) ? new >>>>>>>>> ServerSSLSetupHandler(clientAuth,httpsProtocols) : null;* >>>>>>>>> >>>>>>>>> it seems like if SSLVerifyClient parameter not defined then >>>>>>>>> *ServerSSLSetupHandler()* isn't get invoked. Do we need this >>>>>>>>> "SSLVerifyClient" parameter set to "required" in order to verify >>>>>>>>> ocsp and >>>>>>>>> crl ? >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Sat, Mar 15, 2014 at 12:20 AM, Jeewantha Dharmaparakrama < >>>>>>>>> jeewan...@wso2.com> wrote: >>>>>>>>> >>>>>>>>>> Hi Sudheera, >>>>>>>>>> >>>>>>>>>> You don't need SSL Profiles to talk to HTTPS backends. SSL >>>>>>>>>> profiles are to define different SSL configurations (Trust stores, >>>>>>>>>> Keystores) to different backends. And according to the logs, the >>>>>>>>>> connection >>>>>>>>>> is not made to an HTTPS backend. Error occurs during SSL handshake. >>>>>>>>>> >>>>>>>>>> To make an HTTPS connection just host your service in some server >>>>>>>>>> (doesnt matter which) and in the ESB define the endpoint to connect >>>>>>>>>> to the >>>>>>>>>> https port with the correct HTTPS endpoint URL. >>>>>>>>>> >>>>>>>>>> However to test OCSP/CRL you cant use a carbon server which runs >>>>>>>>>> in your local macine. The reason is, the certificates defined in the >>>>>>>>>> Carbon >>>>>>>>>> Servers are fake (Self signed). That's why the web browser says >>>>>>>>>> "Untrusted >>>>>>>>>> connection" when you try connect to the management console of a >>>>>>>>>> locally >>>>>>>>>> running carbon server. And in those fake certificates, the CRL/OCSP >>>>>>>>>> urls >>>>>>>>>> are not defined. So you cant test OCSP/CRL feature that way. >>>>>>>>>> >>>>>>>>>> So don't run the backend in your local machine. Instead, use some >>>>>>>>>> HTTPS backend like https://www.facebook.com or if you need a >>>>>>>>>> webservice use the echo service in Stratos Live[1] . Stratos live >>>>>>>>>> uses >>>>>>>>>> valid WSO2 certificates signed by Digicert, a valid CA which has its >>>>>>>>>> OCSP/CRL servers running[2]. >>>>>>>>>> >>>>>>>>>> [1] https://stratoslive.wso2.com/services/echo?wsdl >>>>>>>>>> [2] http://www.digicert.com/ >>>>>>>>>> >>>>>>>>>> If you have more questions please ask on @Dev to be more visible >>>>>>>>>> to the public. >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Jeewantha >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Fri, Mar 14, 2014 at 2:09 AM, Sudheera Palihakkara < >>>>>>>>>> sudhe...@wso2.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi ayya. >>>>>>>>>>> >>>>>>>>>>> I'm trying to invoke the already implemented ocsp at the >>>>>>>>>>> transport sender and get an idea about the flow. But I'm having some >>>>>>>>>>> difficulties during the process. here's what I've done >>>>>>>>>>> >>>>>>>>>>> 1 . followed this >>>>>>>>>>> [1<http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html>] >>>>>>>>>>> document to create the SSL profiles. (used same axis2.xml with >>>>>>>>>>> password as >>>>>>>>>>> *wso2carbon* ) >>>>>>>>>>> 2. Started a separate DSS with clientAuth="true" in >>>>>>>>>>> catalina-server.xml >>>>>>>>>>> 3. created a proxy service in ESB to invoke *echo service*deployed >>>>>>>>>>> at DSS with use of >>>>>>>>>>> *https* in the endppoint. >>>>>>>>>>> >>>>>>>>>>> When I invoked the proxy service I'm getting this error >>>>>>>>>>> >>>>>>>>>>> *[2014-03-14 13:11:10,725] ERROR - TargetHandler I/O error: >>>>>>>>>>> Unrecognized SSL message, plaintext connection?* >>>>>>>>>>> >>>>>>>>>>> Full error log[2 <http://pastebin.com/5VMK4cnT>]. >>>>>>>>>>> >>>>>>>>>>> Can you help me out please. I there any other way to test this, >>>>>>>>>>> I might need something similar for transport listener too. thank you >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [1] >>>>>>>>>>> http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html >>>>>>>>>>> [2] http://pastebin.com/5VMK4cnT >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Jeewantha Dharmaparakrama >>>>>>>>>> Software Engineer; WSO2, Inc.; http://wso2.com/ >>>>>>>>>> Phone : (+94) 774726790 >>>>>>>>>> Skype : prasad.jeewantha >>>>>>>>>> LinkedIn : http://www.linkedin.com/in/jeewanthad >>>>>>>>>> Twitter: https://twitter.com/jeewamp >>>>>>>>>> Blog: http://jeewanthad.blogspot.com/ >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Jeewantha Dharmaparakrama >>>>>>> Software Engineer; WSO2, Inc.; http://wso2.com/ >>>>>>> Phone : (+94) 774726790 >>>>>>> Skype : prasad.jeewantha >>>>>>> LinkedIn : http://www.linkedin.com/in/jeewanthad >>>>>>> Twitter: https://twitter.com/jeewamp >>>>>>> Blog: http://jeewanthad.blogspot.com/ >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Jeewantha Dharmaparakrama >>>>> Software Engineer; WSO2, Inc.; http://wso2.com/ >>>>> Phone : (+94) 774726790 >>>>> Skype : prasad.jeewantha >>>>> LinkedIn : http://www.linkedin.com/in/jeewanthad >>>>> Twitter: https://twitter.com/jeewamp >>>>> Blog: http://jeewanthad.blogspot.com/ >>>>> >>>> >>>> >>> >>> >>> -- >>> Jeewantha Dharmaparakrama >>> Software Engineer; WSO2, Inc.; http://wso2.com/ >>> Phone : (+94) 774726790 >>> Skype : prasad.jeewantha >>> LinkedIn : http://www.linkedin.com/in/jeewanthad >>> Twitter: https://twitter.com/jeewamp >>> Blog: http://jeewanthad.blogspot.com/ >>> >> >> > -- Jeewantha Dharmaparakrama Software Engineer; WSO2, Inc.; http://wso2.com/ Phone : (+94) 774726790 Skype : prasad.jeewantha LinkedIn : http://www.linkedin.com/in/jeewanthad Twitter: https://twitter.com/jeewamp Blog: http://jeewanthad.blogspot.com/
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
