Hi all,

Thanks for the responses.

@malaka: I tried importing the certificate using the mentioned command, but I am
still getting the same results.

@waruna: I have debugged the SSL handshake. As I understand it, the server
asked for an RSA or DSS certificate signed by CA authorities, and the
client replied by sending an empty certificate chain. Does that mean my
keystore doesn't have the required certificates? Is there a way to overcome
such an issue? Or please correct me if I got it wrong.

*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<OU=Equifax Secure Certificate Authority, O=Equifax, C=US>
<CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US>
<CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US>
etc .......

The handshake fails from here:

HTTPS-Listener I/O dispatcher-2, READ: TLSv1 Handshake, length = 141
*** Certificate chain
***
HTTPS-Listener I/O dispatcher-2, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
HTTPS-Listener I/O dispatcher-2, SEND TLSv1 ALERT:  fatal, description = bad_certificate

HTTPS-Listener I/O dispatcher-2, WRITE: TLSv1 Alert, length = 2
HTTPS-Listener I/O dispatcher-2, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
[2014-12-15 14:43:09,400] ERROR - SourceHandler I/O error: null cert chain

javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:485)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1108)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1080)


Thanks.

On Mon, Dec 15, 2014 at 6:43 PM, Malaka Silva <[email protected]> wrote:
>
> Hi Vijitha,
>
> Try importing the keystore into the client truststore using the following
> command.
>
> Something similar is also done in [1].
>
>    1. keytool -importcert -file <certificate file> -keystore <ESB>/repository/resources/security/client-truststore.jks -alias "TrustCertImport"
>
>    2. Restart the server.
>
> [1]
> https://github.com/wso2-dev/esb-connectors/blob/master/basecamp/basecamp-connector/basecamp-connector-1.0.0/README.txt
>
> On Mon, Dec 15, 2014 at 11:37 AM, Waruna Perera <[email protected]> wrote:
>>
>> Hi Vijitha,
>>
>> Please try debugging using *-Djavax.net.debug=all* and see the output.
>>
>> Thanks,
>>
>> On Mon, Dec 15, 2014 at 11:34 AM, Vijitha Ekanayake <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> I was trying to invoke an HTTPS endpoint using an ESB proxy service. It
>>> gives the following SSLHandshakeException. If I call the endpoint directly
>>> from the Advanced REST Client tool provided by Google Chrome, I am able to
>>> get a successful response. I used [1] as reference material.
>>>
>>> Steps I followed:
>>> 1. Generated a custom certificate using keytool.
>>> 2. Configured the web server (Tomcat) with the created keystore.
>>> 3. Exported the public certificate to a .crt file.
>>> 4. Added the .crt to wso2carbon.jks and client-truststore.jks.
>>> 5. Changed the axis2.xml parameter to <parameter
>>> name="HostnameVerifier">AllowAll</parameter>
>>>
>>> Can anyone help me to sort out this issue?
>>>
>>> The following exception was printed in the terminal:
>>>
>>> [2014-12-15 08:40:04,243] ERROR - SourceHandler I/O error: null cert chain
>>> javax.net.ssl.SSLHandshakeException: null cert chain
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
>>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:485)
>>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1108)
>>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1080)
>>>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:220)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:254)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:380)
>>>     at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:118)
>>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:160)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:342)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:320)
>>>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:280)
>>>     at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
>>>     at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:604)
>>>     at java.lang.Thread.run(Thread.java:695)
>>> Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
>>>     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
>>>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1447)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:231)
>>>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1372)
>>>     at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:160)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:238)
>>>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:270)
>>>
>>> [1]
>>> http://sahanlm.blogspot.com/2013/10/wso2-esb-exposing-secure-backend.html
>>>
>>> --
>>> Vijitha Ekanayake
>>> Software Engineer, WSO2, Inc.; http://wso2.com/
>>> Mobile : +94 777 24 73 39 | +94 718 74 44 08
>>> lean.enterprise.middleware
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>> --
>> Waruna Perera
>> Senior Software Engineer - Test Automation
>> Mobile: +94 77 3867037
>> WSO2, Inc.; http://wso2.com/
>> lean . enterprise . middleware.
>>
>
> --
>
> Best Regards,
>
> Malaka Silva
> Senior Tech Lead
> M: +94 777 219 791
> Tel : 94 11 214 5345
> Fax :94 11 2145300
> Skype : malaka.sampath.silva
> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
> Blog : http://mrmalakasilva.blogspot.com/
>
> WSO2, Inc.
> lean . enterprise . middleware
> http://www.wso2.com/
> http://www.wso2.com/about/team/malaka-silva/
> <http://wso2.com/about/team/malaka-silva/>
>
> Save a tree -Conserve nature & Save the world for your future. Print this
> email only if it is absolutely necessary.
>


-- 
Vijitha Ekanayake
Software Engineer, WSO2, Inc.; http://wso2.com/
Mobile : +94 777 24 73 39 | +94 718 74 44 08
lean.enterprise.middleware
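
The debug trace in this thread shows the HTTPS listener sending a CertificateRequest and then reading an empty Certificate chain before raising alert 42. As an added example (not part of the original thread), this Python script reads a trace of that shape and reports what was requested and what came back. The sample trace is constructed, and the `chain [n]` entry layout closed by `***` is an assumption about the debug format.

```python
import re

# Constructed trace in the shape of -Djavax.net.debug=all output (layout assumed).
SAMPLE = """\
*** Certificate chain
chain [0] = [ ...listener's own certificate, elided... ]
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<OU=Equifax Secure Certificate Authority, O=Equifax, C=US>
<CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US>
*** ServerHelloDone
HTTPS-Listener I/O dispatcher-2, READ: TLSv1 Handshake, length = 141
*** Certificate chain
***
HTTPS-Listener I/O dispatcher-2, fatal error: 42: null cert chain
HTTPS-Listener I/O dispatcher-2, SEND TLSv1 ALERT:  fatal, description = bad_certificate
"""

ALERT = re.compile(r"(SEND|RECV) \S+ ALERT:\s+(\w+), description = (\w+)")

def diagnose(trace):
    """Summarise the client-certificate exchange in a JSSE debug trace."""
    r = {"requested": False, "cert_types": [], "authorities": [],
         "client_chain_len": None, "alerts": []}
    section = None
    for line in (l.strip() for l in trace.splitlines()):
        if line.startswith("***"):
            section = line.strip("* ") or None  # bare "***" closes a section
            if section == "CertificateRequest":
                r["requested"] = True
            elif section == "Certificate chain" and r["requested"]:
                r["client_chain_len"] = 0  # only the chain read after the request
        elif section == "CertificateRequest" and line.startswith("Cert Types:"):
            r["cert_types"] = [t.strip() for t in line.split(":", 1)[1].split(",")]
        elif section == "CertificateRequest" and line.startswith("<"):
            r["authorities"].append(line.strip("<>"))
        elif section == "Certificate chain" and r["requested"] and line.startswith("chain ["):
            r["client_chain_len"] += 1
        m = ALERT.search(line)
        if m:
            r["alerts"].append(m.groups())
    return r

def verdict(r):
    if r["requested"] and r["client_chain_len"] == 0:
        return "client certificate requested, peer sent an empty chain"
    return "no empty client chain after a CertificateRequest in this trace"
```

The `authorities` list is what to compare against the issuer DNs of the private-key entries in the calling side's keystore, since a JSSE client only offers a certificate whose key type and issuer match the request.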