Hi,

Using client certificates with Restlet 1.1 is not well supported (in 
fact, it's not supported at all, but there are workarounds to make it 
work in some cases). I'd suggest upgrading to Restlet 2; there might still 
be bugs with some connectors, but the Apache HTTP client and the Net 
connector (default java.net package classes) seem to work fine.

If you can't upgrade to Restlet 2, you could try a few things:
- Using the Net connector and the same settings.
- You might also want to try to have the keystore have the same password 
as the key itself.
- I would also avoid using the same keystore for the client and the 
server. Either have one common keystore file for the truststore (to 
recognise your CAs) and two separate keystores (one for the 
client, one for the server, with their respective private keys); or 
import the CA certificates into both client and server keystores.
- You could also try the Apache HTTP client connector, using the 
workaround described in this comment 
<http://restlet.tigris.org/issues/show_bug.cgi?id=586#desc4> (not very 
clean).

Best wishes,

Bruno.

[email protected] wrote:
> Hi,
> 
> I'm trying to use the Simple HTTPS library to set up an HTTPS connection with 
> mutual PKI authentication, after successful server-only authentication.
> 
> For the server-only authentication, I created a JKS keystore and modified the 
> client/server samples in 
> src\org.restlet.example\org\restlet\example\book\restlet\ch11\{BasicHttpsServer.java,BasicHttpsClient.java}
> to load that store.
> The client GET request returned the 200 OK.
> 
> For the mutual authentication, the BasicHttpsServer.java becomes:
> 
>         System.setProperty("javax.net.ssl.trustStore", keystoreFile.getAbsolutePath());
>         System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
> 
>         // Component declaring only one HTTPS server connector.
>         Component component = new Component();
>         Server server = component.getServers().add(Protocol.HTTPS, 8182);
>         component.getDefaultHost().attach("/helloWorld", restlet);
> 
>         // Update server's context with keystore parameters.
>         server.getContext().getParameters().add("keystorePath", keystoreFile.getAbsolutePath());
>         server.getContext().getParameters().add("keystorePassword", "changeit");
>         server.getContext().getParameters().add("keyPassword", "server");
>         server.getContext().getParameters().add("needClientAuthentication", "true");
> 
> 
> and the BasicHttpsClient.java becomes:
> 
>         System.setProperty("javax.net.ssl.trustStore", keystoreFile.getAbsolutePath());
>         System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
> 
>         Component component = new Component();
>         Client client = component.getClients().add(Protocol.HTTPS);
>         client.getContext().getParameters().add("keystorePath", keystoreFile.getAbsolutePath());
>         client.getContext().getParameters().add("keystorePassword", "changeit");
>         client.getContext().getParameters().add("keyPassword", "server");
> 
> which is very similar to the server. I used the same jks keystore file for 
> both client and server to make sure they have the same CA. However, the 
> client GET request returns this error status:
> 
> Communication Error (1001) - Software caused connection abort: recv failed
> 
> I also tried to load client side keystore with these:
> 
>         System.setProperty("javax.net.ssl.keyStore", keystoreFile.getAbsolutePath());
>         System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
> 
> But I got an error status:
> Communication Error (1001) - Default SSL context init failed: Cannot recover key
> 
> I suspect the client would not find the key in the keystore because Java 
> does not provide such a property as "javax.net.ssl.keyPassword".
> 
> Does anyone know what is wrong? 
> 
> For mutual authentication, how do I set up the trustStore on the server side, 
> and how do I set up the keystore on the client side?
> 
> Thanks a lot.
> 
> Li
> 
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2430830
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2430857
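Bruno's recommended layout (one shared truststore holding the CA, separate client and server keystores with their own private keys) in working form, as an added example that is not part of either message and is not Restlet code: it uses plain JSSE so the same pattern applies regardless of connector. File names and passwords (ca.jks, truststore.jks, server.jks, client.jks, "serverstore"/"serverkey" and so on) are constructed for the example, and a JDK 8 or later keytool is assumed. The store and key passwords are deliberately different to show where that is and is not supported: KeyManagerFactory.init takes the key password explicitly, whereas the javax.net.ssl.keyStore* system properties have no key-password counterpart and reuse the store password, which is what produces Li's "Cannot recover key" when the two differ.

```java
// Added example: JSSE mutual TLS with a shared CA truststore and separate client/server keystores.
// Create the stores first (constructed names/passwords). JKS is used on purpose: Java's PKCS12
// keystore forces the key password to equal the store password, which would hide the point below.
//   keytool -genkeypair -storetype JKS -alias ca -keyalg RSA -keysize 2048 -dname "CN=Demo CA" \
//       -ext bc:c -validity 365 -keystore ca.jks -storepass capass -keypass capass
//   keytool -exportcert -alias ca -keystore ca.jks -storepass capass -rfc -file ca.pem
//   keytool -importcert -noprompt -storetype JKS -alias ca -file ca.pem -keystore truststore.jks -storepass trustpass
//   for side in server client; do
//     keytool -genkeypair -storetype JKS -alias $side -keyalg RSA -keysize 2048 -dname "CN=$side" \
//         -validity 365 -keystore $side.jks -storepass ${side}store -keypass ${side}key
//     keytool -certreq -alias $side -keystore $side.jks -storepass ${side}store -keypass ${side}key -file $side.csr
//     keytool -gencert -alias ca -keystore ca.jks -storepass capass -infile $side.csr -outfile $side.pem -rfc -validity 365
//     keytool -importcert -noprompt -alias ca -file ca.pem -keystore $side.jks -storepass ${side}store
//     keytool -importcert -noprompt -alias $side -file $side.pem -keystore $side.jks -storepass ${side}store -keypass ${side}key
//   done
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsDemo {

    // A truststore holds only certificates, so the store password is all it needs.
    static KeyStore load(Path file, char[] storePassword) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    // Own identity from the keystore, peer trust from the separate truststore. The key password is
    // passed on its own here; the javax.net.ssl.keyStore* system-property route offers no such knob.
    static SSLContext buildContext(Path keyStore, char[] storePw, char[] keyPw,
                                   Path trustStore, char[] trustPw) throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, storePw), keyPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(args.length > 0 ? args[0] : ".");
        Path trust = dir.resolve("truststore.jks");
        SSLContext serverCtx = buildContext(dir.resolve("server.jks"), "serverstore".toCharArray(),
                "serverkey".toCharArray(), trust, "trustpass".toCharArray());
        SSLContext clientCtx = buildContext(dir.resolve("client.jks"), "clientstore".toCharArray(),
                "clientkey".toCharArray(), trust, "trustpass".toCharArray());

        try (SSLServerSocket listener = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0)) {
            listener.setNeedClientAuth(true); // the JSSE equivalent of Restlet's needClientAuthentication=true
            Thread server = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) listener.accept()) {
                    s.startHandshake();
                    // With client auth required, the peer principal is the client certificate's subject;
                    // a client without a trusted certificate never gets this far (handshake fails instead).
                    System.out.println("server saw client: " + s.getSession().getPeerPrincipal());
                    s.getOutputStream().write("hello\n".getBytes());
                } catch (IOException e) {
                    System.out.println("server handshake failed: " + e.getMessage());
                }
            });
            server.start();

            try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", listener.getLocalPort())) {
                c.startHandshake();
                System.out.println("client saw server: " + c.getSession().getPeerPrincipal());
                System.out.println("first byte from server: " + (char) c.getInputStream().read());
            }
            server.join();
        }
    }
}
```

Compile and run with `javac MutualTlsDemo.java && java MutualTlsDemo .` in the directory holding the generated stores; each side prints the other's certificate subject. Pointing both sides at the truststore for trust and at their own keystore for identity is the separation Bruno describes; the variant in his list (importing the CA into both keystores and using them as truststores too) also works, since keytool has already placed the CA as a trusted entry in server.jks and client.jks. If you must stay on the javax.net.ssl.* system properties, the only way to avoid "Cannot recover key" is his other suggestion: make the key password equal to the store password.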
