I removed the cipherSuitesFilter, I get further now but now receive this:

default-workqueue-1, handling exception: java.net.SocketException: Connection reset
%% Invalidated: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
default-workqueue-1, SEND TLSv1 ALERT: fatal, description = unexpected_message
I don't think this is Camel specific anymore, but if anyone would know the answer... :)

On Wed, Jun 19, 2013 at 1:00 PM, Nico Mommaerts <nico.mommae...@gmail.com> wrote:
> Ok thanks, that explains a lot.
>
> Unfortunately, I still don't get it to work. When I look at the javax.net.debug output and compare to
> http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated%5FTLS%5Fhandshake,
> I don't see *CertificateVerify* coming along, only the steps from one-way SSL are shown (and are successful). So the server responds with a 403 forbidden, client auth required message.
>
> My config looks like this (using the wildcard because else it wouldn't match, disabled cncheck to avoid those problems):
>
> <http:conduit name="*.http-conduit">
>   <http:tlsClientParameters disableCNCheck="true">
>     <sec:keyManagers keyPassword="mysecret">
>       <sec:keyStore type="JKS" password="mysecret" file="/data/tomcat/serv03/keystore/.keystore" />
>     </sec:keyManagers>
>     <sec:cipherSuitesFilter>
>       <sec:include>.*_EXPORT_.*</sec:include>
>       <sec:include>.*_EXPORT1024_.*</sec:include>
>       <sec:include>.*_WITH_DES_.*</sec:include>
>       <sec:include>.*_WITH_NULL_.*</sec:include>
>       <sec:exclude>.*_DH_anon_.*</sec:exclude>
>     </sec:cipherSuitesFilter>
>   </http:tlsClientParameters>
> </http:conduit>
>
> I don't have a trustManager configured as the server is using real certs (vs self-signed), and I can see in the javax.net.debug logging that the server's certificate is found and trusted.
> The .keystore contains our self-signed certificate which is also imported on the server side (IIS7).
>
> Do I need to do anything else to enable client-authentication? Can I see in the javax.net.debug output if the server even requests client auth?
>
> On Tue, Jun 18, 2013 at 1:28 PM, Aki Yoshida <elak...@gmail.com> wrote:
>> these are two different things (the inbound side configuration you already have and the outbound side configuration you asked for) and depending on what you need at each side, you can configure them independently.
>>
>> 2013/6/17 Nico Mommaerts <nico.mommae...@gmail.com>
>>
>> > Ok thanks! Had already read that but wasn't sure if that was needed if ssl is also defined in Tomcat itself (is it harmful to also configure it there?)
>> >
>> > On Mon, Jun 17, 2013 at 4:35 PM, Aki Yoshida <elak...@gmail.com> wrote:
>> > > you configure the ssl setting at your http conduit configuration.
>> > > and this is explained in this cxf's online documentation:
>> > >
>> > > http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-ConfiguringSSLSupport
>> > >
>> > > regards, aki
>> > >
>> > > 2013/6/17 Nico Mommaerts <nico.mommae...@gmail.com>
>> > >
>> > > > Hey,
>> > > >
>> > > > I'm trying to set up a Camel CXF proxy with two-way ssl (message gets sent to camel app over http, camel forwards to an external customer over https, 2 way).
>> > > > My Camel app is running on Tomcat (without Jetty running for CXF, I'm using the CXFServlet). I have experience in setting up Tomcat for 2-way ssl with Spring Webservices, but for Camel/CXF I see some literature about http conduits and keystores.
>> > > > So I'm not sure how to set this up for Camel/CXF, is it enough to configure this on Tomcat level, like I do for normal Spring webservices, or do I need to use the http conduit element in my configuration?
>> > > >
>> > > > Thanks in advance,
>> > > > Nicolas Mommaerts
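The question in the thread (can the javax.net.debug output show whether the server even requested client auth?) can be answered by scanning the handshake log for the server's CertificateRequest and the client's CertificateVerify. This is an added example in Python, not code from the thread or from CXF; it assumes the SunJSSE "*** <HandshakeMessage>" debug markers and the sample log it scans is constructed, not captured from the poster's system.

```python
"""Classify a javax.net.debug=ssl:handshake log (TLS 1.0 to 1.2) for client auth.
Added example, not from the thread or from CXF. Markers are the ones SunJSSE
prints ("*** <HandshakeMessage>"); the sample log is constructed, not captured."""
import re

MARKER = re.compile(r"^\*\*\* (\w+)")   # e.g. "*** CertificateRequest"
AUTHORITY = re.compile(r"^<(.+)>$")    # e.g. "<CN=Corp CA, O=Corp>"

def handshake_messages(log_text):
    """Ordered handshake message names found in the log."""
    found = (MARKER.match(ln.strip()) for ln in log_text.splitlines())
    return [m.group(1) for m in found if m]

def requested_authorities(log_text):
    """CA names under 'Cert Authorities:' of the CertificateRequest; the client
    cert must chain to one of them or the default X509KeyManager skips it."""
    cas, inside = [], False
    for line in (ln.strip() for ln in log_text.splitlines()):
        if line.startswith("***"):
            inside = line.startswith("*** CertificateRequest")
        elif inside and AUTHORITY.match(line):
            cas.append(AUTHORITY.match(line).group(1))
    return cas

def classify_client_auth(log_text):
    """'not_requested': server never sent CertificateRequest (one-way TLS; a 403
    then comes from the application, not from the handshake).
    'no_client_cert': server asked, but no CertificateVerify followed (no usable
    private key in the keystore, or no cert issued by a listed CA).
    'client_cert_sent': server asked and the client proved key possession."""
    msgs = handshake_messages(log_text)
    if "CertificateRequest" not in msgs:
        return "not_requested"
    if "CertificateVerify" in msgs[msgs.index("CertificateRequest"):]:
        return "client_cert_sent"
    return "no_client_cert"

# Constructed sample: the server asks, the client has nothing suitable to offer.
SAMPLE_NO_CERT = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
*** CertificateRequest
Cert Authorities:
<CN=Customer Root CA, O=Customer>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** Finished
"""
```

If the result is `not_requested`, the 403 is an application-level decision on the server and no client keystore change will alter the handshake; if it is `no_client_cert`, check that the keystore entry holds a private key and chains to one of the authorities returned by `requested_authorities`.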