I'm not really sure what's happening. Can you check the Client Hello token
sent and make sure the cipher suites that are being sent to the server are OK?
Your cipherSuitesFilter thing looks a bit strange, but it just may be the mail
client doing something. Normally, they would look like:
<sec:include>.*_EXPORT_.*</sec:include>
without all the { and } thing in there. That said, I would have still
expected a key to be sent of some sort so I'm not sure if the keyManager
thing is working correctly. Could you try various things like putting
the p12 into the "current" directory and just setting the file attribute to
"test.eyeappts.com.p12". Maybe the \ things are confusing it. Not sure
what else to suggest at this point.
Dan
On Thu February 11 2010 12:25:05 pm Jim Schneider wrote:
> CXF 2.2.4 client trying to access an Axis2 soap web service over SSL
>
> I can't get my CXF client to get past the SSL handshake, but the sample
> Axis2 client from the web service developer works fine. Here's my config:
>
> <http:conduit name="*.http-conduit">
>
> <http:tlsClientParameters secureSocketProtocol="SSL"
> disableCNCheck="true">
> <sec:keyManagers >
> <sec:keyStore type="PKCS12" password="testing"
> file="C:\projects\hit-ws\Epp\test.eyeappts.com.p12"
> />
> </sec:keyManagers>
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="trustword"
> file="C:\projects\hit-ws\Epp\truststore"
> />
> </sec:trustManagers>
> <sec:cipherSuitesFilter>
> <sec:include>.*{_}WITH_3DES{_}{*}*.*</sec:include>
> <sec:include>.*{_}EXPORT{_}{*}*.*</sec:include>
> <sec:include>.*{_}EXPORT1024{_}{*}*.*</sec:include>
> <sec:include>.*{_}WITH_DES{_}{*}*.*</sec:include>
> <sec:include>SSL_RSA_WITH_RC4_128_MD5</sec:include>
> <sec:include>SSL_RSA_WITH_RC4_128_SHA</sec:include>
> <sec:exclude>.*{_}WITH_NULL{_}{*}*.*</sec:exclude>
> <sec:exclude>.*{_}DH_anon{_}{*}*.*</sec:exclude>
> </sec:cipherSuitesFilter>
> </http:tlsClientParameters>
> </http:conduit>
>
> I'm logging/tracing the SSL for both the successful Axis2 client and
> unsuccessful CXF client and I see the ServerHelloDone message on both.
> Then, on the Axis2 client, I see a "Certificate chain" message with a
> single entry right before the ClientKeyExchange. On the CXF client, I see
> the "Certificate chain" header, but no entry.
>
> Then, for the ClientKeyExchange, the Axis2 client sends 2 - 926 byte
> messages, whereas the CXF client sends 2 - 141 byte messages. The Axis2
> client finishes the SSL handshake successfully and moves on to the
> application data. The CXF client has a failed handshake and then restarts
> the ClientHello phase again.
>
> I'm stuck. Any help is appreciated. I can send complete SSL outputs for
> both if that would help.
--
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
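Dan's two suggestions above (confirm that the key manager actually yields a client certificate, and confirm what the cipher-suite filter leaves behind) can be checked outside CXF with plain JSSE. The following is an added example, not code from this thread or from CXF; it assumes the p12 has been copied into the working directory as Dan suggests, reuses the password from Jim's config, and applies include/exclude semantics as I understand them (a suite must match an include and no exclude), which is an assumption about CXF's filter rather than a call into it.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

public class TlsClientCheck {
    // Alias the key manager would present as the client certificate, or null if it has none
    static String clientAlias(String p12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // null means no usable key entry: the client's Certificate message would go out empty
        return ((X509KeyManager) kmf.getKeyManagers()[0]).chooseClientAlias(new String[] {"RSA"}, null, null);
    }
    // Compiles filter regexes, reporting any that Java rejects (e.g. stray { } from a mail client)
    static List<Pattern> compileAll(List<String> regexes) {
        List<Pattern> out = new ArrayList<>();
        for (String r : regexes) {
            try { out.add(Pattern.compile(r)); }
            catch (PatternSyntaxException e) { System.err.println("bad filter pattern: " + r + " -> " + e.getDescription()); }
        }
        return out;
    }
    // Keeps a suite that matches at least one include and no exclude (assumed filter semantics)
    static List<String> filterSuites(String[] supported, List<String> includes, List<String> excludes) {
        List<Pattern> inc = compileAll(includes), exc = compileAll(excludes);
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            if (inc.stream().anyMatch(p -> p.matcher(suite).matches())
                    && exc.stream().noneMatch(p -> p.matcher(suite).matches())) kept.add(suite);
        }
        return kept;
    }
    public static void main(String[] args) throws Exception {
        // Assumed: p12 copied into the working directory, password "testing" as in the thread's config
        System.out.println("client alias: " + clientAlias("test.eyeappts.com.p12", "testing".toCharArray()));
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        List<String> kept = filterSuites(supported, List.of(".*_WITH_3DES_.*", "SSL_RSA_WITH_RC4_128_SHA"),
                List.of(".*_WITH_NULL_.*", ".*_DH_anon_.*"));
        System.out.println("suites surviving the filter: " + kept);
    }
}
```

A null alias reproduces the empty "Certificate chain" Jim sees, and an empty surviving-suite list (or a "bad filter pattern" line) means the filter, not the key store, is what the server is rejecting.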