Can you try the client with a more recent version of CXF? We added better support for using the default SSL things relatively recently and thus it may already be fixed in a newer version of CXF. With 2.2.x, you'll likely need to use the APIs you found.

Dan

On Tuesday, February 21, 2012 1:52:57 PM Thomas Gueze wrote:
> Hi,
>
> I'm currently working on a web service with two-way SSL authentication.
> I managed to make it work with CXF code but I ran into an issue that I
> couldn't figure out.
> I have generated the keystores and truststores for both the client and server
> (I'm in control of both the client and the web service).
>
> I made a client web service call using Java code like described here:
> https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-HowtoconfiguretheHTTPConduitfortheSOAPClient%3F
> And I also include the setup of TLSClientParameters using the default SSLContext:
>
> HTTPConduit http = (HTTPConduit) client.getConduit();
> TLSClientParameters params = new TLSClientParameters();
> params.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
> http.setTlsClientParameters(params);
>
> The client keystore and truststore are passed using the -Djavax.net.ssl.
> properties and it works.
>
> However, when I remove this piece of code or when I write a standard JAX-WS
> client (even with setting up:
> HttpsURLConnection.setDefaultSSLSocketFactory(SSLContext.getDefault().getSocketFactory());)
> it doesn't work.
>
> Debugging the SSL handshake, I spotted the difference when the client receives
> the CertificateRequest for its certificate.
> In the case where it works, the SSL layer finds an alias with a matching
> certificate and sends it to the server (client side log):
>
> *** CertificateRequest
> Cert Types: RSA, DSS
> Cert Authorities:
> <My DN>
> *** ServerHelloDone
> matching alias: myAlias
> *** Certificate chain
> chain [0] = [
> ...
>
> In the other case, the SSL layer seems to find nothing and doesn't send
> the certificate, and the server returns an error (server side log):
>
> [INFO] [talledLocalContainer] *** Certificate chain
> [INFO] [talledLocalContainer] ***
> [INFO] [talledLocalContainer] http-18043-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
> [INFO] [talledLocalContainer] http-18043-1, WRITE: TLSv1 Alert, length = 2
> [INFO] [talledLocalContainer] http-18043-1, called closeSocket()
> [INFO] [talledLocalContainer] http-18043-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
>
> In both cases, I rely on the default SSLContext setup. I searched through the
> TLS setup code in CXF but I couldn't figure out what could make it work,
> nor why it doesn't work in pure JAX-WS code.
>
> Any idea?
>
> I'm using CXF 2.2.12 and JDK 1.6.0_29 (HotSpot).

-- 
Daniel Kulp
[email protected] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
