Hi,

As a first step, I would recommend activating the -Djavax.net.debug=all JVM 
property; you will get a bit more information about the error.

You can also check whether the server requires client authentication using 
OpenSSL; there are some hints regarding that: 
https://security.stackexchange.com/questions/101511/determine-if-a-server-is-asking-for-a-client-certificate-using-openssl-s-client

Regards,
Andrei.

> -----Original Message-----
> From: Arek R. [mailto:[email protected]]
> Sent: Tuesday, 27 June 2017 10:15
> To: [email protected]
> Subject: Re: 2way ssl
> 
> I had to switch the idea and ssl terminates at jetty server. So I had to
> configure things like keystore etc. At the same time I've set up ssl
> configuration like keystore etc and linked it to the HttpConduit. Also added
> <sec:clientAuthentication required='true' want='true'/>. But I don't
> understand how these 2 configs are working together and I had an impression
> that cxf config is ignored. Don't know how to prove that server requests the
> client certificate.
> 
> 2017-06-23 23:11 GMT+02:00 Christian Schneider <[email protected]>:
> 
> > If your client needs to call the nginx proxy instead of the service
> > then the proxy must provide all the server side ssl setup including
> > the 2 way ssl rules which client certs are allowed to connect.
> >
> > Christian
> >
> > 2017-06-23 15:30 GMT+02:00 Arek R. <[email protected]>:
> >
> > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test
> > > via https. 1 way ssl is working.
> > > Now want to add a client certificate cause there's an error in the
> > > server log like 'client sent no required SSL certificate while
> > > reading client request headers' but cannot find any good example how
> > > to do it. Any hint?
> > >
> > > 2. If ssl terminates at nginx server am I able to recognize the
> > > client on the web server ?
> > > I guess no and in such case I should handle ssl at jetty/cxf level.
> > > Please confirm.
> > > Or the only way is to sign the messages and then it doesn't matter
> > > where ssl is handled.
> > >
> >
> > --
> > Christian Schneider
> > http://www.liquid-reality.de
> >
> > Open Source Architect
> > http://www.talend.com
> >
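An added example, not part of the original thread and not CXF or Jetty code: one way to answer "does the server request a client certificate" from the -Djavax.net.debug output suggested above. It assumes the Java 8 JSSE debug layout, where each handshake message starts with `*** <Name>`; the log text and the function name `analyse_handshake` are constructed for illustration.

```python
import re

# Constructed sample in the Java 8 JSSE debug layout (assumption), not
# captured from the servers discussed in this thread.
SAMPLE_DEBUG_LOG = """\
*** ServerHello, TLSv1.2
*** Certificate chain
chain [0] = [
  Subject: CN=server.example.test
]
***
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=Example Test CA>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
"""

MSG = re.compile(r"^\*\*\* (\w+)")  # start of a handshake message


def analyse_handshake(log_text):
    """Report whether the server asked for a client cert and what the client sent."""
    result = {"server_requested_cert": False, "accepted_cas": [],
              "client_sent_cert": None}  # None: client sent no Certificate message
    current, after_hello_done, in_cas = None, False, False
    for line in log_text.splitlines():
        line = line.strip()
        m = MSG.match(line)
        if m:
            current, in_cas = m.group(1), False
            if current == "CertificateRequest":
                result["server_requested_cert"] = True
            elif current == "ServerHelloDone":
                after_hello_done = True
            elif current == "Certificate" and after_hello_done:
                # A chain after ServerHelloDone is the client's reply.
                result["client_sent_cert"] = True
        elif current == "CertificateRequest" and line == "Cert Authorities:":
            in_cas = True
        elif in_cas and line.startswith("<") and line != "<Empty>":
            result["accepted_cas"].append(line.strip("<>"))
        elif current == "Certificate" and after_hello_done and line == "<Empty>":
            result["client_sent_cert"] = False  # empty chain: no usable key found
    return result
```

A result with `server_requested_cert` true and `client_sent_cert` false means the server side is enforcing 2-way SSL and the problem is on the client: its keystore holds no certificate issued by one of the listed authorities.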
