I cannot get it working. The server says that client doesn't send the
certificate.
My client keystore contains only the client key/cert pair and this is
working in SoapUi project but not in pure java
Here is the log
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 830289587105151256207749267013
20321981505124484199856534866410300374616735045
public y coord: 332067304039254916257006573681
82738242939062461168510217069674332072760548082
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48,
83, 140, 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49,
13, 143, 160, 102, 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190,
73, 37, 118, 127, 252, 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97,
230, 175, 12, 103, 4, 8 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: C2 9D 01 D3 06 E1 C3 C4 E5 C0 68 95 D1 1E A3 1C ..........h.....
0010: 09 7F C1 0F C5 B8 92 A5 6D A2 AA 46 B8 C6 03 DA ........m..F....
CONNECTION KEYGEN:
Client Nonce:
0000: 59 55 FF E2 DD 56 BB 05 D3 4E 0D 72 98 86 F6 02 YU...V...N.r....
0010: 71 76 CF EC C7 5F CC 4B 6C CE EE 53 DF AE E6 10 qv..._.Kl..S....
Server Nonce:
0000: DA E6 A8 95 F7 E3 89 4F 19 1A AB B5 23 F1 3A B4 .......O....#.:.
0010: 58 76 21 FC 95 0A 8D FE 3F FD 4B 1E D3 CC D5 F3 Xv!.....?.K.....
Master Secret:
0000: DE 99 96 B0 F8 B8 4D C0 8D 9D D0 4E D1 7A F1 6E ......M....N.z.n
0010: A4 4A 68 7A CB E6 1F 51 68 C8 1D ED F9 76 40 CE .Jhz...Qh....v@.
0020: FB 4C 1B D3 FF 1B ED 27 0C 2C 3F 1C 89 D8 5F CD .L.....'.,?..._.
... no MAC keys used for this cipher
Client write key:
0000: 4E 9D 81 E6 5F 84 FD 57 C0 36 A0 9B 62 C3 42 C3 N..._..W.6..b.B.
Server write key:
0000: 45 E7 4B 02 85 0A D3 05 D8 5F 25 7D EE 0D E9 9E E.K......_%.....
Client write IV:
0000: 81 92 DF AE ....
Server write IV:
0000: AB 27 F3 37 .'.7
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 289
main, WRITE: TLSv1.2 Application Data, length = 200
There's no CertificateVerify message
Java code is quite typical
factory = new JaxWsProxyFactoryBean();
factory.setAddress("https://xxx";);
factory.setServiceClass(XXX.class);
XXX xxx = (XXX) factory.create();
Client client = ClientProxy.getClient(xxx);
HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
httpConduit.setTlsClientParameters(Utils.getTlsParams());
and tls params I set only the keystore. I learnt the server cert is
registered in Comodo
tlsParams.setDisableCNCheck(true);
tlsParams.setSecureSocketProtocol("TLS");
KeyManagerFactory keyFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore, trustpass.toCharArray());
KeyManager[] km = keyFactory.getKeyManagers();
tlsParams.setKeyManagers(km);
Not sure it's about the cert - but soapui is working or it's about the java
code
cxf 3.0.12 and cannot be upgraded
2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[email protected]>:
> Hi,
>
> As the first step, I would recommend to activate -Djavax.net.debug=all JVM
> property, you will get a bit more information about error.
>
> You can also check if server requires client authentication using OpenSSL,
> there are some hints regarding that: https://security.
> stackexchange.com/questions/101511/determine-if-a-server-
> is-asking-for-a-client-certificate-using-openssl-s-client.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Arek R. [mailto:[email protected]]
> > Sent: Dienstag, 27. Juni 2017 10:15
> > To: [email protected]
> > Subject: Re: 2way ssl
> >
> > I had to switch the idea and ssl terminates at jetty server. So I had to
> configure
> > things like keystore etc. At the same time I've setup ssl configuration
> like
> > keystore etc and link to the HttpConduit. Also added
> <sec:clientAuthenticayion
> > required='true' want='true'/> But don't understand how these 2 configs
> are
> > working together and I had an impression that cxf config is ignored
> Don't know
> > how to proof that server requests for the client certificate
> >
> > 2017-06-23 23:11 GMT+02:00 Christian Schneider <[email protected]
> >:
> >
> > > If your client needs to call the nginx proxy instead of the service
> > > then the proxy must provide all the server side ssl setup including
> > > the 2 way ssl rules which client certs are allowed to connect.
> > >
> > > Christian
> > >
> > > 2017-06-23 15:30 GMT+02:00 Arek R. <[email protected]>:
> > >
> > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test
> > > > via https. 1 way ssl is working.
> > > > Now want to add a client certificate cause there's an error in the
> > > > server log like 'client sent no required SSL certificate while
> > > > reading client request headers' but cannot find any good example how
> > > > to do it. Any hint
> > > ?
> > > >
> > > > 2. If ssl terminates at nginx server am I able to recognize the
> > > > client on the web server ?
> > > > I guess no and in such case I should handle ssl at jetty/cxf level.
> > > Please
> > > > confirm.
> > > > Or the only way is to sign the messages and then it doesn't matter
> > > > where ssl is handled.
> > > >
> > >
> > >
> > >
> > > --
> > > --
> > > Christian Schneider
> > > http://www.liquid-reality.de
> > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > >
> > > Open Source Architect
> > > http://www.talend.com
> > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > > e
> > > 46&URL=http%3a%2f%2fwww.talend.com>
> > >
>
