Hi,

You need to configure keyManager and trustManager on the client side. The keystore has to contain the server certificate for the trustManager and the public/private key pair for the keyManager.

Take a look at this integration test: https://github.com/apache/cxf/blob/master/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java, method prepareTLSParams().

Regards,
Andrei.

> -----Original Message-----
> From: Arek R. [mailto:[email protected]]
> Sent: Friday, 30 June 2017 09:54
> To: [email protected]
> Subject: Re: 2way ssl
>
> I cannot get it working. The server says that the client doesn't send the
> certificate.
> My client keystore contains only the client key/cert pair and this is working
> in a SoapUI project but not in pure Java.
>
> Here is the log
>
> main, READ: TLSv1.2 Handshake, length = 333
> *** ECDH ServerKeyExchange
> Signature Algorithm SHA512withRSA
> Server key: Sun EC public key, 256 bits
>   public x coord: 83028958710515125620774926701320321981505124484199856534866410300374616735045
>   public y coord: 33206730403925491625700657368182738242939062461168510217069674332072760548082
>   parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
> main, READ: TLSv1.2 Handshake, length = 4
> *** ServerHelloDone
> *** ECDHClientKeyExchange
> ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48, 83, 140, 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13, 143, 160, 102, 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118, 127, 252, 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103, 4, 8 }
> main, WRITE: TLSv1.2 Handshake, length = 70
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> *** Finished
> verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 }
> ***
> main, WRITE: TLSv1.2 Handshake, length = 40
> main, READ: TLSv1.2 Change Cipher Spec, length = 1
> main, READ: TLSv1.2 Handshake, length = 40
> *** Finished
> verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> ***
> %% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> main, WRITE: TLSv1.2 Application Data, length = 289
> main, WRITE: TLSv1.2 Application Data, length = 200
>
> There's no CertificateVerify message.
>
> The Java code is quite typical:
>
>     factory = new JaxWsProxyFactoryBean();
>     factory.setAddress("https://xxx");
>     factory.setServiceClass(XXX.class);
>     XXX xxx = (XXX) factory.create();
>
>     Client client = ClientProxy.getClient(xxx);
>     HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
>     httpConduit.setTlsClientParameters(Utils.getTlsParams());
>
> and in the tls params I set only the keystore. I learnt the server cert is
> registered in Comodo.
>
>     tlsParams.setDisableCNCheck(true);
>     tlsParams.setSecureSocketProtocol("TLS");
>     KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
>     keyFactory.init(keyStore, trustpass.toCharArray());
>     KeyManager[] km = keyFactory.getKeyManagers();
>     tlsParams.setKeyManagers(km);
>
> Not sure if it's about the cert (but SoapUI is working) or about the Java
> code. CXF is 3.0.12 and cannot be upgraded.
>
> 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[email protected]>:
>
> > Hi,
> >
> > As a first step, I would recommend activating the -Djavax.net.debug=all
> > JVM property; you will get a bit more information about the error.
> >
> > You can also check if the server requires client authentication using
> > OpenSSL; there are some hints regarding that:
> > https://security.stackexchange.com/questions/101511/determine-if-a-server-is-asking-for-a-client-certificate-using-openssl-s-client
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Arek R. [mailto:[email protected]]
> > > Sent: Tuesday, 27 June 2017 10:15
> > > To: [email protected]
> > > Subject: Re: 2way ssl
> > >
> > > I had to switch the idea, and ssl now terminates at the jetty server. So I
> > > had to configure things like keystore etc. At the same time I've set up
> > > ssl configuration like keystore etc. and linked it to the HttpConduit.
> > > Also added
> > >
> > >     <sec:clientAuthentication required='true' want='true'/>
> > >
> > > But I don't understand how these 2 configs are working together, and I had
> > > an impression that the cxf config is ignored. I don't know how to prove
> > > that the server requests the client certificate.
> > >
> > > 2017-06-23 23:11 GMT+02:00 Christian Schneider <[email protected]>:
> > >
> > > > If your client needs to call the nginx proxy instead of the
> > > > service then the proxy must provide all the server side ssl setup,
> > > > including the 2 way ssl rules about which client certs are allowed to
> > > > connect.
> > > >
> > > > Christian
> > > >
> > > > 2017-06-23 15:30 GMT+02:00 Arek R. <[email protected]>:
> > > >
> > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > JaxWsProxyFactoryBean, set TlsClientParams and managed to run a
> > > > > test via https. 1 way ssl is working.
> > > > > Now I want to add a client certificate because there's an error in
> > > > > the server log like 'client sent no required SSL certificate
> > > > > while reading client request headers', but I cannot find any good
> > > > > example of how to do it. Any hint?
> > > > >
> > > > > 2. If ssl terminates at the nginx server, am I able to recognize the
> > > > > client on the web server?
> > > > > I guess not, and in such a case I should handle ssl at the jetty/cxf
> > > > > level. Please confirm.
> > > > > Or is the only way to sign the messages, so that it doesn't
> > > > > matter where ssl is handled?
> > > >
> > > > --
> > > > --
> > > > Christian Schneider
> > > > http://www.liquid-reality.de
> > > >
> > > > Open Source Architect
> > > > http://www.talend.com
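Putting the reply at the top of this thread into code, here is an added example (not code from the thread or from the CXF test it links to) of a TLSClientParameters that carries both a KeyManager for the client identity and a TrustManager for the server, which is what a two-way TLS client needs; the store paths, passwords and the `MutualTlsClientConfig` class name are hypothetical and supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class MutualTlsClientConfig {

    // Added example (not thread or CXF code); paths, passwords and store type are placeholders.
    public static TLSClientParameters prepareTlsParams(String keyStorePath, char[] keyStorePass,
            char[] keyPass, String trustStorePath, char[] trustStorePass) throws Exception {
        // Client identity: private key plus certificate chain, presented on CertificateRequest.
        KeyStore clientKs = loadStore(keyStorePath, keyStorePass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyPass);
        KeyManager[] keyManagers = kmf.getKeyManagers();

        // Server trust: the server certificate or its issuing CA, kept in its own store.
        KeyStore trustKs = loadStore(trustStorePath, trustStorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);
        TrustManager[] trustManagers = tmf.getTrustManagers();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setSecureSocketProtocol("TLS");
        tls.setKeyManagers(keyManagers);     // who the client is
        tls.setTrustManagers(trustManagers); // which servers the client accepts
        tls.setDisableCNCheck(false);        // keep hostname verification on
        return tls;
    }

    private static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Attach the parameters to a proxy created with JaxWsProxyFactoryBean, as in the thread.
    public static void applyTo(Object proxy, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(proxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }
}
```

With -Djavax.net.debug=all enabled, a handshake built this way should show a CertificateRequest from the server followed by the client's Certificate and CertificateVerify messages; if CertificateRequest is absent, the server side is not asking for a client certificate at all.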
