Hi Michel, thank you for this information! It strengthens my view that this behaviour has something to do with Webtest or an underlying library, and not with our setup. I know that R1812 uses version 4 of Commons HttpClient, which has been completely reworked compared to version 3. Maybe this is the cause of the failure, but I have yet to find a way to debug this deep into Webtest.
Best regards,
Stefan

-----Original Message-----
From: Racic Michel (KSPF 821) [mailto:[email protected]]
Sent: Monday, 12 December 2011 17:56
To: [email protected]; Bueche, Stefan
Subject: RE: [Webtest] Client Authentication in R_1812

Hi Stefan

I have the same issues with R1812 but didn't have enough time to really investigate it. R1811 works fine with it but HTMLUnit was upgraded in R1812... Something introduced in R1812 must be the cause of it. For my test of this I run the same test cases but using different WebTest base versions to exclude server-related issues. Will post an update if I find more information.

Best regards
Michel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Bueche, Stefan
Sent: Monday, December 12, 2011 12:15 PM
To: '[email protected]'
Subject: [Webtest] Client Authentication in R_1812

Hello everybody,

we use Webtest for a Java application requiring client authentication with a client certificate. The whole process is set up correctly, at least from my limited understanding of the issue, and it is running with R_1804. Now we want to upgrade to R_1812, because we have some issues with JavaScript and would like to see if the new release can handle them. Unfortunately, R_1812 doesn't seem to send the client certificate to the server.

Configuration:
- keystore-client.jks containing the client's key
- truststore-client.jks containing the server's certificate and the chain to the root CA
- keystore-server.jks containing the server's key
- truststore-server.jks containing the client's certificate and the chain to the root CA

Run with R_1804: Basically runs, but with lots of JavaScript errors.

Run with R_1812:
DEBUG [wire] << "HTTP/1.1 403 A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).

I don't think the problem lies on the server side, as the tests run in principle with R_1804 and the application can be accessed if I point my browser to it and show the certificate we use for our web tests.

Do you have any hints about how Webtest needs to be configured in order to get Client Authentication running with R_1812? Your help is very much appreciated.

Best regards,
Stefan

And, at last, the trace, truncated for readability:

[...]
trigger seeding of SecureRandom
done seeding SecureRandom
[INFO] Started Jetty Server
matching alias: localhost
[...]
11:37:43,914 DEBUG [DefaultClientConnectionOperator] Connecting to localhost:9443
15582013@qtp-33156000-0 - Acceptor0 [email protected]:9443, setSoTimeout(60000) called
11137488@qtp-33156000-2, READ: SSL v2, contentType = Handshake, translated length = 73
*** ClientHello, TLSv1
RandomCookie: GMT: 1306843511 bytes = { 56, 196, 206, 0, 111, 73, 134, 118, 8, 160, 247, 69, 106, 117, 103, 76, 5, 14, 88, 150, 126, 24, 1, 127, 89, 72, 180, 1 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie: GMT: 1306843511 bytes = { 52, 169, 220, 150, 8, 25, 141, 5, 48, 35, 251, 38, 154, 99, 195, 154, 146, 158, 201, 202, 0, 49, 137, 26, 82, 193, 244, 169 }
Session ID: {78, 229, 217, 119, 73, 113, 217, 152, 22, 39, 138, 111, 136, 138, 75, 153, 88, 82, 203, 175, 246, 208, 222, 229, 202, 78, 162, 83, 64, 103, 18, 203}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
Cipher suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=xyz.com, O=Servers, L=London, ST=London, C=GB
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 1024 bits
  modulus: [...]
  public exponent: 65537
  Validity: [From: Wed Jan 19 13:32:08 CET 2011, To: Fri Jan 18 13:32:08 CET 2013]
  Issuer: OU=xyz SubCA6, O=xyz.com
  SerialNumber: [ 0173a1]
]
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
chain [1] = [
[
  Version: V3
  Subject: OU=xyz SubCA6, O=xyz.com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 2048 bits
  modulus: [...]
  public exponent: 65537
  Validity: [From: Mon Oct 27 17:31:04 CET 2008, To: Sun Oct 27 17:31:04 CET 2013]
  Issuer: OU=xyz.com Root CA, O=xyz.com
  SerialNumber: [ 0b]
]
Finalizer, WRITE: TLSv1 Alert, length = 2
chain [2] = [
[
  Version: V3
  Subject: OU=xyz.com Root CA, O=xyz.com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 2048 bits
  modulus: [...]
  public exponent: 65537
  Validity: [From: Thu Feb 01 12:28:27 CET 2001, To: Tue Feb 02 12:28:27 CET 2016]
  Issuer: OU=xyz.com Root CA, O=xyz.com
  SerialNumber: [ 00]
]
***
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<OU=xyz SubCA6, O=xyz.com>
<CN=g-hm-testuser-dev, OU=people, O=xyz.com>
<OU=xyz.com Root CA, O=xyz.com>
*** ServerHelloDone
11137488@qtp-33156000-2, WRITE: TLSv1 Handshake, length = 3153
11137488@qtp-33156000-2, READ: TLSv1 Handshake, length = 141
*** Certificate chain
***
RSA PreMasterSecret version: TLSv1
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 168, 147, 30, 214, 196, 68, 30, 168, 72, 187, 203, 126, 95, 236, 0, 99, 112, 166, 185, 35, 182, 232, 232, 129, 193, 134, 42, 196, 183, 31, 71, 47, 170, 109, 34, 80, 242, 154, 164, 52, 88, 236, 178, 67, 79, 14 }
SESSION KEYGEN:
[...]
CONNECTION KEYGEN:
[...]
... no IV for cipher
11137488@qtp-33156000-2, READ: TLSv1 Change Cipher Spec, length = 1
11137488@qtp-33156000-2, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data: { 22, 109, 13, 249, 189, 223, 15, 199, 104, 110, 189, 65 }
***
11137488@qtp-33156000-2, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 210, 22, 171, 134, 233, 234, 125, 59, 47, 47, 106, 168 }
***
11137488@qtp-33156000-2, WRITE: TLSv1 Handshake, length = 32
%% Cached server session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
11:37:44,039 DEBUG [RequestAddCookies] CookieSpec selected: mine
11:37:44,039 DEBUG [RequestAuthCache] Auth cache not set in the context
11:37:44,039 DEBUG [DefaultHttpClient] Attempt 1 to execute request
11:37:44,039 DEBUG [DefaultClientConnection] Sending request: GET /index.html HTTP/1.1
11:37:44,039 DEBUG [wire] >> "GET /index.html HTTP/1.1[\r][\n]"
11:37:44,039 DEBUG [wire] >> "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Accept-Language: en-us,en;q=0.5[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Accept: */*[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Host: localhost:9443[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Connection: Keep-Alive[\r][\n]"
11:37:44,039 DEBUG [wire] >> "[\r][\n]"
11:37:44,039 DEBUG [headers] >> GET /index.html HTTP/1.1
11:37:44,039 DEBUG [headers] >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
11:37:44,039 DEBUG [headers] >> Accept-Language: en-us,en;q=0.5
11:37:44,039 DEBUG [headers] >> Accept: */*
11:37:44,039 DEBUG [headers] >> Host: localhost:9443
11:37:44,039 DEBUG [headers] >> Connection: Keep-Alive
11137488@qtp-33156000-2, READ: TLSv1 Application Data, length = 196
11137488@qtp-33156000-2, WRITE: TLSv1 Application Data, length = 357
11137488@qtp-33156000-2, WRITE: TLSv1 Application Data, length = 1741
11:37:44,054 DEBUG [wire] << "HTTP/1.1 403 A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).[\r][\n]"
11:37:44,054 DEBUG [wire] << "Content-Type: text/html; charset=iso-8859-1[\r][\n]"
11:37:44,070 DEBUG [wire] << "Cache-Control: must-revalidate,no-cache,no-store[\r][\n]"
11:37:44,070 DEBUG [wire] << "Content-Length: 1725[\r][\n]"
11:37:44,070 DEBUG [wire] << "Server: Jetty(6.1.24)[\r][\n]"
11:37:44,070 DEBUG [wire] << "[\r][\n]"
11:37:44,070 DEBUG [DefaultClientConnection] Receiving response: HTTP/1.1 403 A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).
11:37:44,070 DEBUG [headers] << HTTP/1.1 403 A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).
[...]

_______________________________________________
WebTest mailing list
[email protected]
http://lists.canoo.com/mailman/listinfo/webtest


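A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it walks a JSSE handshake debug trace of the kind posted above, records the CAs named in the server's CertificateRequest and counts the certificates in the client's reply. The sample trace is a constructed excerpt with placeholder names, and `handshake_messages` and `diagnose` are hypothetical helper names.

```python
import re

SAMPLE_TRACE = """\
*** Certificate chain
chain [0] = [
]
***
*** CertificateRequest
Cert Authorities:
<OU=Example SubCA, O=example.test>
<OU=Example Root CA, O=example.test>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
"""  # constructed excerpt in the posted trace's layout, key material omitted

HEADER = re.compile(r"^\*\*\* (\w+)")            # e.g. "*** CertificateRequest"
CHAIN_ENTRY = re.compile(r"^chain \[\d+\] = \[")  # one per certificate in a chain
AUTHORITY = re.compile(r"<([^<>]+)>")             # accepted issuer DNs

def handshake_messages(trace):
    """Yield (name, body_lines) per '*** Name' block; a bare '***' ends a block."""
    name, body = None, []
    for line in (raw.strip() for raw in trace.splitlines()):
        match = HEADER.match(line)
        if match or line == "***":
            if name:
                yield name, body
            name, body = (match.group(1) if match else None), []
        elif name:
            body.append(line)
    if name:
        yield name, body

def diagnose(trace):
    requested, authorities, client_certs = False, [], None
    for name, body in handshake_messages(trace):
        if name == "CertificateRequest":
            requested, authorities = True, AUTHORITY.findall(" ".join(body))
        elif name == "Certificate" and requested and client_certs is None:
            # The first Certificate message after the request is the client's reply.
            client_certs = sum(1 for line in body if CHAIN_ENTRY.match(line))
    verdict = ("server never asked for a client certificate" if not requested
               else "client answered the request without a certificate" if not client_certs
               else "client sent %d certificate(s)" % client_certs)
    return {"requested": requested, "authorities": authorities,
            "client_certs": client_certs, "verdict": verdict}
```

The two outcomes it separates are the two alternatives named in the 403 status line: a listener that never requested a certificate, and a client that was asked but supplied none. The authority list is the set of issuers the client keystore's certificate chain has to lead to.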