2way ssl

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

2way ssl

Arek R.
1. I've a requirement to implement 2 way ssl. I'm using
JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test via
https. 1 way ssl is working.
Now want to add a client certificate cause there's an error in the server
log like 'client sent no required SSL certificate while reading client
request headers' but cannot find any good example how to do it. Any hint ?

2. If ssl terminates at nginx server am I able to recognize the client on
the web server ?
I guess no and in such case I should handle ssl at jetty/cxf level. Please
confirm.
Or the only way is to sign the messages and then it doesn't matter where
ssl is handled.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: 2way ssl

cschneider
If your client needs to call the nginx proxy instead of the service then
the proxy must provide all the server side ssl setup including the 2 way
ssl rules which client certs are allowed to connect.

Christian

2017-06-23 15:30 GMT+02:00 Arek R. <[hidden email]>:

> 1. I've a requirement to implement 2 way ssl. I'm using
> JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test via
> https. 1 way ssl is working.
> Now want to add a client certificate cause there's an error in the server
> log like 'client sent no required SSL certificate while reading client
> request headers' but cannot find any good example how to do it. Any hint ?
>
> 2. If ssl terminates at nginx server am I able to recognize the client on
> the web server ?
> I guess no and in such case I should handle ssl at jetty/cxf level. Please
> confirm.
> Or the only way is to sign the messages and then it doesn't matter where
> ssl is handled.
>



--
--
Christian Schneider
http://www.liquid-reality.de
<https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7e46&URL=http%3a%2f%2fwww.liquid-reality.de>

Open Source Architect
http://www.talend.com
<https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7e46&URL=http%3a%2f%2fwww.talend.com>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: 2way ssl

Arek R.
I had to switch the idea and ssl terminates at jetty server. So I had to
configure things like keystore etc. At the same time I've setup ssl
configuration like keystore etc and link to the HttpConduit. Also added
<sec:clientAuthenticayion required='true' want='true'/>
But don't understand how these 2 configs are working together and I had an
impression that cxf config is ignored
Don't know how to proof that server requests for the client certificate

2017-06-23 23:11 GMT+02:00 Christian Schneider <[hidden email]>:

> If your client needs to call the nginx proxy instead of the service then
> the proxy must provide all the server side ssl setup including the 2 way
> ssl rules which client certs are allowed to connect.
>
> Christian
>
> 2017-06-23 15:30 GMT+02:00 Arek R. <[hidden email]>:
>
> > 1. I've a requirement to implement 2 way ssl. I'm using
> > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test via
> > https. 1 way ssl is working.
> > Now want to add a client certificate cause there's an error in the server
> > log like 'client sent no required SSL certificate while reading client
> > request headers' but cannot find any good example how to do it. Any hint
> ?
> >
> > 2. If ssl terminates at nginx server am I able to recognize the client on
> > the web server ?
> > I guess no and in such case I should handle ssl at jetty/cxf level.
> Please
> > confirm.
> > Or the only way is to sign the messages and then it doesn't matter where
> > ssl is handled.
> >
>
>
>
> --
> --
> Christian Schneider
> http://www.liquid-reality.de
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7e
> 46&URL=http%3a%2f%2fwww.liquid-reality.de>
>
> Open Source Architect
> http://www.talend.com
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7e
> 46&URL=http%3a%2f%2fwww.talend.com>
>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: 2way ssl

Andrei Shakirin
Hi,

As the first step, I would recommend to activate -Djavax.net.debug=all JVM property, you will get a bit more information about error.

You can also check if server requires client authentication using OpenSSL, there are some hints regarding that: https://security.stackexchange.com/questions/101511/determine-if-a-server-is-asking-for-a-client-certificate-using-openssl-s-client.

Regards,
Andrei.

> -----Original Message-----
> From: Arek R. [mailto:[hidden email]]
> Sent: Dienstag, 27. Juni 2017 10:15
> To: [hidden email]
> Subject: Re: 2way ssl
>
> I had to switch the idea and ssl terminates at jetty server. So I had to configure
> things like keystore etc. At the same time I've setup ssl configuration like
> keystore etc and link to the HttpConduit. Also added <sec:clientAuthenticayion
> required='true' want='true'/> But don't understand how these 2 configs are
> working together and I had an impression that cxf config is ignored Don't know
> how to proof that server requests for the client certificate
>
> 2017-06-23 23:11 GMT+02:00 Christian Schneider <[hidden email]>:
>
> > If your client needs to call the nginx proxy instead of the service
> > then the proxy must provide all the server side ssl setup including
> > the 2 way ssl rules which client certs are allowed to connect.
> >
> > Christian
> >
> > 2017-06-23 15:30 GMT+02:00 Arek R. <[hidden email]>:
> >
> > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test
> > > via https. 1 way ssl is working.
> > > Now want to add a client certificate cause there's an error in the
> > > server log like 'client sent no required SSL certificate while
> > > reading client request headers' but cannot find any good example how
> > > to do it. Any hint
> > ?
> > >
> > > 2. If ssl terminates at nginx server am I able to recognize the
> > > client on the web server ?
> > > I guess no and in such case I should handle ssl at jetty/cxf level.
> > Please
> > > confirm.
> > > Or the only way is to sign the messages and then it doesn't matter
> > > where ssl is handled.
> > >
> >
> >
> >
> > --
> > --
> > Christian Schneider
> > http://www.liquid-reality.de
> >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> >
> > Open Source Architect
> > http://www.talend.com
> >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > e
> > 46&URL=http%3a%2f%2fwww.talend.com>
> >
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: 2way ssl

Arek R.
I cannot get it working. The server says that client doesn't send the
certificate.
My client keystore contains only the client key/cert pair and this is
working in SoapUi project but not in pure java

Here is the log

main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 830289587105151256207749267013
20321981505124484199856534866410300374616735045
  public y coord: 332067304039254916257006573681
82738242939062461168510217069674332072760548082
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48,
83, 140, 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49,
13, 143, 160, 102, 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190,
73, 37, 118, 127, 252, 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97,
230, 175, 12, 103, 4, 8 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: C2 9D 01 D3 06 E1 C3 C4   E5 C0 68 95 D1 1E A3 1C  ..........h.....
0010: 09 7F C1 0F C5 B8 92 A5   6D A2 AA 46 B8 C6 03 DA  ........m..F....
CONNECTION KEYGEN:
Client Nonce:
0000: 59 55 FF E2 DD 56 BB 05   D3 4E 0D 72 98 86 F6 02  YU...V...N.r....
0010: 71 76 CF EC C7 5F CC 4B   6C CE EE 53 DF AE E6 10  qv..._.Kl..S....
Server Nonce:
0000: DA E6 A8 95 F7 E3 89 4F   19 1A AB B5 23 F1 3A B4  .......O....#.:.
0010: 58 76 21 FC 95 0A 8D FE   3F FD 4B 1E D3 CC D5 F3  Xv!.....?.K.....
Master Secret:
0000: DE 99 96 B0 F8 B8 4D C0   8D 9D D0 4E D1 7A F1 6E  ......M....N.z.n
0010: A4 4A 68 7A CB E6 1F 51   68 C8 1D ED F9 76 40 CE  .Jhz...Qh....v@.
0020: FB 4C 1B D3 FF 1B ED 27   0C 2C 3F 1C 89 D8 5F CD  .L.....'.,?..._.
... no MAC keys used for this cipher
Client write key:
0000: 4E 9D 81 E6 5F 84 FD 57   C0 36 A0 9B 62 C3 42 C3  N..._..W.6..b.B.
Server write key:
0000: 45 E7 4B 02 85 0A D3 05   D8 5F 25 7D EE 0D E9 9E  E.K......_%.....
Client write IV:
0000: 81 92 DF AE                                        ....
Server write IV:
0000: AB 27 F3 37                                        .'.7
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data:  { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 289
main, WRITE: TLSv1.2 Application Data, length = 200

There's no CertificateVerify message

Java code is quite typical

factory = new JaxWsProxyFactoryBean();
factory.setAddress("https://xxx");

factory.setServiceClass(XXX.class);
XXX xxx = (XXX) factory.create();

Client client = ClientProxy.getClient(xxx);
HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
httpConduit.setTlsClientParameters(Utils.getTlsParams());

and tls params I set only the keystore. I learnt the server cert is
registered in Comodo

tlsParams.setDisableCNCheck(true);
tlsParams.setSecureSocketProtocol("TLS");
KeyManagerFactory keyFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore, trustpass.toCharArray());
KeyManager[] km = keyFactory.getKeyManagers();
tlsParams.setKeyManagers(km);

Not sure it's about the cert - but soapui is working or it's about the java
code
cxf 3.0.12 and cannot be upgraded

2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[hidden email]>:

> Hi,
>
> As the first step, I would recommend to activate -Djavax.net.debug=all JVM
> property, you will get a bit more information about error.
>
> You can also check if server requires client authentication using OpenSSL,
> there are some hints regarding that: https://security.
> stackexchange.com/questions/101511/determine-if-a-server-
> is-asking-for-a-client-certificate-using-openssl-s-client.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Arek R. [mailto:[hidden email]]
> > Sent: Dienstag, 27. Juni 2017 10:15
> > To: [hidden email]
> > Subject: Re: 2way ssl
> >
> > I had to switch the idea and ssl terminates at jetty server. So I had to
> configure
> > things like keystore etc. At the same time I've setup ssl configuration
> like
> > keystore etc and link to the HttpConduit. Also added
> <sec:clientAuthenticayion
> > required='true' want='true'/> But don't understand how these 2 configs
> are
> > working together and I had an impression that cxf config is ignored
> Don't know
> > how to proof that server requests for the client certificate
> >
> > 2017-06-23 23:11 GMT+02:00 Christian Schneider <[hidden email]
> >:
> >
> > > If your client needs to call the nginx proxy instead of the service
> > > then the proxy must provide all the server side ssl setup including
> > > the 2 way ssl rules which client certs are allowed to connect.
> > >
> > > Christian
> > >
> > > 2017-06-23 15:30 GMT+02:00 Arek R. <[hidden email]>:
> > >
> > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test
> > > > via https. 1 way ssl is working.
> > > > Now want to add a client certificate cause there's an error in the
> > > > server log like 'client sent no required SSL certificate while
> > > > reading client request headers' but cannot find any good example how
> > > > to do it. Any hint
> > > ?
> > > >
> > > > 2. If ssl terminates at nginx server am I able to recognize the
> > > > client on the web server ?
> > > > I guess no and in such case I should handle ssl at jetty/cxf level.
> > > Please
> > > > confirm.
> > > > Or the only way is to sign the messages and then it doesn't matter
> > > > where ssl is handled.
> > > >
> > >
> > >
> > >
> > > --
> > > --
> > > Christian Schneider
> > > http://www.liquid-reality.de
> > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > >
> > > Open Source Architect
> > > http://www.talend.com
> > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > > e
> > > 46&URL=http%3a%2f%2fwww.talend.com>
> > >
>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: 2way ssl

Andrei Shakirin
Hi,

You need to configure keyManager and trustManager on client side.
The keystore have to contain server certificate for trustManager and public/private key pair for the keyManager.

Take a look this integration test: https://github.com/apache/cxf/blob/master/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
Method prepareTLSParams().

Regards,
Andrei.

> -----Original Message-----
> From: Arek R. [mailto:[hidden email]]
> Sent: Freitag, 30. Juni 2017 09:54
> To: [hidden email]
> Subject: Re: 2way ssl
>
> I cannot get it working. The server says that client doesn't send the certificate.
> My client keystore contains only the client key/cert pair and this is working in
> SoapUi project but not in pure java
>
> Here is the log
>
> main, READ: TLSv1.2 Handshake, length = 333
> *** ECDH ServerKeyExchange
> Signature Algorithm SHA512withRSA
> Server key: Sun EC public key, 256 bits
>   public x coord: 830289587105151256207749267013
> 20321981505124484199856534866410300374616735045
>   public y coord: 332067304039254916257006573681
> 82738242939062461168510217069674332072760548082
>   parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
> main, READ: TLSv1.2 Handshake, length = 4
> *** ServerHelloDone
> *** ECDHClientKeyExchange
> ECDH Public value:  { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48, 83, 140,
> 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13, 143, 160, 102,
> 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118, 127, 252,
> 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103, 4, 8 } main,
> WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN:
> PreMaster Secret:
> 0000: C2 9D 01 D3 06 E1 C3 C4   E5 C0 68 95 D1 1E A3 1C  ..........h.....
> 0010: 09 7F C1 0F C5 B8 92 A5   6D A2 AA 46 B8 C6 03 DA  ........m..F....
> CONNECTION KEYGEN:
> Client Nonce:
> 0000: 59 55 FF E2 DD 56 BB 05   D3 4E 0D 72 98 86 F6 02  YU...V...N.r....
> 0010: 71 76 CF EC C7 5F CC 4B   6C CE EE 53 DF AE E6 10  qv..._.Kl..S....
> Server Nonce:
> 0000: DA E6 A8 95 F7 E3 89 4F   19 1A AB B5 23 F1 3A B4  .......O....#.:.
> 0010: 58 76 21 FC 95 0A 8D FE   3F FD 4B 1E D3 CC D5 F3  Xv!.....?.K.....
> Master Secret:
> 0000: DE 99 96 B0 F8 B8 4D C0   8D 9D D0 4E D1 7A F1 6E  ......M....N.z.n
> 0010: A4 4A 68 7A CB E6 1F 51   68 C8 1D ED F9 76 40 CE  .Jhz...Qh....v@.
> 0020: FB 4C 1B D3 FF 1B ED 27   0C 2C 3F 1C 89 D8 5F CD  .L.....'.,?..._.
> ... no MAC keys used for this cipher
> Client write key:
> 0000: 4E 9D 81 E6 5F 84 FD 57   C0 36 A0 9B 62 C3 42 C3  N..._..W.6..b.B.
> Server write key:
> 0000: 45 E7 4B 02 85 0A D3 05   D8 5F 25 7D EE 0D E9 9E  E.K......_%.....
> Client write IV:
> 0000: 81 92 DF AE                                        ....
> Server write IV:
> 0000: AB 27 F3 37                                        .'.7
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> *** Finished
> verify_data:  { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 }
> ***
> main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2 Change
> Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length = 40
> *** Finished
> verify_data:  { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> ***
> %% Cached client session: [Session-1,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE: TLSv1.2
> Application Data, length = 200
>
> There's no CertificateVerify message
>
> Java code is quite typical
>
> factory = new JaxWsProxyFactoryBean();
> factory.setAddress("https://xxx");
>
> factory.setServiceClass(XXX.class);
> XXX xxx = (XXX) factory.create();
>
> Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit =
> (HTTPConduit) client.getConduit();
> httpConduit.setTlsClientParameters(Utils.getTlsParams());
>
> and tls params I set only the keystore. I learnt the server cert is registered in
> Comodo
>
> tlsParams.setDisableCNCheck(true);
> tlsParams.setSecureSocketProtocol("TLS");
> KeyManagerFactory keyFactory =
> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[] km =
> keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km);
>
> Not sure it's about the cert - but soapui is working or it's about the java code
> cxf 3.0.12 and cannot be upgraded
>
> 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[hidden email]>:
>
> > Hi,
> >
> > As the first step, I would recommend to activate -Djavax.net.debug=all
> > JVM property, you will get a bit more information about error.
> >
> > You can also check if server requires client authentication using
> > OpenSSL, there are some hints regarding that: https://security.
> > stackexchange.com/questions/101511/determine-if-a-server-
> > is-asking-for-a-client-certificate-using-openssl-s-client.
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Arek R. [mailto:[hidden email]]
> > > Sent: Dienstag, 27. Juni 2017 10:15
> > > To: [hidden email]
> > > Subject: Re: 2way ssl
> > >
> > > I had to switch the idea and ssl terminates at jetty server. So I
> > > had to
> > configure
> > > things like keystore etc. At the same time I've setup ssl
> > > configuration
> > like
> > > keystore etc and link to the HttpConduit. Also added
> > <sec:clientAuthenticayion
> > > required='true' want='true'/> But don't understand how these 2
> > > configs
> > are
> > > working together and I had an impression that cxf config is ignored
> > Don't know
> > > how to proof that server requests for the client certificate
> > >
> > > 2017-06-23 23:11 GMT+02:00 Christian Schneider
> > ><[hidden email]
> > >:
> > >
> > > > If your client needs to call the nginx proxy instead of the
> > > > service then the proxy must provide all the server side ssl setup
> > > > including the 2 way ssl rules which client certs are allowed to connect.
> > > >
> > > > Christian
> > > >
> > > > 2017-06-23 15:30 GMT+02:00 Arek R. <[hidden email]>:
> > > >
> > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a
> > > > > test via https. 1 way ssl is working.
> > > > > Now want to add a client certificate cause there's an error in
> > > > > the server log like 'client sent no required SSL certificate
> > > > > while reading client request headers' but cannot find any good
> > > > > example how to do it. Any hint
> > > > ?
> > > > >
> > > > > 2. If ssl terminates at nginx server am I able to recognize the
> > > > > client on the web server ?
> > > > > I guess no and in such case I should handle ssl at jetty/cxf level.
> > > > Please
> > > > > confirm.
> > > > > Or the only way is to sign the messages and then it doesn't
> > > > > matter where ssl is handled.
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > --
> > > > Christian Schneider
> > > > http://www.liquid-reality.de
> > > >
> > >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > a7
> > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > > >
> > > > Open Source Architect
> > > > http://www.talend.com
> > > >
> > >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > a7
> > > > e
> > > > 46&URL=http%3a%2f%2fwww.talend.com>
> > > >
> >
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: 2way ssl

Arek R.
I believe  I did it properly. I've got to the point where it's working if
client is run on java7, but don't work with java8
On server side I can find SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-SHA384
TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384" in the logs. Still don't
know it's sth with the certificate chain, with the cert itself, server
configuration


2017-07-04 18:53 GMT+02:00 Andrei Shakirin <[hidden email]>:

> Hi,
>
> You need to configure keyManager and trustManager on client side.
> The keystore have to contain server certificate for trustManager and
> public/private key pair for the keyManager.
>
> Take a look this integration test: https://github.com/apache/cxf/
> blob/master/services/sts/systests/basic/src/test/java/
> org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
> Method prepareTLSParams().
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Arek R. [mailto:[hidden email]]
> > Sent: Freitag, 30. Juni 2017 09:54
> > To: [hidden email]
> > Subject: Re: 2way ssl
> >
> > I cannot get it working. The server says that client doesn't send the
> certificate.
> > My client keystore contains only the client key/cert pair and this is
> working in
> > SoapUi project but not in pure java
> >
> > Here is the log
> >
> > main, READ: TLSv1.2 Handshake, length = 333
> > *** ECDH ServerKeyExchange
> > Signature Algorithm SHA512withRSA
> > Server key: Sun EC public key, 256 bits
> >   public x coord: 830289587105151256207749267013
> > 20321981505124484199856534866410300374616735045
> >   public y coord: 332067304039254916257006573681
> > 82738242939062461168510217069674332072760548082
> >   parameters: secp256r1 [NIST P-256, X9.62 prime256v1]
> (1.2.840.10045.3.1.7)
> > main, READ: TLSv1.2 Handshake, length = 4
> > *** ServerHelloDone
> > *** ECDHClientKeyExchange
> > ECDH Public value:  { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48,
> 83, 140,
> > 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13, 143,
> 160, 102,
> > 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118,
> 127, 252,
> > 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103, 4,
> 8 } main,
> > WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN:
> > PreMaster Secret:
> > 0000: C2 9D 01 D3 06 E1 C3 C4   E5 C0 68 95 D1 1E A3 1C  ..........h.....
> > 0010: 09 7F C1 0F C5 B8 92 A5   6D A2 AA 46 B8 C6 03 DA  ........m..F....
> > CONNECTION KEYGEN:
> > Client Nonce:
> > 0000: 59 55 FF E2 DD 56 BB 05   D3 4E 0D 72 98 86 F6 02  YU...V...N.r....
> > 0010: 71 76 CF EC C7 5F CC 4B   6C CE EE 53 DF AE E6 10  qv..._.Kl..S....
> > Server Nonce:
> > 0000: DA E6 A8 95 F7 E3 89 4F   19 1A AB B5 23 F1 3A B4  .......O....#.:.
> > 0010: 58 76 21 FC 95 0A 8D FE   3F FD 4B 1E D3 CC D5 F3  Xv!.....?.K.....
> > Master Secret:
> > 0000: DE 99 96 B0 F8 B8 4D C0   8D 9D D0 4E D1 7A F1 6E  ......M....N.z.n
> > 0010: A4 4A 68 7A CB E6 1F 51   68 C8 1D ED F9 76 40 CE  .Jhz...Qh....v@
> .
> > 0020: FB 4C 1B D3 FF 1B ED 27   0C 2C 3F 1C 89 D8 5F CD  .L.....'.,?..._.
> > ... no MAC keys used for this cipher
> > Client write key:
> > 0000: 4E 9D 81 E6 5F 84 FD 57   C0 36 A0 9B 62 C3 42 C3  N..._..W.6..b.B.
> > Server write key:
> > 0000: 45 E7 4B 02 85 0A D3 05   D8 5F 25 7D EE 0D E9 9E  E.K......_%.....
> > Client write IV:
> > 0000: 81 92 DF AE                                        ....
> > Server write IV:
> > 0000: AB 27 F3 37                                        .'.7
> > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> > *** Finished
> > verify_data:  { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 }
> > ***
> > main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2 Change
> > Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length = 40
> > *** Finished
> > verify_data:  { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> > ***
> > %% Cached client session: [Session-1,
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> > main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE: TLSv1.2
> > Application Data, length = 200
> >
> > There's no CertificateVerify message
> >
> > Java code is quite typical
> >
> > factory = new JaxWsProxyFactoryBean();
> > factory.setAddress("https://xxx");
> >
> > factory.setServiceClass(XXX.class);
> > XXX xxx = (XXX) factory.create();
> >
> > Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit =
> > (HTTPConduit) client.getConduit();
> > httpConduit.setTlsClientParameters(Utils.getTlsParams());
> >
> > and tls params I set only the keystore. I learnt the server cert is
> registered in
> > Comodo
> >
> > tlsParams.setDisableCNCheck(true);
> > tlsParams.setSecureSocketProtocol("TLS");
> > KeyManagerFactory keyFactory =
> > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> > keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[] km =
> > keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km);
> >
> > Not sure it's about the cert - but soapui is working or it's about the
> java code
> > cxf 3.0.12 and cannot be upgraded
> >
> > 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[hidden email]>:
> >
> > > Hi,
> > >
> > > As the first step, I would recommend to activate -Djavax.net.debug=all
> > > JVM property, you will get a bit more information about error.
> > >
> > > You can also check if server requires client authentication using
> > > OpenSSL, there are some hints regarding that: https://security.
> > > stackexchange.com/questions/101511/determine-if-a-server-
> > > is-asking-for-a-client-certificate-using-openssl-s-client.
> > >
> > > Regards,
> > > Andrei.
> > >
> > > > -----Original Message-----
> > > > From: Arek R. [mailto:[hidden email]]
> > > > Sent: Dienstag, 27. Juni 2017 10:15
> > > > To: [hidden email]
> > > > Subject: Re: 2way ssl
> > > >
> > > > I had to switch the idea and ssl terminates at jetty server. So I
> > > > had to
> > > configure
> > > > things like keystore etc. At the same time I've setup ssl
> > > > configuration
> > > like
> > > > keystore etc and link to the HttpConduit. Also added
> > > <sec:clientAuthenticayion
> > > > required='true' want='true'/> But don't understand how these 2
> > > > configs
> > > are
> > > > working together and I had an impression that cxf config is ignored
> > > Don't know
> > > > how to proof that server requests for the client certificate
> > > >
> > > > 2017-06-23 23:11 GMT+02:00 Christian Schneider
> > > ><[hidden email]
> > > >:
> > > >
> > > > > If your client needs to call the nginx proxy instead of the
> > > > > service then the proxy must provide all the server side ssl setup
> > > > > including the 2 way ssl rules which client certs are allowed to
> connect.
> > > > >
> > > > > Christian
> > > > >
> > > > > 2017-06-23 15:30 GMT+02:00 Arek R. <[hidden email]>:
> > > > >
> > > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a
> > > > > > test via https. 1 way ssl is working.
> > > > > > Now want to add a client certificate cause there's an error in
> > > > > > the server log like 'client sent no required SSL certificate
> > > > > > while reading client request headers' but cannot find any good
> > > > > > example how to do it. Any hint
> > > > > ?
> > > > > >
> > > > > > 2. If ssl terminates at nginx server am I able to recognize the
> > > > > > client on the web server ?
> > > > > > I guess no and in such case I should handle ssl at jetty/cxf
> level.
> > > > > Please
> > > > > > confirm.
> > > > > > Or the only way is to sign the messages and then it doesn't
> > > > > > matter where ssl is handled.
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > --
> > > > > Christian Schneider
> > > > > http://www.liquid-reality.de
> > > > >
> > > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > a7
> > > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > > > >
> > > > > Open Source Architect
> > > > > http://www.talend.com
> > > > >
> > > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > a7
> > > > > e
> > > > > 46&URL=http%3a%2f%2fwww.talend.com>
> > > > >
> > >
>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: 2way ssl

Andrei Shakirin
Strange.

Could you trace both working client under java 7 and "problem" client under java 8 using -Djavax.net.debug=all and compare these traces?
Perhaps you can see the difference on early stage.

Regards,
Andrei.


> -----Original Message-----
> From: Arek R. [mailto:[hidden email]]
> Sent: Montag, 10. Juli 2017 19:55
> To: [hidden email]
> Subject: Re: 2way ssl
>
> I believe  I did it properly. I've got to the point where it's working if client is run
> on java7, but don't work with java8 On server side I can find SSL: TLSv1.2,
> cipher: "ECDHE-RSA-AES256-SHA384
> TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384" in the logs. Still don't
> know it's sth with the certificate chain, with the cert itself, server configuration
>
>
> 2017-07-04 18:53 GMT+02:00 Andrei Shakirin <[hidden email]>:
>
> > Hi,
> >
> > You need to configure keyManager and trustManager on client side.
> > The keystore have to contain server certificate for trustManager and
> > public/private key pair for the keyManager.
> >
> > Take a look this integration test: https://github.com/apache/cxf/
> > blob/master/services/sts/systests/basic/src/test/java/
> > org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
> > Method prepareTLSParams().
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Arek R. [mailto:[hidden email]]
> > > Sent: Freitag, 30. Juni 2017 09:54
> > > To: [hidden email]
> > > Subject: Re: 2way ssl
> > >
> > > I cannot get it working. The server says that client doesn't send
> > > the
> > certificate.
> > > My client keystore contains only the client key/cert pair and this
> > > is
> > working in
> > > SoapUi project but not in pure java
> > >
> > > Here is the log
> > >
> > > main, READ: TLSv1.2 Handshake, length = 333
> > > *** ECDH ServerKeyExchange
> > > Signature Algorithm SHA512withRSA
> > > Server key: Sun EC public key, 256 bits
> > >   public x coord: 830289587105151256207749267013
> > > 20321981505124484199856534866410300374616735045
> > >   public y coord: 332067304039254916257006573681
> > > 82738242939062461168510217069674332072760548082
> > >   parameters: secp256r1 [NIST P-256, X9.62 prime256v1]
> > (1.2.840.10045.3.1.7)
> > > main, READ: TLSv1.2 Handshake, length = 4
> > > *** ServerHelloDone
> > > *** ECDHClientKeyExchange
> > > ECDH Public value:  { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151,
> > > 48,
> > 83, 140,
> > > 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13,
> > > 143,
> > 160, 102,
> > > 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118,
> > 127, 252,
> > > 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103,
> > > 4,
> > 8 } main,
> > > WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN:
> > > PreMaster Secret:
> > > 0000: C2 9D 01 D3 06 E1 C3 C4   E5 C0 68 95 D1 1E A3 1C  ..........h.....
> > > 0010: 09 7F C1 0F C5 B8 92 A5   6D A2 AA 46 B8 C6 03 DA  ........m..F....
> > > CONNECTION KEYGEN:
> > > Client Nonce:
> > > 0000: 59 55 FF E2 DD 56 BB 05   D3 4E 0D 72 98 86 F6 02  YU...V...N.r....
> > > 0010: 71 76 CF EC C7 5F CC 4B   6C CE EE 53 DF AE E6 10  qv..._.Kl..S....
> > > Server Nonce:
> > > 0000: DA E6 A8 95 F7 E3 89 4F   19 1A AB B5 23 F1 3A B4  .......O....#.:.
> > > 0010: 58 76 21 FC 95 0A 8D FE   3F FD 4B 1E D3 CC D5 F3  Xv!.....?.K.....
> > > Master Secret:
> > > 0000: DE 99 96 B0 F8 B8 4D C0   8D 9D D0 4E D1 7A F1 6E  ......M....N.z.n
> > > 0010: A4 4A 68 7A CB E6 1F 51   68 C8 1D ED F9 76 40 CE  .Jhz...Qh....v@
> > .
> > > 0020: FB 4C 1B D3 FF 1B ED 27   0C 2C 3F 1C 89 D8 5F CD  .L.....'.,?..._.
> > > ... no MAC keys used for this cipher Client write key:
> > > 0000: 4E 9D 81 E6 5F 84 FD 57   C0 36 A0 9B 62 C3 42 C3  N..._..W.6..b.B.
> > > Server write key:
> > > 0000: 45 E7 4B 02 85 0A D3 05   D8 5F 25 7D EE 0D E9 9E  E.K......_%.....
> > > Client write IV:
> > > 0000: 81 92 DF AE                                        ....
> > > Server write IV:
> > > 0000: AB 27 F3 37                                        .'.7
> > > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> > > *** Finished
> > > verify_data:  { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32
> > > }
> > > ***
> > > main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2
> > > Change Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length
> > > = 40
> > > *** Finished
> > > verify_data:  { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> > > ***
> > > %% Cached client session: [Session-1,
> > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> > > main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE:
> > > TLSv1.2 Application Data, length = 200
> > >
> > > There's no CertificateVerify message
> > >
> > > Java code is quite typical
> > >
> > > factory = new JaxWsProxyFactoryBean();
> > > factory.setAddress("https://xxx");
> > >
> > > factory.setServiceClass(XXX.class);
> > > XXX xxx = (XXX) factory.create();
> > >
> > > Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit
> > > =
> > > (HTTPConduit) client.getConduit();
> > > httpConduit.setTlsClientParameters(Utils.getTlsParams());
> > >
> > > and tls params I set only the keystore. I learnt the server cert is
> > registered in
> > > Comodo
> > >
> > > tlsParams.setDisableCNCheck(true);
> > > tlsParams.setSecureSocketProtocol("TLS");
> > > KeyManagerFactory keyFactory =
> > > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm(
> > > )); keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[]
> > > km = keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km);
> > >
> > > Not sure it's about the cert - but soapui is working or it's about
> > > the
> > java code
> > > cxf 3.0.12 and cannot be upgraded
> > >
> > > 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[hidden email]>:
> > >
> > > > Hi,
> > > >
> > > > As the first step, I would recommend to activate
> > > > -Djavax.net.debug=all JVM property, you will get a bit more information
> about error.
> > > >
> > > > You can also check if server requires client authentication using
> > > > OpenSSL, there are some hints regarding that: https://security.
> > > > stackexchange.com/questions/101511/determine-if-a-server-
> > > > is-asking-for-a-client-certificate-using-openssl-s-client.
> > > >
> > > > Regards,
> > > > Andrei.
> > > >
> > > > > -----Original Message-----
> > > > > From: Arek R. [mailto:[hidden email]]
> > > > > Sent: Dienstag, 27. Juni 2017 10:15
> > > > > To: [hidden email]
> > > > > Subject: Re: 2way ssl
> > > > >
> > > > > I had to switch the idea and ssl terminates at jetty server. So
> > > > > I had to
> > > > configure
> > > > > things like keystore etc. At the same time I've setup ssl
> > > > > configuration
> > > > like
> > > > > keystore etc and link to the HttpConduit. Also added
> > > > <sec:clientAuthenticayion
> > > > > required='true' want='true'/> But don't understand how these 2
> > > > > configs
> > > > are
> > > > > working together and I had an impression that cxf config is
> > > > > ignored
> > > > Don't know
> > > > > how to proof that server requests for the client certificate
> > > > >
> > > > > 2017-06-23 23:11 GMT+02:00 Christian Schneider
> > > > ><[hidden email]
> > > > >:
> > > > >
> > > > > > If your client needs to call the nginx proxy instead of the
> > > > > > service then the proxy must provide all the server side ssl
> > > > > > setup including the 2 way ssl rules which client certs are
> > > > > > allowed to
> > connect.
> > > > > >
> > > > > > Christian
> > > > > >
> > > > > > 2017-06-23 15:30 GMT+02:00 Arek R. <[hidden email]>:
> > > > > >
> > > > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run
> > > > > > > a test via https. 1 way ssl is working.
> > > > > > > Now want to add a client certificate cause there's an error
> > > > > > > in the server log like 'client sent no required SSL
> > > > > > > certificate while reading client request headers' but cannot
> > > > > > > find any good example how to do it. Any hint
> > > > > > ?
> > > > > > >
> > > > > > > 2. If ssl terminates at nginx server am I able to recognize
> > > > > > > the client on the web server ?
> > > > > > > I guess no and in such case I should handle ssl at jetty/cxf
> > level.
> > > > > > Please
> > > > > > > confirm.
> > > > > > > Or the only way is to sign the messages and then it doesn't
> > > > > > > matter where ssl is handled.
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > --
> > > > > > Christian Schneider
> > > > > > http://www.liquid-reality.de
> > > > > >
> > > > >
> > >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > > a7
> > > > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > > > > >
> > > > > > Open Source Architect
> > > > > > http://www.talend.com
> > > > > >
> > > > >
> > >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > > a7
> > > > > > e
> > > > > > 46&URL=http%3a%2f%2fwww.talend.com>
> > > > > >
> > > >
> >
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: 2way ssl

Arek R.
I think I found it. There's a bug in java 1.8 that disables SNI and I've
multiple ssl servers on the same ip
And as I know client uses ibm message broker which is running on java 1.6,
probably it won't work

2017-07-12 22:43 GMT+02:00 Andrei Shakirin <[hidden email]>:

> Strange.
>
> Could you trace both working client under java 7 and "problem" client
> under java 8 using -Djavax.net.debug=all and compare these traces?
> Perhaps you can see the difference on early stage.
>
> Regards,
> Andrei.
>
>
> > -----Original Message-----
> > From: Arek R. [mailto:[hidden email]]
> > Sent: Montag, 10. Juli 2017 19:55
> > To: [hidden email]
> > Subject: Re: 2way ssl
> >
> > I believe  I did it properly. I've got to the point where it's working
> if client is run
> > on java7, but don't work with java8 On server side I can find SSL:
> TLSv1.2,
> > cipher: "ECDHE-RSA-AES256-SHA384
> > TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384" in the logs. Still don't
> > know it's sth with the certificate chain, with the cert itself, server
> configuration
> >
> >
> > 2017-07-04 18:53 GMT+02:00 Andrei Shakirin <[hidden email]>:
> >
> > > Hi,
> > >
> > > You need to configure keyManager and trustManager on client side.
> > > The keystore have to contain server certificate for trustManager and
> > > public/private key pair for the keyManager.
> > >
> > > Take a look this integration test: https://github.com/apache/cxf/
> > > blob/master/services/sts/systests/basic/src/test/java/
> > > org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
> > > Method prepareTLSParams().
> > >
> > > Regards,
> > > Andrei.
> > >
> > > > -----Original Message-----
> > > > From: Arek R. [mailto:[hidden email]]
> > > > Sent: Freitag, 30. Juni 2017 09:54
> > > > To: [hidden email]
> > > > Subject: Re: 2way ssl
> > > >
> > > > I cannot get it working. The server says that client doesn't send
> > > > the
> > > certificate.
> > > > My client keystore contains only the client key/cert pair and this
> > > > is
> > > working in
> > > > SoapUi project but not in pure java
> > > >
> > > > Here is the log
> > > >
> > > > main, READ: TLSv1.2 Handshake, length = 333
> > > > *** ECDH ServerKeyExchange
> > > > Signature Algorithm SHA512withRSA
> > > > Server key: Sun EC public key, 256 bits
> > > >   public x coord: 830289587105151256207749267013
> > > > 20321981505124484199856534866410300374616735045
> > > >   public y coord: 332067304039254916257006573681
> > > > 82738242939062461168510217069674332072760548082
> > > >   parameters: secp256r1 [NIST P-256, X9.62 prime256v1]
> > > (1.2.840.10045.3.1.7)
> > > > main, READ: TLSv1.2 Handshake, length = 4
> > > > *** ServerHelloDone
> > > > *** ECDHClientKeyExchange
> > > > ECDH Public value:  { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151,
> > > > 48,
> > > 83, 140,
> > > > 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13,
> > > > 143,
> > > 160, 102,
> > > > 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118,
> > > 127, 252,
> > > > 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103,
> > > > 4,
> > > 8 } main,
> > > > WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN:
> > > > PreMaster Secret:
> > > > 0000: C2 9D 01 D3 06 E1 C3 C4   E5 C0 68 95 D1 1E A3 1C
> ..........h.....
> > > > 0010: 09 7F C1 0F C5 B8 92 A5   6D A2 AA 46 B8 C6 03 DA
> ........m..F....
> > > > CONNECTION KEYGEN:
> > > > Client Nonce:
> > > > 0000: 59 55 FF E2 DD 56 BB 05   D3 4E 0D 72 98 86 F6 02
> YU...V...N.r....
> > > > 0010: 71 76 CF EC C7 5F CC 4B   6C CE EE 53 DF AE E6 10
> qv..._.Kl..S....
> > > > Server Nonce:
> > > > 0000: DA E6 A8 95 F7 E3 89 4F   19 1A AB B5 23 F1 3A B4
> .......O....#.:.
> > > > 0010: 58 76 21 FC 95 0A 8D FE   3F FD 4B 1E D3 CC D5 F3
> Xv!.....?.K.....
> > > > Master Secret:
> > > > 0000: DE 99 96 B0 F8 B8 4D C0   8D 9D D0 4E D1 7A F1 6E
> ......M....N.z.n
> > > > 0010: A4 4A 68 7A CB E6 1F 51   68 C8 1D ED F9 76 40 CE
> .Jhz...Qh....v@
> > > .
> > > > 0020: FB 4C 1B D3 FF 1B ED 27   0C 2C 3F 1C 89 D8 5F CD
> .L.....'.,?..._.
> > > > ... no MAC keys used for this cipher Client write key:
> > > > 0000: 4E 9D 81 E6 5F 84 FD 57   C0 36 A0 9B 62 C3 42 C3
> N..._..W.6..b.B.
> > > > Server write key:
> > > > 0000: 45 E7 4B 02 85 0A D3 05   D8 5F 25 7D EE 0D E9 9E
> E.K......_%.....
> > > > Client write IV:
> > > > 0000: 81 92 DF AE                                        ....
> > > > Server write IV:
> > > > 0000: AB 27 F3 37                                        .'.7
> > > > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> > > > *** Finished
> > > > verify_data:  { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32
> > > > }
> > > > ***
> > > > main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2
> > > > Change Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length
> > > > = 40
> > > > *** Finished
> > > > verify_data:  { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> > > > ***
> > > > %% Cached client session: [Session-1,
> > > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> > > > main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE:
> > > > TLSv1.2 Application Data, length = 200
> > > >
> > > > There's no CertificateVerify message
> > > >
> > > > Java code is quite typical
> > > >
> > > > factory = new JaxWsProxyFactoryBean();
> > > > factory.setAddress("https://xxx");
> > > >
> > > > factory.setServiceClass(XXX.class);
> > > > XXX xxx = (XXX) factory.create();
> > > >
> > > > Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit
> > > > =
> > > > (HTTPConduit) client.getConduit();
> > > > httpConduit.setTlsClientParameters(Utils.getTlsParams());
> > > >
> > > > and tls params I set only the keystore. I learnt the server cert is
> > > registered in
> > > > Comodo
> > > >
> > > > tlsParams.setDisableCNCheck(true);
> > > > tlsParams.setSecureSocketProtocol("TLS");
> > > > KeyManagerFactory keyFactory =
> > > > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm(
> > > > )); keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[]
> > > > km = keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km);
> > > >
> > > > Not sure it's about the cert - but soapui is working or it's about
> > > > the
> > > java code
> > > > cxf 3.0.12 and cannot be upgraded
> > > >
> > > > 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[hidden email]>:
> > > >
> > > > > Hi,
> > > > >
> > > > > As the first step, I would recommend to activate
> > > > > -Djavax.net.debug=all JVM property, you will get a bit more
> information
> > about error.
> > > > >
> > > > > You can also check if server requires client authentication using
> > > > > OpenSSL, there are some hints regarding that: https://security.
> > > > > stackexchange.com/questions/101511/determine-if-a-server-
> > > > > is-asking-for-a-client-certificate-using-openssl-s-client.
> > > > >
> > > > > Regards,
> > > > > Andrei.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Arek R. [mailto:[hidden email]]
> > > > > > Sent: Dienstag, 27. Juni 2017 10:15
> > > > > > To: [hidden email]
> > > > > > Subject: Re: 2way ssl
> > > > > >
> > > > > > I had to switch the idea and ssl terminates at jetty server. So
> > > > > > I had to
> > > > > configure
> > > > > > things like keystore etc. At the same time I've setup ssl
> > > > > > configuration
> > > > > like
> > > > > > keystore etc and link to the HttpConduit. Also added
> > > > > <sec:clientAuthenticayion
> > > > > > required='true' want='true'/> But don't understand how these 2
> > > > > > configs
> > > > > are
> > > > > > working together and I had an impression that cxf config is
> > > > > > ignored
> > > > > Don't know
> > > > > > how to proof that server requests for the client certificate
> > > > > >
> > > > > > 2017-06-23 23:11 GMT+02:00 Christian Schneider
> > > > > ><[hidden email]
> > > > > >:
> > > > > >
> > > > > > > If your client needs to call the nginx proxy instead of the
> > > > > > > service then the proxy must provide all the server side ssl
> > > > > > > setup including the 2 way ssl rules which client certs are
> > > > > > > allowed to
> > > connect.
> > > > > > >
> > > > > > > Christian
> > > > > > >
> > > > > > > 2017-06-23 15:30 GMT+02:00 Arek R. <[hidden email]>:
> > > > > > >
> > > > > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run
> > > > > > > > a test via https. 1 way ssl is working.
> > > > > > > > Now want to add a client certificate cause there's an error
> > > > > > > > in the server log like 'client sent no required SSL
> > > > > > > > certificate while reading client request headers' but cannot
> > > > > > > > find any good example how to do it. Any hint
> > > > > > > ?
> > > > > > > >
> > > > > > > > 2. If ssl terminates at nginx server am I able to recognize
> > > > > > > > the client on the web server ?
> > > > > > > > I guess no and in such case I should handle ssl at jetty/cxf
> > > level.
> > > > > > > Please
> > > > > > > > confirm.
> > > > > > > > Or the only way is to sign the messages and then it doesn't
> > > > > > > > matter where ssl is handled.
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > --
> > > > > > > Christian Schneider
> > > > > > > http://www.liquid-reality.de
> > > > > > >
> > > > > >
> > > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > > > a7
> > > > > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > > > > > >
> > > > > > > Open Source Architect
> > > > > > > http://www.talend.com
> > > > > > >
> > > > > >
> > > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > > > a7
> > > > > > > e
> > > > > > > 46&URL=http%3a%2f%2fwww.talend.com>
> > > > > > >
> > > > >
> > >
>
Loading...