Sorry for the delay. Typically in an SSL transaction the client wants to authenticate the server (validating server certificates). However, in the case of mutual client authentication the server also authenticates the client (using client certificates) in addition to the client authenticating the server. Check out http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/JSSERefGuide.html and http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/samples/sockets/client/SSLSocketClientWithClientAuth.java for more info on this.

My problem relates to a SocketException when I run a custom SSL socket factory with client authentication.

In a previous release of HttpClient, the HttpClient class had a setSSLSocketFactory method. So we used to be able to create a custom SSLSocketFactory that supported client authentication and set it to be used with an instance of the HttpClient class. Something like:


import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

HttpClient hc = new HttpClient();
try {
    SSLContext ctx;
    KeyManagerFactory kmf;
    KeyStore ks;
    char[] passphrase = "passphrase".toCharArray();

    ctx = SSLContext.getInstance("TLS");
    kmf = KeyManagerFactory.getInstance("SunX509");
    ks = KeyStore.getInstance("JKS");

    // the keystore holds the client's private key and certificate chain
    ks.load(new FileInputStream("testkeystore"), passphrase);

    kmf.init(ks, passphrase);
    // null trust managers: server certificates are checked against the JRE default truststore
    ctx.init(kmf.getKeyManagers(), null, null);

    SSLSocketFactory factory = ctx.getSocketFactory();

    hc.setSSLSocketFactory(factory);
}
catch (Exception e)
{
    throw new IOException(e.getMessage());
}

Then use GetMethod and PostMethod...

In HttpClient 2.0 beta1, I tried to create a
CustomSocketFactory along similar lines to the EasySSLProtocolSocketFactory example provided at
http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/contrib/org/apache/commons/httpclient/contrib/ssl/


Something like:

import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

class MyFactory implements SecureProtocolSocketFactory
{
    // JSSE factory built from a keystore that contains the client key and certificate
    private SSLSocketFactory mFactory;

    MyFactory()
    {
        mFactory = getFactoryWithClientAuth();
    }

    private static SSLSocketFactory getFactoryWithClientAuth()
    {
        .......//same way as in JSSE example
    }

    public Socket createSocket(Socket socket, String host,
                               int port, boolean autoClose)
        throws IOException, UnknownHostException
    {
        return mFactory.createSocket(socket, host, port, autoClose);
    }

    // implement the rest of the createSocket methods similarly to the above
    .....
}

I then used it to post stuff:

    PostMethod post = new PostMethod(postServerUrl);
    post.setRequestBody("Test http client");

    post.setRequestHeader("Content-type", "text/plain");

    Protocol strictHttps = new Protocol("https", new MyFactory(), 443);

    HttpClient client = new HttpClient();

    HostConfiguration hostc = new HostConfiguration();
    hostc.setHost("ServerUrl", 443, strictHttps);

    client.executeMethod(hostc, post);
When I ran the second example against 2.0 Beta1, the protocol interactions in the output seem to be correct.
I saw all the SSL handshake stuff work correctly:
*** ClientHello, v3.1
*** ServerHello, v3.1
*** Certificate chain
*** CertificateRequest
*** ServerHelloDone
*** ClientKeyExchange
*** CertificateVerify
*** Finished, v3.1


except just after the last stage, when it's about to do the actual post, I get

*** Finished, v3.1
verify_data: { 98, 86, 46, 20, 159, 191, 251, 102, 9, 201, 95, 201 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 62 56 2E 14 9F BF FB 66 09 C9 5F C9 ....bV.....f.._.
Plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C 62 56 2E 14 9F BF FB 66 09 C9 5F C9 ....bV.....f.._.
0010: A2 FE 98 4F 4D E1 1B AD 0D 74 DD 5A 44 54 E9 3D ...OM....t.ZDT.=
main, WRITE: SSL v3.1 Handshake, length = 32
2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.close()
2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.closeSockedAndStreams()
main, SEND SSL v3.1 ALERT: warning, description = close_notify
Plaintext before ENCRYPTION: len = 18
0000: 01 00 AB 04 44 A2 B3 5D A4 89 16 62 F8 11 47 D6 ....D..]...b..G.
0010: A6 E4 ..
main, WRITE: SSL v3.1 Alert, length = 18
2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.close()
2003/05/30 01:02:59:124 EDT [TRACE] HttpConnection - -enter HttpConnection.closeSockedAndStreams()
java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:116)
at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1347)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:782)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2173)
at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2528)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1065)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:638)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:526)
at PostXML1.main(PostXML1.java:130)
Exception in thread "main"


This exception occurs only when I want to do SSL transactions with client authentication. Has anyone else encountered this problem? Just FYI, this did not happen in the previous release of HttpClient. Any suggestions will be greatly appreciated.

Patrick


On Thu, 29 May 2003 Michael Becke wrote:
Hello Patrick,

What exactly do you mean by "SSL with mutual client authentication"? Could you provide a simple example of what you are trying and what specifically does not work. A stack trace and logs would be helpful.

http://jakarta.apache.org/commons/httpclient/logging.html

Mike

Patrick Cardinal wrote:
I use HttpClient to do SSL. We have been having problems using the 2.0 beta-1 (even alpha3) release of HttpClient to do SSL with mutual client authentication using keystores and JSSE. This used to work in a previous release of HttpClient. I need to upgrade to the 2.0 version for a bug fix.

Does anyone know if SSL with mutual client authentication has ever been tested with HttpClient?

Can anyone provide me with sample code to do client authentication using HttpClient 2.0?

Any help will be appreciated on this count.

Patrick
___________________________________________________
Get email that means BUSINESS! me @ mycompany.com.
Just Rs.1499/year.
To start, click http://www.rediffmailpro.com


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




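The original question asks for sample code that does client certificate authentication with HttpClient 2.0. The following is an added example written for this page; it is not code from the thread's authors or from the HttpClient project. It fills in the part the post elides ("same way as in JSSE example") as a complete SecureProtocolSocketFactory that loads the client identity from one keystore and the server trust anchors from a separate truststore, and wires it into a Protocol / HostConfiguration the same way the post does. The keystore and truststore file names, the passwords, the host name and the request path are placeholders, not values from the thread.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * HttpClient 2.0 socket factory that presents a client certificate when the
 * server sends a CertificateRequest, and validates the server against an
 * explicit truststore instead of the JRE default.
 */
public class ClientAuthSSLProtocolSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory sslFactory;

    public ClientAuthSSLProtocolSocketFactory(String keyStorePath, char[] keyStorePass,
                                              String trustStorePath, char[] trustStorePass)
            throws IOException {
        try {
            // Client identity: private key + certificate chain used for CertificateVerify.
            KeyStore ks = KeyStore.getInstance("JKS");
            FileInputStream ksIn = new FileInputStream(keyStorePath);
            try { ks.load(ksIn, keyStorePass); } finally { ksIn.close(); }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePass);

            // Trust anchors used to validate the server's certificate chain.
            KeyStore ts = KeyStore.getInstance("JKS");
            FileInputStream tsIn = new FileInputStream(trustStorePath);
            try { ts.load(tsIn, trustStorePass); } finally { tsIn.close(); }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            sslFactory = ctx.getSocketFactory();
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot initialise client-auth SSL context: " + e);
        }
    }

    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
            throws IOException, UnknownHostException {
        return sslFactory.createSocket(host, port, clientHost, clientPort);
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return sslFactory.createSocket(host, port);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return sslFactory.createSocket(socket, host, port, autoClose);
    }

    // HttpClient compares Protocol objects (scheme, factory, port) when deciding whether an
    // open connection can be reused; all instances of this factory are interchangeable.
    public boolean equals(Object obj) {
        return obj != null && obj.getClass().equals(getClass());
    }

    public int hashCode() {
        return getClass().hashCode();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names, passwords, host and path (assumptions for this example).
        Protocol clientAuthHttps = new Protocol("https",
                new ClientAuthSSLProtocolSocketFactory("client.jks", "passphrase".toCharArray(),
                                                       "truststore.jks", "changeit".toCharArray()),
                443);

        HostConfiguration hostc = new HostConfiguration();
        hostc.setHost("server.example.com", 443, clientAuthHttps);

        PostMethod post = new PostMethod("/post");
        post.setRequestHeader("Content-type", "text/plain");
        post.setRequestBody("Test http client");

        HttpClient client = new HttpClient();
        try {
            int status = client.executeMethod(hostc, post);
            System.out.println("HTTP " + status);
            System.out.println(post.getResponseBodyAsString());
        } finally {
            post.releaseConnection();
        }
    }
}
```

Running the JVM with -Djavax.net.debug=ssl,handshake produces the same kind of ClientHello / CertificateRequest / CertificateVerify trace shown in the post, which is the quickest way to confirm that the key manager actually found a usable client certificate: if the keystore holds no key entry matching the CA names in the CertificateRequest, the client sends an empty Certificate message and the server, not the client, decides what happens next. Passing an explicit TrustManagerFactory rather than null keeps server validation under the application's control instead of whatever cacerts the deployment JRE happens to ship with.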