1) It looks like the server cert is a self-signed certificate:

Issuer: [EMAIL PROTECTED], CN=Tims CA, OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ
SerialNumber: [ 01]


You have to add their server certificate into your cacerts file to "trust" them

keytool -import -trustcacerts -keystore <path>/cacerts -file <servercert> -alias <alias_you_define>


2) You need the debug output much earlier than the one below to prove to yourself that your keystore is being loaded.
Here's what I get (JDK 1.4.2_04 on Solaris 8):



keyStore is : /export/livedata/GW-soft2/allClientCerts.jks
keyStore type is : JKS
init keystore
init keymanager of type SunX509
***
found key for : eis preconfig 37's telstra research laboratories id
chain [0] = [
[
Version: V1
Subject: SERIALNUMBER=38895284 + CN=EIS Preconfig 37 + [EMAIL PROTECTED], DNQ=TRL Demo Customer, C=AU
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4


< ..... snip ..... >

***
***
found key for : 2
chain [0] = [
[
 Version: V1
 Subject: CN=smsoar_10073_default, OU=customers, O=smsoar, C=gb
 Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

< ..... snip ..... >

***
***
found key for : 1
chain [0] = [
[
 Version: V1
 Subject: CN=smsoar_10091_default, OU=customers, O=smsoar, C=gb
 Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

< ..... snip ..... >

***
***
found key for : mykey
chain [0] = [
[
Version: V1
Subject: CN=Jesus M. Salvo Jr., OU=IT, O=Mobile Internet Group Pty. Ltd., L=North Sydney, ST=NSW, C=AU
Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3


< ..... snip ..... >

***
trustStore is: /usr/j2sdk1.4.2_04/jre/lib/security/cacerts
trustStore type is : jks
init truststore
adding as trusted cert:


John
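As an added example that is not part of this thread: instead of relying on the system properties, load the client keystore and the truststore explicitly and check, before connecting, that the keystore actually holds a private-key entry (a keystore with only trustedCertEntry items can never answer a CertificateRequest). The JSSE property names are spelled javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword and javax.net.ssl.trustStore; when they take effect, the debug output starts with the "keyStore is :" lines shown above. The keystore path and password below are taken from the command line in this thread; "changeit" is the JRE's default cacerts password.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertCheck {

    // Load a JKS file; path and password are caller-supplied assumptions.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    // Count private-key entries. Zero means JSSE has nothing to present and
    // will send an empty Certificate message when the server asks for one.
    static int countKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry((String) e.nextElement())) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "password".toCharArray();   // assumption
        KeyStore clientKeys = load("C:/Projects/.keystore", password);
        // The JRE's cacerts, into which the server's CA certificate was
        // imported with keytool; "changeit" is the JRE default password.
        KeyStore trusted = load(System.getProperty("java.home")
                + "/lib/security/cacerts", "changeit".toCharArray());
        if (countKeyEntries(clientKeys) == 0) {
            throw new IllegalStateException("keystore holds no private key;"
                    + " keytool -list would show only trustedCertEntry");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        // ctx.getSocketFactory() is what HttpClient's secure socket
        // factory should use instead of the JSSE defaults.
    }
}
```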



Tim Wild wrote:

I'm using JDK 1.4.2. I turned debug on, and I can see the server cert and my CA cert being sent to the client, but it doesn't look like a client cert is being presented.

The output is quite verbose, but I've included it in case you can see anything obvious in it. I've removed most of the hex output from it to make it shorter. I've included the 3 lines from my sample program too.

HttpClient httpclient = new HttpClient();
GetMethod httpget = new GetMethod("https://machinename//index.txt");
httpclient.executeMethod(httpget);


jdk1.4.2_03\bin\javaw.exe -Djava.net.ssl.keyStore=C:/Projects/.keystore -Djava.net.ssl.keyStorePassword=password -Djava.net.ssl.keyStoreType=JKS -Djavax.net.debug=all Test1

trigger seeding of SecureRandom
done seeding SecureRandom
setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1068619367 bytes = { 30, 135, 31, 112, 113, 241, 134, 95, 221, 9, 63, 21, 239, 194, 9, 35, 19, 150, 248, 155, 245, 153, 87, 0, 79, 1, 104, 176 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 73
(snip)
main, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
(snip)
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 42
*** ServerHello, TLSv1
RandomCookie: GMT: 1068619367 bytes = { 250, 109, 255, 201, 149, 191, 165, 33, 170, 225, 228, 40, 2, 162, 137, 105, 20, 252, 215, 176, 14, 151, 188, 86, 69, 242, 205, 223 }
Session ID: {}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 42
0000: 02 00 00 26 03 01 40 B2 D6 67 FA 6D FF C9 95 BF ...&[EMAIL PROTECTED]
0010: A5 21 AA E1 E4 28 02 A2 89 69 14 FC D7 B0 0E 97 .!...(...i......
0020: BC 56 45 F2 CD DF 00 00 04 00 .VE.......
main, READ: TLSv1 Handshake, length = 1909
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: [EMAIL PROTECTED], CN=wlg-dev-dsk04, OU=Development, O=SolNet Solutions Ltd, C=NZ
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4


Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
(snip)
Validity: [From: Wed May 19 13:44:25 NZST 2004,
To: Thu May 19 13:44:25 NZST 2005]
Issuer: [EMAIL PROTECTED], CN=Tims CA, OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ
SerialNumber: [ 01]


Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
0020: 65                                                 e


[2]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 52 CD DC EF 82 3F C7 B5 04 09 F9 8E 2E 3A 97 B6 R....?.......:.. 0010: EA 91 AD 5F ..._ ] ]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: EF 18 F6 1E F7 5D 25 86   B5 D6 C6 F9 C5 C5 82 B6  .....]%.........
0010: 4B 2C DB 84                                        K,..
]

[EMAIL PROTECTED], CN=Tims CA, OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ]
SerialNumber: [ 00]
]


[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

]
 Algorithm: [MD5withRSA]
 Signature:
(snip)

]
chain [1] = [
[
Version: V3
Subject: [EMAIL PROTECTED], CN=Tims CA, OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4


Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
be28a824 de59b306 167821cf 7228e2fd c3914df8 6021cf0d 0673198a 6a13ad71
504e0337 68d5e451 71455a1f f4cd4b22 6d26af58 8b844eb7 0f1a352b f44be9ad
efb5b6e6 b464465b 9ff60a29 9b3ad451 daa9a45b ed2531e7 66a73e97 fe1e4c8c
75e193b8 cad32073 eb44741d fe3cf347 df3d4e2b 7cb08efb 9e5c885c 73f51219
Validity: [From: Wed May 19 13:28:22 NZST 2004,
To: Thu May 19 13:28:22 NZST 2005]
Issuer: [EMAIL PROTECTED], CN=Tims CA, OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ
SerialNumber: [ 00]


Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EF 18 F6 1E F7 5D 25 86   B5 D6 C6 F9 C5 C5 82 B6  .....]%.........
0010: 4B 2C DB 84                                        K,..
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: EF 18 F6 1E F7 5D 25 86   B5 D6 C6 F9 C5 C5 82 B6  .....]%.........
0010: 4B 2C DB 84                                        K,..
]

[EMAIL PROTECTED], CN=Tims CA, OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ]
SerialNumber: [ 00]
]


[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

]
 Algorithm: [MD5withRSA]
 Signature:
(snip)

]
***
[read] MD5 and SHA1 hashes: len = 1909
0000: 0B 00 07 71 00 07 6E 00 03 C3 30 82 03 BF 30 82 ...q..n...0...0.
(snip)
0760: 73 6B AC 6F 75 C5 A2 31 DF 0C 70 42 2F 97 54 A2 sk.ou..1..pB/.T.
0770: AB 43 DA 01 19 .C...
main, READ: TLSv1 Handshake, length = 170
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<[EMAIL PROTECTED], CN=Tims CA, OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ>
[read] MD5 and SHA1 hashes: len = 166
0000: 0D 00 00 A2 02 01 02 00 9D 00 9B 30 81 98 31 0B ...........0..1.
(snip)
0070: 54 69 6D 73 20 43 41 31 2D 30 2B 06 09 2A 86 48 Tims CA1-0+..*.H
0080: 86 F7 0D 01 09 01 16 1E 74 69 6D 2E 77 69 6C 64 ........tim.wild
0090: 40 73 6F 6C 6E 65 74 73 6F 6C 75 74 69 6F 6E 73 @solnetsolutions
00A0: 2E 63 6F 2E 6E 7A .co.nz
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
***
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 19, 49, 122, 163, 243, 76, 221, 155, 77, 25, 251, 230, 32, 148, 220, 73, 203, 245, 7, 152, 212, 104, 4, 216, 178, 106, 73, 230, 196, 226, 151, 60, 25, 216, 247, 114, 33, 105, 73, 45, 97, 127, 109, 247, 100, 64 }
[write] MD5 and SHA1 hashes: len = 141
(snip)
main, WRITE: TLSv1 Handshake, length = 141
SESSION KEYGEN:
PreMaster Secret:
(snip)
CONNECTION KEYGEN:
Client Nonce:
0000: 40 B2 D6 67 1E 87 1F 70 71 F1 86 5F DD 09 3F 15 @..g...pq.._..?.
0010: EF C2 09 23 13 96 F8 9B F5 99 57 00 4F 01 68 B0 ...#......W.O.h.
Server Nonce:
0000: 40 B2 D6 67 FA 6D FF C9 95 BF A5 21 AA E1 E4 28 @..g.m.....!...(
0010: 02 A2 89 69 14 FC D7 B0 0E 97 BC 56 45 F2 CD DF ...i.......VE...
Master Secret:
0000: 4E A0 E3 58 14 B8 2B 72 A4 19 DB DC FE A2 5B 36 N..X..+r......[6
0010: 1E 7C A3 2C 1C 77 18 A4 F1 69 EA 38 1A 18 4B 6D ...,.w...i.8..Km
0020: F9 09 DE F7 7B 30 00 77 AE F3 84 5F 65 9E 82 CB .....0.w..._e...
Client MAC write Secret:
0000: 1E BD 25 C5 56 1F 27 D0 4E 38 6F FF F7 0E 39 76 ..%.V.'.N8o...9v
Server MAC write Secret:
0000: AF 6C F6 1B C8 DA FD 08 D1 38 66 0E 79 B9 67 EE .l.......8f.y.g.
Client write key:
0000: 1C D8 F6 A3 37 25 4B 71 7B 00 30 1F A1 49 1F 95 ....7%Kq..0..I..
Server write key:
0000: ED 7D 46 D3 BF A7 2D 72 00 E7 FE 52 0A CF 9D 15 ..F...-r...R....
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished
verify_data: { 92, 132, 157, 55, 235, 50, 252, 229, 185, 29, 124, 106 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 5C 84 9D 37 EB 32 FC E5 B9 1D 7C 6A ....\..7.2.....j
Plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C 5C 84 9D 37 EB 32 FC E5 B9 1D 7C 6A ....\..7.2.....j
0010: BE 03 CD 88 09 C8 C4 CD A6 D3 70 A7 97 F3 64 C1 ..........p...d.
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
    at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1368)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:799)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2277)
    at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2657)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1093)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:675)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:529)
    at Test1.testHttpClient(Test1.java:50)
    at Test1.main(Test1.java:33)
Process terminated with exit code 0


Jesus M. Salvo Jr. wrote:

Tim Wild wrote:

Thanks Jesus,

I gave this a try, but I think I missed something, as it didn't work. I got an SSLHandshakeException with the message handshake_failure, indicating that the client certificate hadn't been presented.

What JDK are you using?
If you are using JDK 1.3, then you have to add java.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol to your system properties.
Also, add javax.net.debug=all to your system properties so that at least you can see what's happening.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






--
Jesus M. Salvo Jr.
Mobile Internet Group Pty Ltd
(formerly Softgame International Pty Ltd)
M: +61 409 126699
T: +61 2 94604777
F: +61 2 94603677

PGP Public key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0BA5348



