Well first ESB tries with OCSP. If the CA does not support OCSP it tries with CRL. Both protocols do the same thing but OCSP is newer. Thats why ESB tries OCSP first.
Did you add the OCSP url in the certificate properly? IINM Digicert should support OCSP. If OCSP url is added properly, try to debug the code and find where it get fails. Jeewantha. On Fri, Mar 21, 2014 at 9:57 AM, Sudheera Palihakkara <sudhe...@wso2.com>wrote: > Hi Jeewantha, > > I have created CA and client certificates like you asked. And using curl > did the request. Here's what I got at the server log. > > INFO - CacheManager OCSPCache Cache Manager Started > INFO - CacheManager CRLCache Cache Manager Started > INFO - RevocationVerificationManager OCSPVerifier failed. > INFO - CRLVerifier Trying to get CRL for URL: > http://crl3.digicert.com/ca3-g17.crl > INFO - CRLCache Before set- HashMap size 0 > INFO - CRLCache After set - HashMap size 1 > INFO - PathChecker Certificate status is: Good > INFO - CertificatePathValidator Certificate path validated > INFO - RevocationVerificationManager Path verification Successful. Took > 1075 ms. > > > looks like OCSPVerifier has failed, what do you think? is it because a > issue in the source or the certificate created by me? > > > On Thu, Mar 20, 2014 at 11:01 PM, Jeewantha Dharmaparakrama < > jeewan...@wso2.com> wrote: > >> +1. >> >> So when you invoke the HTTPS service with client auth enabled, the >> connection should be rejected since there is no OCSP/CRL information in the >> client certificate. >> >> But we should test this with some custom made certificates. Create a self >> signed *CA certificate* and a *User certificate* signed by that CA. You >> can use the tool *openssl* for this. (No need to create an intermediate >> CA cert) [1]. Before giving the Certificate signing request(CSR) to the CA >> you have to give the proper X509Extensions *Authority Information Access*[2] >> and *Crl >> Distribution Points* [3] so that the URLs for OCSP and CRL servers will >> be added to the certificate you create. You will have to create an >> *openssl.cnf* file with the following information to be given to >> *openssl* with the CSR as an extension file. >> >> authorityInfoAccess = OCSP;URI: http://ocsp.digicert.com >> crlDistributionPoints=URI:http://crl3.digicert.com/ca3-g17.crl >> >> The above urls are from the CA which has signed WSO2 certificates >> (Digicert). Please check the certificate. Now you can add the created >> certificates to wso2carbon.jks (Both keystore and truststore) : see online >> resources on how to do that. Once configured, call the HTTPS service with >> client auth enabled. Use curl to send the getQuote request. >> >> curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: >> "urn:getQuote"' -d @request_file.xml --cacert ca.crt --cert user.crt -v >> https://localhost:8243 >> >> >> Now the ESB should do OCSP/CRL validations and since there are no >> revocation information with Digicert on the certificate you created, the >> HTTPS connection should be established. >> >> Please ask if you have any questions. >> >> [1] >> http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/ >> [2] >> http://www.oracle.com/technetwork/articles/soa/patil-certrevoc-1873528.html >> [3] http://stackoverflow.com/a/12023746/1411653 >> >> Thanks, >> Jeewantha >> >> >> On Wed, Mar 19, 2014 at 10:50 PM, Sudheera Palihakkara <sudhe...@wso2.com >> > wrote: >> >>> Hi Jeewantha, >>> >>> I have moved ServerConnFactoryBuilder and ClientConnFactoryBuilder from >>> /transport/nhttp/config/ to /transport/http/config/ because those two >>> classed are common to both nhttp and passthru transports. >>> >>> Here are the diff files of the two files that I edited. >>> >>> I used an online tool to generate ServerConnFactoryBuilder.diff because >>> I did not committed the changes after I moved the file to http directory so >>> the format of the diff file may different. >>> >>> thanks. >>> >>> >>> >>> On Wed, Mar 19, 2014 at 8:57 PM, Jeewantha Dharmaparakrama < >>> jeewan...@wso2.com> wrote: >>> >>>> [Adding @dev] >>>> >>>> Hi Sudheera, >>>> >>>> Did you remove ServerConnFactoryBuilder and ClientConnFactoryBuilder >>>> from the source and added the changed classes again? Its difficult to see >>>> which lines have changed in the patch file. >>>> Please remove ServerConnFactoryBuilder and ClientConnFactoryBuilder >>>> from your local source, svn up again, and then do the changes in those >>>> files and create the patch file. >>>> >>>> Thanks, >>>> Jeewantha >>>> >>>> >>>> On Wed, Mar 19, 2014 at 3:00 AM, Sudheera Palihakkara < >>>> sudhe...@wso2.com> wrote: >>>> >>>>> Hi ayya, >>>>> >>>>> I have done some coding ServerSSLSetupHander.java and >>>>> ServerConnFactoryBuilder.java as they did in the backend side. I think the >>>>> logic is ok but it's hard to test since we don't have certificate chain >>>>> that signed by a CA. I used wso2carbon.jks for client and the request get >>>>> failed since both ocsp and crl verification get failed for wso2carbon.jks >>>>> . >>>>> I have attached the diff file. Can you take a look. >>>>> >>>>> >>>>> thanks. >>>>> >>>>> >>>>> On Wed, Mar 19, 2014 at 11:43 AM, Sudheera Palihakkara < >>>>> sudhe...@wso2.com> wrote: >>>>> >>>>>> Hi ayya, >>>>>> >>>>>> In ServerConnFactoryBuilder.java file line 202 >>>>>> >>>>>> >>>>>> >>>>>> * ServerSSLSetupHandler sslSetupHandler = >>>>>> (clientAuth != null || httpsProtocols != >>>>>> null) ? new >>>>>> ServerSSLSetupHandler(clientAuth,httpsProtocols) : null;* >>>>>> >>>>>> it seems like if SSLVerifyClient parameter not defined then >>>>>> *ServerSSLSetupHandler()* isn't get invoked. Do we need this >>>>>> "SSLVerifyClient" parameter set to "required" in order to verify ocsp >>>>>> and >>>>>> crl ? >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Sat, Mar 15, 2014 at 12:20 AM, Jeewantha Dharmaparakrama < >>>>>> jeewan...@wso2.com> wrote: >>>>>> >>>>>>> Hi Sudheera, >>>>>>> >>>>>>> You don't need SSL Profiles to talk to HTTPS backends. SSL profiles >>>>>>> are to define different SSL configurations (Trust stores, Keystores) to >>>>>>> different backends. And according to the logs, the connection is not >>>>>>> made >>>>>>> to an HTTPS backend. Error occurs during SSL handshake. >>>>>>> >>>>>>> To make an HTTPS connection just host your service in some server >>>>>>> (doesnt matter which) and in the ESB define the endpoint to connect to >>>>>>> the >>>>>>> https port with the correct HTTPS endpoint URL. >>>>>>> >>>>>>> However to test OCSP/CRL you cant use a carbon server which runs in >>>>>>> your local macine. The reason is, the certificates defined in the Carbon >>>>>>> Servers are fake (Self signed). That's why the web browser says >>>>>>> "Untrusted >>>>>>> connection" when you try connect to the management console of a locally >>>>>>> running carbon server. And in those fake certificates, the CRL/OCSP urls >>>>>>> are not defined. So you cant test OCSP/CRL feature that way. >>>>>>> >>>>>>> So don't run the backend in your local machine. Instead, use some >>>>>>> HTTPS backend like https://www.facebook.com or if you need a >>>>>>> webservice use the echo service in Stratos Live[1] . Stratos live uses >>>>>>> valid WSO2 certificates signed by Digicert, a valid CA which has its >>>>>>> OCSP/CRL servers running[2]. >>>>>>> >>>>>>> [1] https://stratoslive.wso2.com/services/echo?wsdl >>>>>>> [2] http://www.digicert.com/ >>>>>>> >>>>>>> If you have more questions please ask on @Dev to be more visible to >>>>>>> the public. >>>>>>> >>>>>>> Thanks, >>>>>>> Jeewantha >>>>>>> >>>>>>> >>>>>>> On Fri, Mar 14, 2014 at 2:09 AM, Sudheera Palihakkara < >>>>>>> sudhe...@wso2.com> wrote: >>>>>>> >>>>>>>> Hi ayya. >>>>>>>> >>>>>>>> I'm trying to invoke the already implemented ocsp at the transport >>>>>>>> sender and get an idea about the flow. But I'm having some difficulties >>>>>>>> during the process. here's what I've done >>>>>>>> >>>>>>>> 1 . followed this >>>>>>>> [1<http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html>] >>>>>>>> document to create the SSL profiles. (used same axis2.xml with >>>>>>>> password as >>>>>>>> *wso2carbon* ) >>>>>>>> 2. Started a separate DSS with clientAuth="true" in >>>>>>>> catalina-server.xml >>>>>>>> 3. created a proxy service in ESB to invoke *echo service*deployed at >>>>>>>> DSS with use of >>>>>>>> *https* in the endppoint. >>>>>>>> >>>>>>>> When I invoked the proxy service I'm getting this error >>>>>>>> >>>>>>>> *[2014-03-14 13:11:10,725] ERROR - TargetHandler I/O error: >>>>>>>> Unrecognized SSL message, plaintext connection?* >>>>>>>> >>>>>>>> Full error log[2 <http://pastebin.com/5VMK4cnT>]. >>>>>>>> >>>>>>>> Can you help me out please. I there any other way to test this, I >>>>>>>> might need something similar for transport listener too. thank you >>>>>>>> >>>>>>>> >>>>>>>> [1] >>>>>>>> http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html >>>>>>>> [2] http://pastebin.com/5VMK4cnT >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Jeewantha Dharmaparakrama >>>>>>> Software Engineer; WSO2, Inc.; http://wso2.com/ >>>>>>> Phone : (+94) 774726790 >>>>>>> Skype : prasad.jeewantha >>>>>>> LinkedIn : http://www.linkedin.com/in/jeewanthad >>>>>>> Twitter: https://twitter.com/jeewamp >>>>>>> Blog: http://jeewanthad.blogspot.com/ >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>>> >>>> -- >>>> Jeewantha Dharmaparakrama >>>> Software Engineer; WSO2, Inc.; http://wso2.com/ >>>> Phone : (+94) 774726790 >>>> Skype : prasad.jeewantha >>>> LinkedIn : http://www.linkedin.com/in/jeewanthad >>>> Twitter: https://twitter.com/jeewamp >>>> Blog: http://jeewanthad.blogspot.com/ >>>> >>> >>> >> >> >> -- >> Jeewantha Dharmaparakrama >> Software Engineer; WSO2, Inc.; http://wso2.com/ >> Phone : (+94) 774726790 >> Skype : prasad.jeewantha >> LinkedIn : http://www.linkedin.com/in/jeewanthad >> Twitter: https://twitter.com/jeewamp >> Blog: http://jeewanthad.blogspot.com/ >> > > -- Jeewantha Dharmaparakrama Software Engineer; WSO2, Inc.; http://wso2.com/ Phone : (+94) 774726790 Skype : prasad.jeewantha LinkedIn : http://www.linkedin.com/in/jeewanthad Twitter: https://twitter.com/jeewamp Blog: http://jeewanthad.blogspot.com/
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
