Hi, I have debugged the code. In OCSPVerifier, line no. 84, ocspResponse.getStatus() returns integer 6, which is defined as OCSPRespStatus.UNAUTHORIZED. According to IETF <http://www.ietf.org/rfc/rfc2560.txt>, this is because the client is not authorized to make the query to the server.
On Fri, Mar 21, 2014 at 10:20 PM, Sudheera Palihakkara <sudhe...@wso2.com> wrote:
> Yeah, I've added the url; the cert param has these extensions at runtime
>
> Certificate Extensions: 2
> [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
> AuthorityInfoAccess [
>   [
>    accessMethod: ocsp
>    accessLocation: URIName: http://ocsp.digicert.com
>   ]
> ]
>
> [2]: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
>   [DistributionPoint:
>      [URIName: http://crl3.digicert.com/ca3-g17.crl]
> ]]
>
> I'll try debugging. :)
>
> On Fri, Mar 21, 2014 at 9:48 PM, Jeewantha Dharmaparakrama <jeewan...@wso2.com> wrote:
>
>> Well, first ESB tries with OCSP. If the CA does not support OCSP it tries
>> with CRL. Both protocols do the same thing but OCSP is newer. That's why ESB
>> tries OCSP first.
>>
>> Did you add the OCSP url in the certificate properly? IINM Digicert
>> should support OCSP. If the OCSP url is added properly, try to debug the code
>> and find where it fails.
>>
>> Jeewantha.
>>
>> On Fri, Mar 21, 2014 at 9:57 AM, Sudheera Palihakkara <sudhe...@wso2.com> wrote:
>>
>>> Hi Jeewantha,
>>>
>>> I have created CA and client certificates like you asked, and using curl
>>> did the request. Here's what I got at the server log.
>>>
>>> INFO - CacheManager OCSPCache Cache Manager Started
>>> INFO - CacheManager CRLCache Cache Manager Started
>>> INFO - RevocationVerificationManager OCSPVerifier failed.
>>> INFO - CRLVerifier Trying to get CRL for URL: http://crl3.digicert.com/ca3-g17.crl
>>> INFO - CRLCache Before set- HashMap size 0
>>> INFO - CRLCache After set - HashMap size 1
>>> INFO - PathChecker Certificate status is: Good
>>> INFO - CertificatePathValidator Certificate path validated
>>> INFO - RevocationVerificationManager Path verification Successful. Took 1075 ms.
>>>
>>> Looks like OCSPVerifier has failed, what do you think? Is it because of an
>>> issue in the source or the certificate created by me?
>>>
>>> On Thu, Mar 20, 2014 at 11:01 PM, Jeewantha Dharmaparakrama <jeewan...@wso2.com> wrote:
>>>
>>>> +1.
>>>>
>>>> So when you invoke the HTTPS service with client auth enabled, the
>>>> connection should be rejected since there is no OCSP/CRL information in the
>>>> client certificate.
>>>>
>>>> But we should test this with some custom made certificates. Create a
>>>> self signed *CA certificate* and a *User certificate* signed by that
>>>> CA. You can use the tool *openssl* for this. (No need to create an
>>>> intermediate CA cert) [1]. Before giving the Certificate signing
>>>> request (CSR) to the CA you have to give the proper X509Extensions
>>>> *Authority Information Access* [2] and *Crl Distribution Points* [3] so that the
>>>> URLs for OCSP and CRL servers will be added to the certificate you create.
>>>> You will have to create an *openssl.cnf* file with the following
>>>> information to be given to *openssl* with the CSR as an extension file.
>>>>
>>>> authorityInfoAccess = OCSP;URI: http://ocsp.digicert.com
>>>> crlDistributionPoints=URI:http://crl3.digicert.com/ca3-g17.crl
>>>>
>>>> The above urls are from the CA which has signed WSO2 certificates
>>>> (Digicert). Please check the certificate. Now you can add the created
>>>> certificates to wso2carbon.jks (Both keystore and truststore): see online
>>>> resources on how to do that. Once configured, call the HTTPS service with
>>>> client auth enabled. Use curl to send the getQuote request.
>>>>
>>>> curl -X POST -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:getQuote"' -d @request_file.xml --cacert ca.crt --cert user.crt -v https://localhost:8243
>>>>
>>>> Now the ESB should do OCSP/CRL validations and since there is no
>>>> revocation information with Digicert on the certificate you created, the
>>>> HTTPS connection should be established.
>>>>
>>>> Please ask if you have any questions.
>>>>
>>>> [1] http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
>>>> [2] http://www.oracle.com/technetwork/articles/soa/patil-certrevoc-1873528.html
>>>> [3] http://stackoverflow.com/a/12023746/1411653
>>>>
>>>> Thanks,
>>>> Jeewantha
>>>>
>>>> On Wed, Mar 19, 2014 at 10:50 PM, Sudheera Palihakkara <sudhe...@wso2.com> wrote:
>>>>
>>>>> Hi Jeewantha,
>>>>>
>>>>> I have moved ServerConnFactoryBuilder and ClientConnFactoryBuilder
>>>>> from /transport/nhttp/config/ to /transport/http/config/ because those two
>>>>> classes are common to both nhttp and passthru transports.
>>>>>
>>>>> Here are the diff files of the two files that I edited.
>>>>>
>>>>> I used an online tool to generate ServerConnFactoryBuilder.diff
>>>>> because I did not commit the changes after I moved the file to the http
>>>>> directory, so the format of the diff file may be different.
>>>>>
>>>>> thanks.
>>>>>
>>>>> On Wed, Mar 19, 2014 at 8:57 PM, Jeewantha Dharmaparakrama <jeewan...@wso2.com> wrote:
>>>>>
>>>>>> [Adding @dev]
>>>>>>
>>>>>> Hi Sudheera,
>>>>>>
>>>>>> Did you remove ServerConnFactoryBuilder and ClientConnFactoryBuilder
>>>>>> from the source and add the changed classes again? It's difficult to see
>>>>>> which lines have changed in the patch file.
>>>>>> Please remove ServerConnFactoryBuilder and ClientConnFactoryBuilder
>>>>>> from your local source, svn up again, and then do the changes in those
>>>>>> files and create the patch file.
>>>>>>
>>>>>> Thanks,
>>>>>> Jeewantha
>>>>>>
>>>>>> On Wed, Mar 19, 2014 at 3:00 AM, Sudheera Palihakkara <sudhe...@wso2.com> wrote:
>>>>>>
>>>>>>> Hi ayya,
>>>>>>>
>>>>>>> I have done some coding in ServerSSLSetupHandler.java and
>>>>>>> ServerConnFactoryBuilder.java as they did in the backend side. I think the
>>>>>>> logic is ok but it's hard to test since we don't have a certificate chain
>>>>>>> that is signed by a CA. I used wso2carbon.jks for the client and the request
>>>>>>> failed since both ocsp and crl verification failed for wso2carbon.jks.
>>>>>>> I have attached the diff file. Can you take a look?
>>>>>>>
>>>>>>> thanks.
>>>>>>>
>>>>>>> On Wed, Mar 19, 2014 at 11:43 AM, Sudheera Palihakkara <sudhe...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi ayya,
>>>>>>>>
>>>>>>>> In ServerConnFactoryBuilder.java file line 202
>>>>>>>>
>>>>>>>> *ServerSSLSetupHandler sslSetupHandler = (clientAuth != null || httpsProtocols != null) ? new ServerSSLSetupHandler(clientAuth, httpsProtocols) : null;*
>>>>>>>>
>>>>>>>> it seems like if the SSLVerifyClient parameter is not defined then
>>>>>>>> *ServerSSLSetupHandler()* doesn't get invoked. Do we need this
>>>>>>>> "SSLVerifyClient" parameter set to "required" in order to verify ocsp and crl?
>>>>>>>>
>>>>>>>> On Sat, Mar 15, 2014 at 12:20 AM, Jeewantha Dharmaparakrama <jeewan...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Sudheera,
>>>>>>>>>
>>>>>>>>> You don't need SSL Profiles to talk to HTTPS backends. SSL
>>>>>>>>> profiles are to define different SSL configurations (Trust stores,
>>>>>>>>> Keystores) to different backends. And according to the logs, the connection
>>>>>>>>> is not made to an HTTPS backend. The error occurs during the SSL handshake.
>>>>>>>>>
>>>>>>>>> To make an HTTPS connection just host your service in some server
>>>>>>>>> (doesn't matter which) and in the ESB define the endpoint to connect to the
>>>>>>>>> https port with the correct HTTPS endpoint URL.
>>>>>>>>>
>>>>>>>>> However, to test OCSP/CRL you can't use a carbon server which runs
>>>>>>>>> in your local machine. The reason is, the certificates defined in the Carbon
>>>>>>>>> Servers are fake (Self signed). That's why the web browser says "Untrusted
>>>>>>>>> connection" when you try to connect to the management console of a locally
>>>>>>>>> running carbon server. And in those fake certificates, the CRL/OCSP urls
>>>>>>>>> are not defined. So you can't test the OCSP/CRL feature that way.
>>>>>>>>>
>>>>>>>>> So don't run the backend in your local machine. Instead, use some
>>>>>>>>> HTTPS backend like https://www.facebook.com or if you need a
>>>>>>>>> webservice use the echo service in Stratos Live [1]. Stratos Live uses
>>>>>>>>> valid WSO2 certificates signed by Digicert, a valid CA which has its
>>>>>>>>> OCSP/CRL servers running [2].
>>>>>>>>>
>>>>>>>>> [1] https://stratoslive.wso2.com/services/echo?wsdl
>>>>>>>>> [2] http://www.digicert.com/
>>>>>>>>>
>>>>>>>>> If you have more questions please ask on @Dev to be more visible
>>>>>>>>> to the public.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Jeewantha
>>>>>>>>>
>>>>>>>>> On Fri, Mar 14, 2014 at 2:09 AM, Sudheera Palihakkara <sudhe...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi ayya.
>>>>>>>>>>
>>>>>>>>>> I'm trying to invoke the already implemented ocsp at the
>>>>>>>>>> transport sender and get an idea about the flow. But I'm having some
>>>>>>>>>> difficulties during the process. Here's what I've done:
>>>>>>>>>>
>>>>>>>>>> 1. Followed this document [1] <http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html>
>>>>>>>>>>    to create the SSL profiles. (Used the same axis2.xml with password as *wso2carbon*.)
>>>>>>>>>> 2. Started a separate DSS with clientAuth="true" in catalina-server.xml.
>>>>>>>>>> 3. Created a proxy service in ESB to invoke the *echo service* deployed
>>>>>>>>>>    at DSS with use of *https* in the endpoint.
>>>>>>>>>>
>>>>>>>>>> When I invoked the proxy service I'm getting this error
>>>>>>>>>>
>>>>>>>>>> *[2014-03-14 13:11:10,725] ERROR - TargetHandler I/O error: Unrecognized SSL message, plaintext connection?*
>>>>>>>>>>
>>>>>>>>>> Full error log [2] <http://pastebin.com/5VMK4cnT>.
>>>>>>>>>>
>>>>>>>>>> Can you help me out please? Is there any other way to test this? I
>>>>>>>>>> might need something similar for the transport listener too. Thank you.
>>>>>>>>>>
>>>>>>>>>> [1] http://pathberiya.blogspot.com/2010/07/ssl-profiles-in-wso2-esb.html
>>>>>>>>>> [2] http://pastebin.com/5VMK4cnT
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Jeewantha Dharmaparakrama
>>>>>>>>> Software Engineer; WSO2, Inc.; http://wso2.com/
>>>>>>>>> Phone : (+94) 774726790
>>>>>>>>> Skype : prasad.jeewantha
>>>>>>>>> LinkedIn : http://www.linkedin.com/in/jeewanthad
>>>>>>>>> Twitter: https://twitter.com/jeewamp
>>>>>>>>> Blog: http://jeewanthad.blogspot.com/
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
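A small decoder for the status value the thread ends on, added here as an illustration and not taken from the WSO2 ESB code base: it parses the responseStatus of a DER-encoded OCSPResponse (RFC 2560, section 4.2.1) and separates a refusal such as UNAUTHORIZED (6) from a real verdict that must be evaluated. The sample response bytes are constructed, and the CRL-fallback policy in `should_fall_back_to_crl` is this example's assumption, not a description of what RevocationVerificationManager does.

```python
# Added example, not WSO2 ESB code: decode the responseStatus of a DER-encoded
# OCSPResponse (RFC 2560 4.2.1: SEQUENCE { responseStatus ENUMERATED,
# responseBytes [0] EXPLICIT OPTIONAL }) and decide whether a CRL fallback is
# a sound reaction. Sample bytes are constructed by hand.

OCSP_RESPONSE_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}

# Responder gave no verdict on the certificate; consulting the CRL instead is
# this example's policy (an assumption), not necessarily the ESB's.
NO_ANSWER_STATUSES = {2, 3, 5, 6}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def ocsp_response_status(der):
    """Return (code, name) from the outer OCSPResponse, ignoring responseBytes."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, val, _ = _read_tlv(seq, 0)
    if tag != 0x0A:  # ENUMERATED
        raise ValueError("responseStatus must be ENUMERATED")
    code = int.from_bytes(val, "big")
    return code, OCSP_RESPONSE_STATUS.get(code, "unknown")


def should_fall_back_to_crl(code):
    """True only when the responder declined to answer, e.g. UNAUTHORIZED (6).
    successful (0) carries a real verdict and must be evaluated, never skipped;
    malformedRequest (1) is our own bug and should surface, not be retried."""
    return code in NO_ANSWER_STATUSES


# Constructed sample: SEQUENCE { ENUMERATED 6 } with no responseBytes, i.e. the
# UNAUTHORIZED reply that OCSPVerifier saw as getStatus() == 6.
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")
```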