[ https://issues.apache.org/jira/browse/CXF-5652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14067629#comment-14067629 ]
Andrei Shakirin commented on CXF-5652:
--------------------------------------

Hi Vjacheslav,

I think I found the reason for the problem with JVM parameters. CXF also uses URL.openConnection() to get an HttpsURLConnection. However, CXF additionally creates an SSLContext and wraps its socketFactory to enable certain cipher suites. This socket factory is then set via HttpsURLConnection.setSSLSocketFactory(). See https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java for details.

Here is the problem: if the keyManager and trustManager are not provided, the SSLContext is initialized as context.init(null, null, null). In this case the error "fatal error: 42: null cert chain" occurs even if the JVM keyStore and trustStore properties are set. If you don't set a socketFactory on the HttpsURLConnection at all, or properly initialize the SSLContext with a keyManager and trustManager, the client authentication scenario works.

I have reproduced that in a simple test case based on URL.getConnection() (attached). If you uncomment the line "context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);" and comment out "context.init(null, null, null);", the client authentication scenario works. Otherwise the server sends the mentioned error 42 even with the JVM properties. (Both options work if client authentication is deactivated.) Could you please check it on your environment?

Regarding the solution: I think we can check if keyManagers and trustManagers are null and initialize them from the JVM properties (if they are set). This will fix the client authentication scenario with JVM properties. However, I don't think that it helps with the instability problem you mentioned; I am afraid further analysis will be necessary there.

Regards,
Andrei.
> WebClient with SSL: javax.net.ssl.SSLHandshakeException handshake_failure
> -------------------------------------------------------------------------
>
>                 Key: CXF-5652
>                 URL: https://issues.apache.org/jira/browse/CXF-5652
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS
>    Affects Versions: 3.0.0-milestone2
>            Reporter: Vjacheslav Borisov
>            Assignee: Andrei Shakirin
>            Priority: Minor
>
> I got an error when using WebClient with SSL using a client certificate:
> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> I found a way to fix this error:
>
> KeyStore keyStore = KeyStore.getInstance("JKS");
> String trustpass = "chageit";
> File truststore = new File("/home/slavb/.java/deployment/security/trusted.clientcerts");
> keyStore.load(new FileInputStream(truststore), trustpass.toCharArray());
> KeyStore ts = KeyStore.getInstance("JKS");
> truststore = new File("/etc/ssl/certs/trusted.cacerts");
> ts.load(new FileInputStream(truststore), "".toCharArray());
> Client client = ClientBuilder.newBuilder().keyStore(keyStore, trustpass).trustStore(ts).build();
>
> And I have a question: why does WebClient not work like the Java built-in URLConnection or the Apache HTTP client when I specify the system properties
> -Djavax.net.ssl.trustStore=/etc/ssl/certs/trusted.cacerts
> -Djavax.net.ssl.keyStore=/home/slavb/.java/deployment/security/trusted.clientcerts
> -Djavax.net.ssl.keyStorePassword=changeit
> (I got the error javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure when using the SSL web client)
> Why is it necessary to configure SSL in code?

--
This message was sent by Atlassian JIRA
(v6.2#6252)
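The asymmetry Andrei describes is worth seeing in code. With the SunJSSE provider, passing null KeyManagers to SSLContext.init() gives a key manager that holds no keys at all, so the client answers a CertificateRequest with an empty chain (the server's "null cert chain" alert), while passing null TrustManagers falls back to the default trust manager, which does read javax.net.ssl.trustStore. Only SSLContext.getDefault() honours javax.net.ssl.keyStore. The class below is an added example written for this page, not CXF's HttpsURLConnectionFactory and not the reporter's code: it shows the broken init(null, null, null) beside a builder that does what the proposed fix suggests, namely fill missing managers from the javax.net.ssl.* properties and, when nothing is configured at all, hand back the JDK default context instead of an empty one. The class and method names, and the optional URL argument, are this example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/** Example (not CXF code): an SSLContext that honours the javax.net.ssl.* JVM properties. */
public final class JvmPropertySslContext {

    /** The problematic variant from the ticket: no key manager, so no client certificate is ever sent. */
    static SSLContext withoutJvmProperties() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);  // ignores javax.net.ssl.keyStore -> "null cert chain" under client auth
        return ctx;
    }

    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type != null ? type : KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // password may be null: integrity check is then skipped
        }
        return ks;
    }

    static char[] password(String property) {
        String value = System.getProperty(property);
        return value == null ? null : value.toCharArray();
    }

    /** Returns null when javax.net.ssl.keyStore is unset, so the caller can decide how to fall back. */
    static KeyManager[] keyManagersFromJvmProperties() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            return null;
        }
        char[] pw = password("javax.net.ssl.keyStorePassword");
        KeyStore ks = loadKeyStore(path, System.getProperty("javax.net.ssl.keyStoreType"), pw);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);            // JSSE convention: keystore password doubles as the key password
        return kmf.getKeyManagers();
    }

    static TrustManager[] trustManagersFromJvmProperties() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) {
            return null;
        }
        KeyStore ts = loadKeyStore(path, System.getProperty("javax.net.ssl.trustStoreType"),
                                   password("javax.net.ssl.trustStorePassword"));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    /**
     * Explicitly supplied managers win; otherwise the JVM properties are consulted; if neither
     * side is configured, return the JDK default context rather than an empty one.
     */
    static SSLContext build(KeyManager[] kms, TrustManager[] tms) throws Exception {
        if (kms == null) {
            kms = keyManagersFromJvmProperties();
        }
        if (tms == null) {
            tms = trustManagersFromJvmProperties();
        }
        if (kms == null && tms == null) {
            return SSLContext.getDefault();   // the one context that reads javax.net.ssl.keyStore itself
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);             // a null tms here still falls back to the default trust store
        return ctx;
    }

    /** Usage: java -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=... JvmPropertySslContext https://host/ */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = build(null, null);
        System.out.println("key managers from JVM properties: "
                + (keyManagersFromJvmProperties() != null));
        if (args.length == 1) {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
            conn.setSSLSocketFactory(ctx.getSocketFactory());  // same hook CXF uses for its wrapped factory
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

To reproduce the ticket, point the program at a server that requires client authentication: swapping build(null, null) for withoutJvmProperties() produces the handshake_failure / null cert chain alert even with -Djavax.net.ssl.keyStore set, while build() completes the handshake. The null check before falling back to SSLContext.getDefault() is the part that matters for the proposed fix; a caller that still wants to wrap the socket factory for cipher-suite control can do so on either context.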