Re: service over https

2007-12-17 Thread Alex Shneyderman
Thanks, Fred!

Your openssl trick worked a treat. I imported the certificate into the key
store and can process transactions now. I guess now I must not forget to
do the same for production :-)

Thanks,
Alex.

On Dec 16, 2007 10:08 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:
>
> You don't necessarily need to use keytool.  You can now use a plain
> PEM file, containing the CA's X.509 certificate:
>
> {{{
>  .*
>  .*_DH_anon_.*
> }}}
>
> You'll need to get a hold of this certificate, if you don't already
> have it.  Here is the information about the peer you can get through
> openssl:
>
> 15:57:32 spock:~> openssl s_client -host api-aa.sandbox.paypal.com -port 443
> CONNECTED(0004)
> depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
>    i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
>  1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>  2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIEfzCCA+igAwIBAgIQLSP23WPvaFBTi2w3DtahojANBgkqhkiG9w0BAQUFADCB
> ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
> aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
> dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
> SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
> NjAzMDcwMDAwMDBaFw0wODAzMDYyMzU5NTlaMIHDMQswCQYDVQQGEwJVUzETMBEG
> A1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxQIU2FuIEpvc2UxFTATBgNVBAoUDFBh
> eXBhbCwgSW5jLjEcMBoGA1UECxQTSW5mb3JtYXRpb24gU3lzdGVtczEzMDEGA1UE
> CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMSIw
> IAYDVQQDFBlhcGktYWEuc2FuZGJveC5wYXlwYWwuY29tMIGfMA0GCSqGSIb3DQEB
> AQUAA4GNADCBiQKBgQDGgeP8JtZJp8/pP4xkPFWkK+ZGskDW2S8NFbk+zoGOnNN5
> vFwvrd2AqtU7bBqgVUfjqjGoUY03f/taNpdjfGcjWIPgjQzr9DUOF6dvh+/DBpCz
> 75lecSiyrVi70VqbxnrDFoBisbErMsJul5gzKiLwAzdLCja2sNcRFZmg06qHNwID
> AQABo4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7
> oDmgN4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25h
> bFNlcnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
> BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCG
> SAGG+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggr
> BgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEw
> X6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PP
> gGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lm
> MA0GCSqGSIb3DQEBBQUAA4GBAApy0YfJ6u2U+dtaRIAqnwqdYeeYk85C3AAWTYjn
> t6meV1fjVNCkA1uHNW12qoTgpaposI/B/TEzi4oVzV7icki7jqpx+KdFOukoMn8D
> dVbGOCZ+wh867qkrgypiSESxTbnCPLKXxk5iHyVH07Aid9NEFcicwvflay5bZVee
> fOE4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
> issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> ---
> Acceptable client certificate CA names
> /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerchapi/[EMAIL PROTECTED]
> ---
> SSL handshake has read 3379 bytes and written 334 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>  Protocol  : TLSv1
>  Cipher    : DHE-RSA-AES256-SHA
>  Session-ID: 85E1D239A982C834730D359EBD5D009F1D64705CD2F44192E6081CF7A55CA88F
>  Session-ID-ctx:
>  Master-Key: C7C10F6A3503C174C2B276FBE109F6C249B4C2B252BA45AFAFA157EB920B10DEB80BD9B12971A54CA42805A4940785D0
>  Key-Arg   : None
>  Start Time: 1197838663
>  Timeout   : 300 (sec)
>  Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> So it looks like you'll need one of those 2 verisign certs.
>
> -Fred
>
>
> On Dec 16, 2007, at 3:53 PM, Alex Shneyderman wrote:
>
> > Hi, Fred!
> >
> > On Dec 16, 2007 8:49 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:
> >>
> >> You need to specify a trust store containing the appropriate
> >> certificate authority to be used when performing the hands

Re: service over https

2007-12-16 Thread Fred Dushin


You don't necessarily need to use keytool.  You can now use a plain
PEM file, containing the CA's X.509 certificate:


{{{
 .*
 .*_DH_anon_.*
}}}

You'll need to get a hold of this certificate, if you don't already
have it.  Here is the information about the peer you can get through
openssl:


15:57:32 spock:~> openssl s_client -host api-aa.sandbox.paypal.com -port 443
CONNECTED(0004)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEfzCCA+igAwIBAgIQLSP23WPvaFBTi2w3DtahojANBgkqhkiG9w0BAQUFADCB
ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
NjAzMDcwMDAwMDBaFw0wODAzMDYyMzU5NTlaMIHDMQswCQYDVQQGEwJVUzETMBEG
A1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxQIU2FuIEpvc2UxFTATBgNVBAoUDFBh
eXBhbCwgSW5jLjEcMBoGA1UECxQTSW5mb3JtYXRpb24gU3lzdGVtczEzMDEGA1UE
CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMSIw
IAYDVQQDFBlhcGktYWEuc2FuZGJveC5wYXlwYWwuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDGgeP8JtZJp8/pP4xkPFWkK+ZGskDW2S8NFbk+zoGOnNN5
vFwvrd2AqtU7bBqgVUfjqjGoUY03f/taNpdjfGcjWIPgjQzr9DUOF6dvh+/DBpCz
75lecSiyrVi70VqbxnrDFoBisbErMsJul5gzKiLwAzdLCja2sNcRFZmg06qHNwID
AQABo4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7
oDmgN4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25h
bFNlcnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCG
SAGG+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEw
X6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PP
gGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lm
MA0GCSqGSIb3DQEBBQUAA4GBAApy0YfJ6u2U+dtaRIAqnwqdYeeYk85C3AAWTYjn
t6meV1fjVNCkA1uHNW12qoTgpaposI/B/TEzi4oVzV7icki7jqpx+KdFOukoMn8D
dVbGOCZ+wh867qkrgypiSESxTbnCPLKXxk5iHyVH07Aid9NEFcicwvflay5bZVee
fOE4
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
Acceptable client certificate CA names
/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=sandbox_certs/CN=sandbox_camerchapi/[EMAIL PROTECTED]
---
SSL handshake has read 3379 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 85E1D239A982C834730D359EBD5D009F1D64705CD2F44192E6081CF7A55CA88F
    Session-ID-ctx:
    Master-Key: C7C10F6A3503C174C2B276FBE109F6C249B4C2B252BA45AFAFA157EB920B10DEB80BD9B12971A54CA42805A4940785D0
    Key-Arg   : None
    Start Time: 1197838663
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

So it looks like you'll need one of those 2 verisign certs.

-Fred

On Dec 16, 2007, at 3:53 PM, Alex Shneyderman wrote:


Hi, Fred!

On Dec 16, 2007 8:49 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:


You need to specify a trust store containing the appropriate
certificate authority to be used when performing the handshake with
the paypal service.


Could you explain this step in a bit more detail? I guess I have to use
something like keytool, but I am not sure what "appropriate certificate
authority" means. Where do I get it, and how do I deal with it? I have tried
to search PayPal's docs, but nothing of relevance turned up.

Thanks,
Alex.
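How to read the s_client output in Fred's message when deciding which certificate goes into the trust store, as an added Python example (not code from the thread, from Apache CXF or from openssl): it parses the "Certificate chain" section, checks that each certificate's issuer is the subject of the next one up, identifies the self-signed root by subject == issuer, and explains what verify return code 19 means. The sample text is constructed from the chain openssl printed above, with the PEM body cut down to one line because only the BEGIN/END markers are inspected; the function names are mine.

```python
"""Parse `openssl s_client` output and pick the certificate to trust.

Added example for this thread; not code from Apache CXF or from Fred's post.
SAMPLE is constructed from the chain openssl printed in the thread (DNs
copied, PEM body truncated to one line since only the markers are used).
"""
import re

SAMPLE = """\
CONNECTED(0004)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Paypal, Inc./OU=Information Systems/OU=Terms of use at www.verisign.com/rpa (c)00/CN=api-aa.sandbox.paypal.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEfzCCA+igAwIBAgIQLSP23WPvaFBTi2w3DtahojANBgkqhkiG9w0BAQUFADCB
-----END CERTIFICATE-----
---
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")      # " 0 s:/C=US/..." lines
ISSUER = re.compile(r"^\s*i:(.*)$")           # "   i:/O=..." lines
VERIFY = re.compile(r"Verify return code: (\d+) \((.*)\)")


def parse_chain(text):
    """Return the 'Certificate chain' section as dicts, leaf (depth 0) first."""
    chain, in_chain = [], False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break
        elif in_chain:
            m = ENTRY.match(line)
            if m:
                chain.append({"depth": int(m.group(1)),
                              "subject": m.group(2).strip(), "issuer": None})
                continue
            m = ISSUER.match(line)
            if m and chain:
                chain[-1]["issuer"] = m.group(1).strip()
    return chain


def chain_links(chain):
    """True if every certificate's issuer is the subject of the next one up."""
    return all(chain[k]["issuer"] == chain[k + 1]["subject"]
               for k in range(len(chain) - 1))


def is_self_signed(entry):
    """A self-signed certificate names itself as issuer (subject == issuer)."""
    return entry["subject"] == entry["issuer"]


def verify_code(text):
    """(code, message) from the 'Verify return code' line, or None."""
    m = VERIFY.search(text)
    return (int(m.group(1)), m.group(2)) if m else None


def trust_anchor_candidates(chain):
    """Every CA certificate above the leaf can anchor this chain: the
    self-signed root is the durable choice, the intermediate the tighter one."""
    return [e for e in chain if e["depth"] > 0]


def server_cert_pem(text):
    """The PEM block printed under 'Server certificate' (the leaf only;
    s_client prints the CA certificates only with -showcerts)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----",
                  text, re.S)
    return m.group(0) if m else None


def explain(text):
    """Human-readable verdict: why verification failed and what could fix it."""
    chain = parse_chain(text)
    code = verify_code(text)
    lines = []
    if code and code[0] == 19:
        # Code 19: openssl walked up to a self-signed certificate that is not
        # in its trust store. The chain itself is fine; the client simply has
        # no anchor for it yet.
        lines.append("no trust anchor configured; chain is otherwise well formed"
                     if chain_links(chain) else
                     "chain does not link; check the server's configuration")
    for e in trust_anchor_candidates(chain):
        tag = "root (self-signed)" if is_self_signed(e) else "intermediate"
        lines.append(f"depth {e['depth']} {tag}: {e['subject']}")
    return lines


if __name__ == "__main__":
    print("\n".join(explain(SAMPLE)))
```

Two checks worth doing before the chosen certificate goes into the key store. First, a plain `openssl s_client` session is unauthenticated, so a chain collected this way should be compared against the CA's own published root before it becomes a trust anchor; otherwise anyone on the path could hand you a chain of their making. Second, once the PEM is in place, rerun `openssl s_client -connect api-aa.sandbox.paypal.com:443 -CAfile <that PEM>` and expect `Verify return code: 0 (ok)`; `-showcerts` prints the CA certificates themselves, which the plain command above does not.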





Re: service over https

2007-12-16 Thread Alex Shneyderman
Hi, Fred!

On Dec 16, 2007 8:49 PM, Fred Dushin <[EMAIL PROTECTED]> wrote:
>
> You need to specify a trust store containing the appropriate
> certificate authority to be used when performing the handshake with
> the paypal service.

Could you explain this step in a bit more detail? I guess I have to use
something like keytool, but I am not sure what "appropriate certificate
authority" means. Where do I get it, and how do I deal with it? I have tried
to search PayPal's docs, but nothing of relevance turned up.

Thanks,
Alex.


Re: service over https

2007-12-16 Thread Fred Dushin


You need to specify a trust store containing the appropriate
certificate authority to be used when performing the handshake with
the paypal service.

In the case where you are specifying a cxf.xml file, be sure to
include the right trustManagers stanza, as in

https://svn.apache.org/repos/asf/incubator/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/WibbleClient.cxf

In the case where you are not using a cxf.xml file, the conduit is
failing to initialize because it has not been configured to use SSL.


-Fred

On Dec 16, 2007, at 2:10 PM, Alex Shneyderman wrote:


I am new to web services and CXF, so forgive me if this is somehow
obvious for everyone.

I have been trying to figure out how to utilize PayPal's WS. Here is
their WSDL http://www.paypal.com/wsdl/PayPalSvc.wsdl (if anyone is
interested). At the end of the file there is a ports section that looks
like so:

https://api-aa.sandbox.paypal.com/2.0/"/>

The port named PayPalAPIAA talks over https. I have written some code to
process direct payments, and if I provide cxf.xml on my classpath with the
following content:



this is the error I get back:

Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
INFO: The cipher suites have not been configured, falling back to
cipher suite filters.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
INFO: The cipher suite filters have not been configured, falling back
to default filters.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersFromList
INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA,
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.http.HTTPConduit prepare
INFO: AutoRedirect is turned on.
Dec 16, 2007 7:18:31 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Received fatal alert: handshake_failure
	at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:75)
	at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:207)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:205)
...

If I do not provide cxf.xml I get an error stating:

Dec 16, 2007 8:01:42 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept

..

Caused by: java.io.IOException: Illegal Protocol https for HTTP
URLConnection Factory.
	at org.apache.cxf.transport.http.HttpURLConnectionFactoryImpl.createConnection(HttpURLConnectionFactoryImpl.java:44)
	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:474)
	at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
	... 12 more

Any ideas? BTW, if I simply connect to the URL I can connect and get
content fine, so default Java https connectivity works (I run Java 6).
Somehow CXF screws stuff up for me.

Any idea what I need to fix here?

--
Thanks,
Alex.





service over https

2007-12-16 Thread Alex Shneyderman
I am new to web services and CXF, so forgive me if this is somehow
obvious for everyone.

I have been trying to figure out how to utilize PayPal's WS. Here is
their WSDL http://www.paypal.com/wsdl/PayPalSvc.wsdl (if anyone is
interested). At the end of the file there is a ports section that looks
like so:

https://api-aa.sandbox.paypal.com/2.0/"/>

The port named PayPalAPIAA talks over https. I have written some code to
process direct payments, and if I provide cxf.xml on my classpath with the
following content:



this is the error I get back:

Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
INFO: The cipher suites have not been configured, falling back to
cipher suite filters.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersuites
INFO: The cipher suite filters have not been configured, falling back
to default filters.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.https.SSLUtils getCiphersFromList
INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA,
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
Dec 16, 2007 7:18:30 PM org.apache.cxf.transport.http.HTTPConduit prepare
INFO: AutoRedirect is turned on.
Dec 16, 2007 7:18:31 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Received fatal alert: handshake_failure
	at org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor.writeParts(AbstractOutDatabindingInterceptor.java:75)
	at org.apache.cxf.interceptor.BareOutInterceptor.handleMessage(BareOutInterceptor.java:68)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:207)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:205)
...

If I do not provide cxf.xml I get an error stating:

Dec 16, 2007 8:01:42 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept

..

Caused by: java.io.IOException: Illegal Protocol https for HTTP
URLConnection Factory.
	at org.apache.cxf.transport.http.HttpURLConnectionFactoryImpl.createConnection(HttpURLConnectionFactoryImpl.java:44)
	at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:474)
	at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
	... 12 more

Any ideas? BTW, if I simply connect to the URL I can connect and get
content fine, so default Java https connectivity works (I run Java 6).
Somehow CXF screws stuff up for me.

Any idea what I need to fix here?

-- 
Thanks,
Alex.
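What the cipher-suite filter in Fred's reply (include `.*`, exclude `.*_DH_anon_.*`) does to a list like the one CXF logged in this post, as an added Python example that is not Apache CXF's code. The include-then-exclude order and the whole-name regex match are my reading of the `include`/`exclude` patterns, not taken from CXF's source; the 18-suite list is copied from the log above, while the "supported" list is constructed in JSSE naming and is not any real JVM's output. Worth noticing about the logged list: every suite on it is single DES, export-grade, NULL, anonymous DH or Kerberos, none of them is the DHE-RSA-AES256-SHA that openssl negotiated in the later message, and a server-sent `handshake_failure` alert is exactly what a server returns when it accepts none of the suites the client offered.

```python
"""Regex include/exclude filtering of TLS cipher suites, CXF style.

Added example; not Apache CXF's code. The include-then-exclude semantics and
the whole-name match (like Java's String.matches) are assumptions about how
CXF applies its patterns. CXF_DEFAULT_SELECTION is copied from the log in
the thread; SUPPORTED_SAMPLE is a constructed list in JSSE naming.
"""
import re

# The suites CXF logged after "falling back to default filters" (from the thread).
CXF_DEFAULT_SELECTION = [
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_WITH_NULL_SHA", "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_KRB5_WITH_DES_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_MD5",
    "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
]

# Constructed: a handful of suite names a JSSE provider of that era could offer.
# openssl's DHE-RSA-AES256-SHA is TLS_DHE_RSA_WITH_AES_256_CBC_SHA in JSSE naming.
SUPPORTED_SAMPLE = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_KRB5_WITH_DES_CBC_SHA",
]

# The filter from Fred's reply: include everything, drop anonymous Diffie-Hellman.
THREAD_INCLUDE = (".*",)
THREAD_EXCLUDE = (".*_DH_anon_.*",)

# A stricter exclude list, each pattern paired with the property it removes.
WEAK = {
    r".*_DH_anon_.*": "anonymous DH: no server authentication",
    r".*_NULL_.*": "NULL cipher: no confidentiality",
    r".*_EXPORT_.*": "export-grade key length",
    r".*_DES_.*": "single DES",
    r".*_RC4_.*": "RC4",
    r".*_MD5": "MD5 MAC",
    r"TLS_KRB5_.*": "Kerberos suite: needs a service ticket, unusable against a public endpoint",
}
HARDENED_EXCLUDE = tuple(WEAK)


def filter_suites(supported, include=THREAD_INCLUDE, exclude=THREAD_EXCLUDE):
    """Keep suites matching some include pattern and no exclude pattern.
    Patterns must match the whole name (re.fullmatch)."""
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    return [s for s in supported
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]


def weaknesses(suite):
    """Reasons a suite is on the hardened exclude list (empty if it is not)."""
    return [why for pat, why in WEAK.items() if re.fullmatch(pat, suite)]


def can_negotiate(client_suites, server_choice):
    """A handshake needs at least one suite in common; the server picks it."""
    return server_choice in client_suites


if __name__ == "__main__":
    print("every logged default suite is weak:",
          all(weaknesses(s) for s in CXF_DEFAULT_SELECTION))
    print("thread filter  :", filter_suites(SUPPORTED_SAMPLE))
    print("hardened filter:", filter_suites(SUPPORTED_SAMPLE, exclude=HARDENED_EXCLUDE))
```

One caveat for the Java 6 runtime mentioned in the post: AES-256 suites such as TLS_DHE_RSA_WITH_AES_256_CBC_SHA are only available once the unlimited-strength JCE policy files are installed, so a correct filter can still leave the JVM unable to offer the suite openssl negotiated, and the AES-128 suites kept by the hardened filter are the ones to count on otherwise.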