Hi, Griffin, Asankha, I don't know SSL at the "javax.net.debug=all" level! But it looks like a great trace you've got there...
If we could get the output of "java -jar not-yet-commons-ssl-0.3.7.jar", that might also help. It will definitely reveal anything obvious. So please provide output from that tool, especially any stacktraces, if you don't mind! You can download it here: http://juliusdavies.ca/commons-ssl/download.html Or you can look for it inside SOAP-UI - they use not-yet-commons-ssl-0.3.4.jar. If nothing interesting comes out of the "java -jar not-yet-commons-ssl-0.3.7.jar" output, I think we should get Oleg involved. yours, Julius On 3/9/07, Michael Griffin <[EMAIL PROTECTED]> wrote:
Unfortuneatly the endpoint is not mine. It is a commercial endpoint of an actual service I need to call. My hope is that I can use synapse to deal with all of the HTTPS stuff that my main application platform does not have to deal with it. Seems like a perfect fit for synapse :-) -----Original Message----- From: Asankha C. Perera [mailto:[EMAIL PROTECTED] Sent: Friday, March 09, 2007 3:55 PM To: [email protected] Cc: [EMAIL PROTECTED] Subject: Re: Outbound HTTPS with Client Certificate Hi Griffin Hmmm.. this seems interesting and I am copying this to Julius for his expert views on what seems to be going wrong here. Is your endpoint a test endpoint accessible over the Internet? If so maybe I could give it a try? asankha Michael Griffin wrote: > asankha, > > I did some more analysis with the javax.net.debug=all turned on. Basically > I have found that betwen the two clients SOAPUI and Synapse there is a > difference during the ClientKeyExchange step. The difference is as follows: > > For the SOAPUI test client (this one works) > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1 > Random Secret: { .... } > [write] MD5 and SHA1 hashes: len = 134 > pool-1-thread-1, WRITE: TLSv1 Handshake, length = 134 > A1 [Raw write]: length = 139 > SESSION KEYGEN: > PreMaster Secret: > CONNECTION KEYGEN: > Client Nonce: > Server Nonce: > Master Secret: > Client MAC write Secret: > Server MAC write Secret: > Client write key: > Server write key: > ... no IV for cipher > pool-1-thread-1, WRITE: TLSv1 Change Cipher Spec, length = 1 > B1 [Raw write]: length = 6 > *** Finished > verify_data: { 107, 203, 92, 131, 85, 121, 87, 171, 96, 206, 238, 30 } > *** > [write] MD5 and SHA1 hashes: len = 16 > Padded plaintext before ENCRYPTION: len = 32 > pool-1-thread-1, WRITE: TLSv1 Handshake, length = 32 > A2 > B2 > [Raw write]: length = 37 > [Raw read]: length = 5 > [Raw read]: length = 1 > pool-1-thread-1, READ: TLSv1 Change Cipher Spec, length = 1 > [Raw read]: length = 5 > [Raw read]: length = 32 > pool-1-thread-1, READ: TLSv1 Handshake, length = 32 > Padded plaintext after DECRYPTION: len = 32 > *** Finished > verify_data: { 40, 93, 34, 17, 33, 112, 112, 78, 161, 7, 217, 136 } > *** > %% Didn't cache non-resumable client session: [Session-1, > SSL_RSA_WITH_RC4_128_MD5] > > For Synapse the A1 and B1 are in a different place > > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1 > Random Secret: { .... } > [write] MD5 and SHA1 hashes: len = 134 > I/O reactor worker thread, WRITE: TLSv1 Handshake, length = 134 > A1 > SESSION KEYGEN: > PreMaster Secret: > CONNECTION KEYGEN: > Client Nonce: > Server Nonce: > Master Secret: > Client MAC write Secret: > Server MAC write Secret: > Client write key: > Server write key: > ... no IV for cipher > I/O reactor worker thread, WRITE: TLSv1 Change Cipher Spec, length = 1 > B1 > *** Finished > verify_data: { 61, 90, 82, 31, 54, 31, 45, 19, 5, 78, 129, 203 } > *** > [write] MD5 and SHA1 hashes: len = 16 > Padded plaintext before ENCRYPTION: len = 32 > I/O reactor worker thread, WRITE: TLSv1 Handshake, length = 32 > A2 [Raw write]: length = 139 > B2 [Raw write]: length = 6 > [Raw write]: length = 37 > [Raw read]: length = 5 > [Raw read]: length = 1 > I/O reactor worker thread, READ: TLSv1 Change Cipher Spec, length = 1 > [Raw read]: length = 5 > [Raw read]: length = 32 > I/O reactor worker thread, READ: TLSv1 Handshake, length = 32 > Padded plaintext after DECRYPTION: len = 32 > *** Finished > verify_data: { 128, 51, 223, 64, 166, 195, 190, 199, 81, 87, 82, 197 } > *** > %% Didn't cache non-resumable client session: [Session-1, > SSL_RSA_WITH_RC4_128_MD5] > > The two 6 byte writes contain the same data, the 139 byte writes are > different. > > In both cases, I am using the same to keystore and trustore and the same > javax.net.debug setting. Both run on the same server and use the same VM > instance. I don't know enough about SSL to provide any additional insight > into what I think the problem is. > > regards, > griffin > >
-- yours, Julius Davies 416-652-0183 http://juliusdavies.ca/ --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
