Here is what I get from not-yet-commons with the following command line -t host.domain.com:443 -km keystore.pkcs12 -p password
I've changed anything specific about the server host.

Cipher: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

================================================================================
Writing:
================================================================================
HEAD / HTTP/1.1
Host: host.domain.com

Reading:
================================================================================
HTTP/1.1 200 OK
Date: Fri, 09 Mar 2007 22:03:10 GMT
Server: Apache
Content-Type: text/html

Server Certificate Chain for: [host.domain.com:443]
================================================================================
host.domain.com
Valid: 2007/Jan/25 - 2020/Oct/03
s: [EMAIL PROTECTED], CN=host.domain.com, OU=Blah, O="Blah, Inc.", L=Blah, ST=Blah, C=US
i: [EMAIL PROTECTED], CN=Blah, OU=Blah, O=Blah, L=Blah, ST=Blah, C=US

Blah Certificate Authority
Valid: 2006/Dec/20 - 2034/May/07
s: [EMAIL PROTECTED], CN=Blah, OU=Blah, O=Blah, L=Blah, ST=Blah, C=US
i: self-signed

-----Original Message-----
From: Julius Davies [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 09, 2007 4:35 PM
To: [email protected]
Subject: Re: Outbound HTTPS with Client Certificate

Hi, Griffin, Asankha,

I don't know SSL at the "javax.net.debug=all" level! But it looks like a great trace you've got there...

If we could get the output of "java -jar not-yet-commons-ssl-0.3.7.jar", that might also help. It will definitely reveal anything obvious. So please provide output from that tool, especially any stacktraces, if you don't mind!

You can download it here:

http://juliusdavies.ca/commons-ssl/download.html

Or you can look for it inside SOAP-UI - they use not-yet-commons-ssl-0.3.4.jar.

If nothing interesting comes out of the "java -jar not-yet-commons-ssl-0.3.7.jar" output, I think we should get Oleg involved.

yours,

Julius

On 3/9/07, Michael Griffin <[EMAIL PROTECTED]> wrote:
> Unfortunately the endpoint is not mine. It is a commercial endpoint of an
> actual service I need to call. My hope is that I can use synapse to deal
> with all of the HTTPS stuff that my main application platform does not have
> to deal with it. Seems like a perfect fit for synapse :-)
>
> -----Original Message-----
> From: Asankha C. Perera [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 09, 2007 3:55 PM
> To: [email protected]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Outbound HTTPS with Client Certificate
>
>
> Hi Griffin
>
> Hmmm.. this seems interesting and I am copying this to Julius for his
> expert views on what seems to be going wrong here. Is your endpoint a
> test endpoint accessible over the Internet? If so maybe I could give it
> a try?
>
> asankha
>
> Michael Griffin wrote:
> > asankha,
> >
> > I did some more analysis with the javax.net.debug=all turned on. Basically
> > I have found that between the two clients SOAPUI and Synapse there is a
> > difference during the ClientKeyExchange step. The difference is as
> > follows:
> >
> > For the SOAPUI test client (this one works)
> > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
> > Random Secret: { .... }
> > [write] MD5 and SHA1 hashes: len = 134
> > pool-1-thread-1, WRITE: TLSv1 Handshake, length = 134
> > A1 [Raw write]: length = 139
> > SESSION KEYGEN:
> > PreMaster Secret:
> > CONNECTION KEYGEN:
> > Client Nonce:
> > Server Nonce:
> > Master Secret:
> > Client MAC write Secret:
> > Server MAC write Secret:
> > Client write key:
> > Server write key:
> > ... no IV for cipher
> > pool-1-thread-1, WRITE: TLSv1 Change Cipher Spec, length = 1
> > B1 [Raw write]: length = 6
> > *** Finished
> > verify_data: { 107, 203, 92, 131, 85, 121, 87, 171, 96, 206, 238, 30 }
> > ***
> > [write] MD5 and SHA1 hashes: len = 16
> > Padded plaintext before ENCRYPTION: len = 32
> > pool-1-thread-1, WRITE: TLSv1 Handshake, length = 32
> > A2
> > B2
> > [Raw write]: length = 37
> > [Raw read]: length = 5
> > [Raw read]: length = 1
> > pool-1-thread-1, READ: TLSv1 Change Cipher Spec, length = 1
> > [Raw read]: length = 5
> > [Raw read]: length = 32
> > pool-1-thread-1, READ: TLSv1 Handshake, length = 32
> > Padded plaintext after DECRYPTION: len = 32
> > *** Finished
> > verify_data: { 40, 93, 34, 17, 33, 112, 112, 78, 161, 7, 217, 136 }
> > ***
> > %% Didn't cache non-resumable client session: [Session-1,
> > SSL_RSA_WITH_RC4_128_MD5]
> >
> > For Synapse the A1 and B1 are in a different place
> >
> > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
> > Random Secret: { .... }
> > [write] MD5 and SHA1 hashes: len = 134
> > I/O reactor worker thread, WRITE: TLSv1 Handshake, length = 134
> > A1
> > SESSION KEYGEN:
> > PreMaster Secret:
> > CONNECTION KEYGEN:
> > Client Nonce:
> > Server Nonce:
> > Master Secret:
> > Client MAC write Secret:
> > Server MAC write Secret:
> > Client write key:
> > Server write key:
> > ... no IV for cipher
> > I/O reactor worker thread, WRITE: TLSv1 Change Cipher Spec, length = 1
> > B1
> > *** Finished
> > verify_data: { 61, 90, 82, 31, 54, 31, 45, 19, 5, 78, 129, 203 }
> > ***
> > [write] MD5 and SHA1 hashes: len = 16
> > Padded plaintext before ENCRYPTION: len = 32
> > I/O reactor worker thread, WRITE: TLSv1 Handshake, length = 32
> > A2 [Raw write]: length = 139
> > B2 [Raw write]: length = 6
> > [Raw write]: length = 37
> > [Raw read]: length = 5
> > [Raw read]: length = 1
> > I/O reactor worker thread, READ: TLSv1 Change Cipher Spec, length = 1
> > [Raw read]: length = 5
> > [Raw read]: length = 32
> > I/O reactor worker thread, READ: TLSv1 Handshake, length = 32
> > Padded plaintext after DECRYPTION: len = 32
> > *** Finished
> > verify_data: { 128, 51, 223, 64, 166, 195, 190, 199, 81, 87, 82, 197 }
> > ***
> > %% Didn't cache non-resumable client session: [Session-1,
> > SSL_RSA_WITH_RC4_128_MD5]
> >
> > The two 6 byte writes contain the same data, the 139 byte writes are
> > different.
> >
> > In both cases, I am using the same keystore and truststore and the same
> > javax.net.debug setting. Both run on the same server and use the same VM
> > instance. I don't know enough about SSL to provide any additional insight
> > into what I think the problem is.
> >
> > regards,
> > griffin
> >
> >
>

-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
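To pin down what the two javax.net.debug traces quoted in this thread actually disagree on, here is an added Python example (not code from the thread, from Synapse, or from not-yet-commons-ssl) that parses the WRITE and [Raw write] lines of both clients and reports whether the TLS record sequence and the raw write sizes match, isolating the interleaving as the only structural difference. The trace strings are a constructed condensation of the lines quoted above; only the record and raw-write lines are kept.

```python
import re

# Condensed javax.net.debug=all excerpts for the two clients, constructed here from
# the WRITE and [Raw write] lines quoted in the thread above.
SOAPUI_TRACE = """\
pool-1-thread-1, WRITE: TLSv1 Handshake, length = 134
[Raw write]: length = 139
pool-1-thread-1, WRITE: TLSv1 Change Cipher Spec, length = 1
[Raw write]: length = 6
pool-1-thread-1, WRITE: TLSv1 Handshake, length = 32
[Raw write]: length = 37
"""
SYNAPSE_TRACE = """\
I/O reactor worker thread, WRITE: TLSv1 Handshake, length = 134
I/O reactor worker thread, WRITE: TLSv1 Change Cipher Spec, length = 1
I/O reactor worker thread, WRITE: TLSv1 Handshake, length = 32
[Raw write]: length = 139
[Raw write]: length = 6
[Raw write]: length = 37
"""
RECORD_RE = re.compile(r", (WRITE|READ): (TLSv1 [A-Za-z ]+), length = (\d+)")
RAW_RE = re.compile(r"\[Raw (write|read)\]: length = (\d+)")
TLS_RECORD_HEADER = 5  # content type (1) + version (2) + length (2)

def parse_events(trace):
    """Ordered (kind, record_type, length) events; kind is WRITE, READ, raw_write or raw_read."""
    events = []
    for line in trace.splitlines():
        if m := RECORD_RE.search(line):
            events.append((m.group(1), m.group(2), int(m.group(3))))
        elif m := RAW_RE.search(line):
            events.append(("raw_" + m.group(1), "", int(m.group(2))))
    return events

def raw_writes_match_records(events):
    """True when each [Raw write], in order, is one WRITE record plus the 5-byte record header."""
    records = [e[2] for e in events if e[0] == "WRITE"]
    raws = [e[2] for e in events if e[0] == "raw_write"]
    return len(records) == len(raws) and all(r == w + TLS_RECORD_HEADER for w, r in zip(records, raws))

def compare(trace_a, trace_b):
    """Report whether two traces differ in what was sent or only in when the socket was written."""
    a, b = parse_events(trace_a), parse_events(trace_b)
    records = lambda ev: [e for e in ev if e[0] in ("WRITE", "READ")]
    raws = lambda ev: [e[2] for e in ev if e[0] == "raw_write"]
    return {
        "same_record_sequence": records(a) == records(b),
        "same_raw_write_sizes": raws(a) == raws(b),
        "same_interleaving": a == b,
    }
```

Each 139/6/37-byte raw write is exactly one TLS record plus its 5-byte header, so the 139-byte write is the ClientKeyExchange record; with an RSA key exchange that record carries a freshly generated, randomly padded PreMasterSecret, so its bytes differ between any two connections whichever client sends them.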
