I've reconfigured synapse (latest build) to use the original (from 0.91
configuration) senders as follows
<transportSender name="http"
    class="org.apache.axis2.transport.http.CommonsHTTPTransportSender"/>
<transportSender name="https"
    class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
    <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
    <parameter name="Transfer-Encoding" locked="false">chunked</parameter>
</transportSender>
And used the system properties via synapse.bat to point to my keystore and
loaded my target's cert into default truststore. At this point the trace of
the ClientKeyExchange step plays out as it did with SOAP-UI. I am now able
to get a SOAP message to the target and receive a response in Synapse.
All is not well though. I'm getting a NullPointerException while Synapse
processes the response and thus my client doesn't get a response:
[HttpServerWorker-1] ERROR Axis2Sender - Unexpected error during Sending message onwards
java.lang.NullPointerException
    at org.apache.synapse.FaultHandler.handleFault(FaultHandler.java:54)
    at org.apache.synapse.core.axis2.SynapseCallbackReceiver.handleMessage(SynapseCallbackReceiver.java:82)
    at org.apache.synapse.core.axis2.SynapseCallbackReceiver.receive(SynapseCallbackReceiver.java:55)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:497)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:236)
    at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.execute(DynamicAxisOperation.java:176)
    at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:172)
    at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:46)
    at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:107)
    at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:143)
    at org.apache.synapse.endpoints.IndirectEndpoint.send(IndirectEndpoint.java:36)
    at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:129)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:497)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:328)
    at org.apache.axis2.transport.nhttp.ServerWorker.processPost(ServerWorker.java:189)
    at org.apache.axis2.transport.nhttp.ServerWorker.run(ServerWorker.java:161)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
    at java.lang.Thread.run(Thread.java:595)
[HttpServerWorker-1] DEBUG MediatorFaultHandler - MediatorFaultHandler :: handleFault
[HttpServerWorker-1] DEBUG SequenceMediator - Sequence mediator <fault> :: mediate()
[HttpServerWorker-1] DEBUG AbstractListMediator - Implicit Sequence <SequenceMediator> :: mediate()
[HttpServerWorker-1] DEBUG LogMediator - Log mediator :: mediate()
My synapse configuration is as follows:
<definitions xmlns="http://ws.apache.org/ns/synapse">
    <localEntry key="MYAPI.wsdl"
        src="file:repository/conf/sample/resources/proxy/MYAPI.wsdl"/>
    <endpoint name="MYAPI-1.0">
        <address uri="https://host.mydomain.com/1.0/MYAPI" format="soap12"/>
    </endpoint>
    <proxy name="MYAPI" transports="http">
        <inSequence>
            <log level="full"/>
            <send/>
        </inSequence>
        <outSequence>
            <log level="full"/>
            <send/>
        </outSequence>
        <faultSequence>
            <log level="full"/>
            <send/>
        </faultSequence>
        <target>
            <endpoint key="MYAPI-1.0"/>
        </target>
        <publishWSDL key="MYAPI.wsdl"/>
    </proxy>
    <!-- Log all messages passing through -->
    <log level="none"/>
    <!-- Send the messages where they have been sent (i.e. implicit "To" EPR) -->
    <send/>
</definitions>
Any guidance on how I might correct this would be great. Also, is the plan
to continue to support the non-NIO senders and receivers or to drop them from
the offering? Let me know.
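
Added example, not part of the original message or of Synapse: a small JSSE probe that performs the check discussed in this thread, loading a PKCS12 client keystore, completing the handshake against the JVM default truststore, and reporting whether a client certificate was actually sent. The class name ClientCertProbe and the argument order are assumptions; host, port, keystore file and password are placeholders supplied on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

// Added example (hypothetical class name): handshake probe with a PKCS12 client certificate.
// Run: java ClientCertProbe.java host.domain.com 443 keystore.pkcs12 password
public class ClientCertProbe {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) throw new IllegalArgumentException("usage: <host> <port> <pkcs12-file> <password>");
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] password = args[3].toCharArray();

        // Client identity: private key and certificate chain from the PKCS12 file.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[2])) {
            identity.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);

        // Null trust managers select the JVM default truststore (where the target's cert was loaded).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the hostname, as an HTTPS client would
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws SSLHandshakeException if trust or client auth fails
            SSLSession session = socket.getSession();
            System.out.println("Protocol: " + session.getProtocol());
            System.out.println("Cipher:   " + session.getCipherSuite());
            for (Certificate c : session.getPeerCertificates()) {
                System.out.println("Server:   " + ((X509Certificate) c).getSubjectX500Principal());
            }
            // getLocalCertificates() returns null when no client certificate was sent.
            Certificate[] sent = session.getLocalCertificates();
            System.out.println(sent == null ? "Client:   no certificate sent"
                    : "Client:   " + ((X509Certificate) sent[0]).getSubjectX500Principal());
        }
    }
}
```

A "no certificate sent" result with a successful handshake means the server did not request client authentication or no key in the keystore matched the issuers it accepts; adding -Djavax.net.debug=ssl,handshake shows the CertificateRequest message either way.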
-----Original Message-----
From: Michael Griffin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 13, 2007 2:51 PM
To: [email protected]
Subject: RE: Outbound HTTPS with Client Certificate
I've reconfigured synapse (latest build) to use the original (from 0.91
configuration) senders as follows
-----Original Message-----
From: Michael Griffin [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 5:09 PM
To: [email protected]
Subject: RE: Outbound HTTPS with Client Certificate
Here is what I get from not-yet-commons with the following command line
-t host.domain.com:443 -km keystore.pkcs12 -p password
I've changed anything specific about the server host.
Cipher: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
================================================================================
Writing:
================================================================================
HEAD / HTTP/1.1
Host: host.domain.com
Reading:
================================================================================
HTTP/1.1 200 OK
Date: Fri, 09 Mar 2007 22:03:10 GMT
Server: Apache
Content-Type: text/html
Server Certificate Chain for: [host.domain.com:443]
================================================================================
host.domain.com
Valid: 2007/Jan/25 - 2020/Oct/03
s: [EMAIL PROTECTED], CN=host.domain.com, OU=Blah, O="Blah, Inc.", L=Blah, ST=Blah, C=US
i: [EMAIL PROTECTED], CN=Blah, OU=Blah, O=Blah, L=Blah, ST=Blah, C=US
Blah Certificate Authority
Valid: 2006/Dec/20 - 2034/May/07
s: [EMAIL PROTECTED], CN=Blah, OU=Blah, O=Blah, L=Blah, ST=Blah, C=US
i: self-signed
-----Original Message-----
From: Julius Davies [mailto:[EMAIL PROTECTED]
Sent: Friday, March 09, 2007 4:35 PM
To: [email protected]
Subject: Re: Outbound HTTPS with Client Certificate
Hi, Griffin, Asankha,
I don't know SSL at the "javax.net.debug=all" level! But it looks
like a great trace you've got there...
If we could get the output of "java -jar
not-yet-commons-ssl-0.3.7.jar", that might also help. It will
definitely reveal anything obvious. So please provide output from
that tool, especially any stacktraces, if you don't mind! You can
download it here:
http://juliusdavies.ca/commons-ssl/download.html
Or you can look for it inside SOAP-UI - they use
not-yet-commons-ssl-0.3.4.jar.
If nothing interesting comes out of the "java -jar
not-yet-commons-ssl-0.3.7.jar" output, I think we should get Oleg
involved.
yours,
Julius
On 3/9/07, Michael Griffin <[EMAIL PROTECTED]> wrote:
> Unfortunately the endpoint is not mine. It is a commercial endpoint of an
> actual service I need to call. My hope is that I can use synapse to deal
> with all of the HTTPS stuff that my main application platform does not have
> to deal with it. Seems like a perfect fit for synapse :-)
>
> -----Original Message-----
> From: Asankha C. Perera [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 09, 2007 3:55 PM
> To: [email protected]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Outbound HTTPS with Client Certificate
>
>
> Hi Griffin
>
> Hmmm.. this seems interesting and I am copying this to Julius for his
> expert views on what seems to be going wrong here. Is your endpoint a
> test endpoint accessible over the Internet? If so maybe I could give it
> a try?
>
> asankha
>
> Michael Griffin wrote:
> > asankha,
> >
> > I did some more analysis with the javax.net.debug=all turned on. Basically
> > I have found that between the two clients SOAPUI and Synapse there is a
> > difference during the ClientKeyExchange step. The difference is as follows:
> >
> > For the SOAPUI test client (this one works)
> > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
> > Random Secret: { .... }
> > [write] MD5 and SHA1 hashes: len = 134
> > pool-1-thread-1, WRITE: TLSv1 Handshake, length = 134
> > A1 [Raw write]: length = 139
> > SESSION KEYGEN:
> > PreMaster Secret:
> > CONNECTION KEYGEN:
> > Client Nonce:
> > Server Nonce:
> > Master Secret:
> > Client MAC write Secret:
> > Server MAC write Secret:
> > Client write key:
> > Server write key:
> > ... no IV for cipher
> > pool-1-thread-1, WRITE: TLSv1 Change Cipher Spec, length = 1
> > B1 [Raw write]: length = 6
> > *** Finished
> > verify_data: { 107, 203, 92, 131, 85, 121, 87, 171, 96, 206, 238, 30 }
> > ***
> > [write] MD5 and SHA1 hashes: len = 16
> > Padded plaintext before ENCRYPTION: len = 32
> > pool-1-thread-1, WRITE: TLSv1 Handshake, length = 32
> > A2
> > B2
> > [Raw write]: length = 37
> > [Raw read]: length = 5
> > [Raw read]: length = 1
> > pool-1-thread-1, READ: TLSv1 Change Cipher Spec, length = 1
> > [Raw read]: length = 5
> > [Raw read]: length = 32
> > pool-1-thread-1, READ: TLSv1 Handshake, length = 32
> > Padded plaintext after DECRYPTION: len = 32
> > *** Finished
> > verify_data: { 40, 93, 34, 17, 33, 112, 112, 78, 161, 7, 217, 136 }
> > ***
> > %% Didn't cache non-resumable client session: [Session-1,
> > SSL_RSA_WITH_RC4_128_MD5]
> >
> > For Synapse the A1 and B1 are in a different place
> >
> > *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
> > Random Secret: { .... }
> > [write] MD5 and SHA1 hashes: len = 134
> > I/O reactor worker thread, WRITE: TLSv1 Handshake, length = 134
> > A1
> > SESSION KEYGEN:
> > PreMaster Secret:
> > CONNECTION KEYGEN:
> > Client Nonce:
> > Server Nonce:
> > Master Secret:
> > Client MAC write Secret:
> > Server MAC write Secret:
> > Client write key:
> > Server write key:
> > ... no IV for cipher
> > I/O reactor worker thread, WRITE: TLSv1 Change Cipher Spec, length = 1
> > B1
> > *** Finished
> > verify_data: { 61, 90, 82, 31, 54, 31, 45, 19, 5, 78, 129, 203 }
> > ***
> > [write] MD5 and SHA1 hashes: len = 16
> > Padded plaintext before ENCRYPTION: len = 32
> > I/O reactor worker thread, WRITE: TLSv1 Handshake, length = 32
> > A2 [Raw write]: length = 139
> > B2 [Raw write]: length = 6
> > [Raw write]: length = 37
> > [Raw read]: length = 5
> > [Raw read]: length = 1
> > I/O reactor worker thread, READ: TLSv1 Change Cipher Spec, length = 1
> > [Raw read]: length = 5
> > [Raw read]: length = 32
> > I/O reactor worker thread, READ: TLSv1 Handshake, length = 32
> > Padded plaintext after DECRYPTION: len = 32
> > *** Finished
> > verify_data: { 128, 51, 223, 64, 166, 195, 190, 199, 81, 87, 82, 197 }
> > ***
> > %% Didn't cache non-resumable client session: [Session-1,
> > SSL_RSA_WITH_RC4_128_MD5]
> >
> > The two 6 byte writes contain the same data, the 139 byte writes are
> > different.
> >
> > In both cases, I am using the same keystore and truststore and the same
> > javax.net.debug setting. Both run on the same server and use the same VM
> > instance. I don't know enough about SSL to provide any additional insight
> > into what I think the problem is.
> >
> > regards,
> > griffin
> >
> >
--
yours,
Julius Davies
416-652-0183
http://juliusdavies.ca/
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]