Thanks for the reply, Roman!  I am not using a self-signed certificate.
For our deployment, we have our own (but valid) corporate CA, and all
clients and all servers are using PKCS12 certificates that have been signed
by our corporate certificate authority.  In the case where I am getting the
bad_certificate error, the server is also the client, because it is posting
(via the https4 component) to one of its own REST endpoints.  As I type, I
have started up my spring boot application with debugging enabled, and it
is a LOT of output during startup, but I'll comment if I notice anything
interesting.

On Mon, Oct 23, 2017 at 9:24 AM, Roman Vottner <r...@gmx.at> wrote:

> Are you attempting an SSL connection with a self-signed certificate? I
> guess the server endpoints are working fine via https if accessed via a
> browser?
>
> You should follow this guide
> (https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html),
> which suggests adding "-Djavax.net.debug=all" as a startup argument to your
> server startup in order to enable debug tracing for SSL connections. If you
> see something like "null cert chain" in the log on attempting to connect to
> the server and also something like "found key for : server chain [0] = [ ... ]"
> you should check what the server is expecting here. Probably the client
> keystore doesn't contain the cert the server is expecting (further reading:
> https://stackoverflow.com/questions/4421536/java-ssl-clientside-authentication-with-self-signed-certificates).
> As you provide the key- and truststore data via javax.net.ssl properties,
> keep in mind that these are only used if a default SSL context is used (as
> EJP mentioned in a comment) but not if one is constructed via getInstance().
>
> > On 23.10.2017 at 14:18, Steve973 [via Camel] <ml+s465427n5814765...@n5.nabble.com> wrote:
> >
> > Hello.  I asked a similar question on Friday, but I do not think that I
> > was specific enough about what I am intending to do.  I am using camel
> > 2.19.2, and I am currently attempting to use the http4 component.  In my
> > pom, I am including camel-spring-boot-starter, camel-http4, and camel-gson.
> >
> > I am writing a Spring Boot messaging service so that deployed services
> > can register to receive certain message types that other services would
> > publish.  Interested services would register for a message type with the
> > messaging service by providing a REST url that the message service can
> > use by posting the message to it.
> >
> > My route is currently configured as follows:
> >
> > from("vm:messageStart")
> >     .routeId("messageStart")
> >     .process(messageSubscriberListHeaderProcessor)
> >     .marshal().json(JsonLibrary.Gson)
> >     .recipientList(header("messageSubscriberList"))
> >     .delimiter(",")
> >     .parallelProcessing();
> >
> > The processor gets a list of REST URLs from a repository that has that
> > information:
> >
> > @Override
> > public void process(Exchange exchange) throws Exception {
> >     Message in = exchange.getIn();
> >     MyMessage message = in.getBody(MyMessage.class);
> >     MessageType messageType = message.getMessageType();
> >     // Rewrite each subscriber URL to the http4/https4 scheme and ask the
> >     // component to pick up the javax.net.ssl.* system properties.
> >     String messageSubscriberList = repository
> >         .findOne(messageType)
> >         .getSubscriberUris()
> >         .stream()
> >         .map(uri -> uri.replace("https:", "https4:"))
> >         .map(uri -> uri.replace("http:", "http4:"))
> >         .map(uri -> uri.concat("?useSystemProperties=true"))
> >         .collect(Collectors.joining(","));
> >     in.setHeader("messageSubscriberList", messageSubscriberList);
> > }
> >
> > When I deploy the app to tomcat, tomcat has the system properties for all
> > of the relevant javax.net.ssl.-prefixed properties: trustStore,
> > trustStorePassword, trustStoreType, keyStore, keyStorePassword,
> > keyStorePasswordType.  When I try to use my "/publish" endpoint to send a
> > message to "vm:messageStart", and when it attempts to send the message to
> > the recipient list, I get the same error for each recipient:
> > "javax.net.ssl.SSLHandshakeException: Received fatal alert:
> > bad_certificate".
> >
> > Note that for the purposes of testing, I also have the messaging service
> > listening to the following rest endpoints: /rest/1, /rest/2, and /rest/3.
> > The subscriber list contains the urls: https://server_host:8443/rest/1,
> > https://server_host:8443/rest/2, and https://server_host:8443/rest/3.  So
> > it isn't a matter of one server being configured with one trust store and
> > another server being configured with a different trust store.  This is a
> > service trying to post data to its own endpoints.
> >
> > Does anyone have some idea about how I have configured this incorrectly?
> > Thanks in advance for any insight that anyone can provide.
> >
> >
> > If you reply to this email, your message will be added to the discussion below:
> > http://camel.465427.n5.nabble.com/Send-messages-to-remote-SSL-TLSv1-2-enabled-rest-endpoints-tp5814765.html
>

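The two hints in the thread above (a "null cert chain" in the `-Djavax.net.debug=all` output, and `javax.net.ssl.*` properties being honoured only by the default SSL context) can both be checked before touching Camel at all. The following is an added example, not code from the thread or from the Camel project: it loads the PKCS12 key and trust stores named by the same system properties Tomcat was given, asks the resulting `X509KeyManager` which alias it would present to a server that requests client certificates (a `null` answer means the client sends an empty chain), runs the trust store's `X509TrustManager` over that chain the way the server side would, and then builds an explicit `SSLContext` from those managers. The class name, the assumption that the property names are the JSSE ones (`javax.net.ssl.keyStoreType` and `javax.net.ssl.trustStoreType` for the store types) and the assumption that the referenced files exist are all mine.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

/**
 * Mutual-TLS preflight for a JSSE client (added example; hypothetical file layout).
 * Answers, without a network round trip, the two questions a "bad_certificate"
 * alert from a server that requires client certificates usually comes down to:
 *   1. would this client present a certificate at all? (if not, it sends an
 *      empty chain, which is what a "null cert chain" in the debug log points at)
 *   2. would the server's trust store accept that chain?
 * It then builds an explicit SSLContext from the same PKCS12 files, because a
 * context obtained via SSLContext.getInstance() does not read javax.net.ssl.*.
 */
public final class MutualTlsPreflight {

    static String required(String name) {
        String v = System.getProperty(name);
        if (v == null) throw new IllegalStateException("-D" + name + " is not set");
        return v;
    }

    static KeyStore load(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Alias the client would answer a CertificateRequest with, or null for "no certificate". */
    static String clientAlias(KeyManagerFactory kmf) {
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager x509 = (X509KeyManager) km;
            // Servers list acceptable key types in the CertificateRequest; try the two common ones.
            for (String keyType : new String[] {"RSA", "EC"}) {
                String alias = x509.chooseClientAlias(new String[] {keyType}, null, null);
                if (alias != null) return alias;
            }
        }
        return null;
    }

    /** Runs the check the server's trust manager will run on the client's chain. */
    static boolean chainTrusted(KeyStore keyStore, String alias, TrustManagerFactory tmf)
            throws GeneralSecurityException {
        Certificate[] raw = keyStore.getCertificateChain(alias);
        X509Certificate[] chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
                return true;
            } catch (CertificateException e) {
                System.out.println("chain for '" + alias + "' rejected: " + e.getMessage());
                return false;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        char[] ksPass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        char[] tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "").toCharArray();
        KeyStore keyStore = load(required("javax.net.ssl.keyStore"),
                System.getProperty("javax.net.ssl.keyStoreType", "PKCS12"), ksPass);
        KeyStore trustStore = load(required("javax.net.ssl.trustStore"),
                System.getProperty("javax.net.ssl.trustStoreType", "PKCS12"), tsPass);

        // For PKCS12 the key password is the store password.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, ksPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        String alias = clientAlias(kmf);
        if (alias == null) {
            System.out.println("no usable PrivateKeyEntry: the client would send an empty certificate chain");
            return;
        }
        System.out.println("client would present '" + alias + "'; accepted by trust store: "
                + chainTrusted(keyStore, alias, tmf));

        // Explicit context: this, not the default one, is what a custom HTTP client must be given.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("built " + ctx.getProtocol() + " context from explicit key and trust managers");
    }
}
```

Run it with the same `-Djavax.net.ssl.*` arguments the Tomcat JVM gets. If `clientAlias` returns null, the keystore holds only trusted certificates and no private key, which `keytool -list -v -keystore client.p12 -storetype PKCS12` confirms by showing no `PrivateKeyEntry`; if the chain is rejected, the server's trust store lacks the corporate CA that issued the client certificate. On the Camel side, the http4 component accepts an `SSLContextParameters` through its `sslContextParameters` option, which is the way to feed it explicit key and trust managers instead of relying on `useSystemProperties=true`.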