Hi,

I got a strange problem using client certificates, maybe someone here
can help:

I'll try to connect to a SOAP service using https, secured using client
certificates (the server is a JBoss btw). My keystore and truststore
look like this:

 keystore
   contains cert + key of the identity ("superadmin" in this case).

 truststore
   contains the CA certificate which was used to sign the superadmin
   cert.

If I import the client certificate into Firefox, I can connect on the
web interface of the server (which is secured using the same certificate).

I connect using code generated by wsdl2java:

   QName qname = new QName("http://ws.protocol.core.ejbca.org/",
                       "EjbcaWSService");
   EjbcaWSService service = new EjbcaWSService(new URL(urlstr), qname);
   caPort = service.getEjbcaWSPort();

...the usual way.

But then I'll get an exception while the handshake is running.

The client log:

main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 1
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, bad_certificate
main, called closeSocket()
main, Exception while waiting for close
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
main, handling exception: javax.net.ssl.SSLHandshakeException: Received
fatal alert: bad_certificate
main, called close()
main, called closeInternal(true)

and the server log:

16:45:12,365 INFO  [STDOUT] *** ServerHelloDone
16:45:12,365 INFO  [STDOUT] http-0.0.0.0-8443-3, WRITE: TLSv1 Handshake,
length = 1745
16:45:12,412 INFO  [STDOUT] http-0.0.0.0-8443-3, READ: TLSv1 Handshake,
length = 141
16:45:12,413 INFO  [STDOUT] *** Certificate chain
16:45:12,413 INFO  [STDOUT] ***
16:45:12,414 INFO  [STDOUT] http-0.0.0.0-8443-3
16:45:12,415 INFO  [STDOUT] , SEND TLSv1 ALERT:
16:45:12,416 INFO  [STDOUT] fatal,
16:45:12,416 INFO  [STDOUT] description = bad_certificate
16:45:12,417 INFO  [STDOUT] http-0.0.0.0-8443-3, WRITE: TLSv1 Alert,
length = 2
16:45:12,418 INFO  [STDOUT] http-0.0.0.0-8443-3, called closeSocket()
16:45:12,418 INFO  [STDOUT] http-0.0.0.0-8443-3, handling exception:
javax.net.ssl.SSLHandshakeException: null cert chain

It seems like the server does not get the cert chain properly. I have
already googled for a solution and tried to set the protocol explicitly
to SSLv3:

  Client client = ClientProxy.getClient(caPort);
  HTTPConduit conduit = (HTTPConduit)client.getConduit();
  TLSClientParameters params = new TLSClientParameters();
  params.setSecureSocketProtocol("SSLv3");
  params.setTrustManagers(simpleTrustManager);
  params.setDisableCNCheck(true);
  conduit.setTlsClientParameters(params);

but this also does not work (with another error: no_certificate).
Setting an "anything goes" TrustManager does not help either.

I also played around with the key/truststores and imported/cleaned/
imported/covered in dirt the keys in all ways possible.

I am a bit pointless right now... anyone any ideas??

Thanks,
Michael

-- 
Dipl.-Technoinform Michael Kleinhenz

tarent
Gesellschaft für Softwareentwicklung und IT-Beratung mbH

Heilsbachstr. 24, 53123 Bonn  | Poststr. 4-5, 10178 Berlin
fon: +49(228) / 52675-0       | fon: +49(30) / 27594853
fax: +49(228) / 52675-25      | fax: +49(30) / 78709617

Geschäftsführer: Boris Esser, Elmar Geese
HRB AG Bonn 5168 - Ust-ID: DE122264941
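Added diagnostic example (this is not code from the original post, from CXF or from EJBCA). The server-side debug output above prints "*** Certificate chain" immediately followed by "***", i.e. the client answered the CertificateRequest with an empty certificate list, which JSSE reports as "null cert chain" and answers with bad_certificate; under SSLv3 the same situation is signalled with a no_certificate alert instead, which matches the second error seen. A client only sends a certificate if its SSLContext has a KeyManager backed by a keystore that holds a private-key entry whose chain is acceptable to the server; the TLSClientParameters in the post configure trust managers but no key managers. The snippet below loads keystore and truststore, reports which entries actually carry a private key and a chain rooted in a CA from the truststore, and then wires both KeyManagers and TrustManagers into the CXF conduit. File names, the password and the "superadmin" alias are assumptions for illustration.

```java
// Added example, not from the original post: verify the client identity in the
// keystore and configure CXF with both key and trust managers. Paths, password
// and alias are assumptions.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class ClientCertCheck {

    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the alias of a private-key entry whose chain is signed by a CA in the truststore, or null. */
    static String findUsableIdentity(KeyStore keyStore, KeyStore trustStore) throws Exception {
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                // a trusted-cert entry has no private key, so it can never be presented as a client cert
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": key entry without a certificate chain");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": " + leaf.getSubjectX500Principal()
                + " issued by " + leaf.getIssuerX500Principal());
            leaf.checkValidity(); // throws if the certificate is expired or not yet valid
            if (chainEndsInTrustedCa(chain, trustStore)) {
                return alias;
            }
            System.out.println(alias + ": no CA in the truststore signs the top of this chain");
        }
        return null;
    }

    /** True if the last certificate of the chain verifies against some CA certificate in the truststore. */
    static boolean chainEndsInTrustedCa(Certificate[] chain, KeyStore trustStore) throws Exception {
        Certificate top = chain[chain.length - 1];
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate ca = trustStore.getCertificate(alias);
            if (ca == null) {
                continue;
            }
            try {
                top.verify(ca.getPublicKey());
                return true;
            } catch (Exception notSignedByThisCa) {
                // not this CA, try the next one
            }
        }
        return false;
    }

    /** Wire key AND trust managers into the CXF conduit; without key managers no client cert is sent. */
    static void configure(Object port, KeyStore keyStore, char[] keyPassword,
                          KeyStore trustStore, String alias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        TLSClientParameters params = new TLSClientParameters();
        params.setKeyManagers(kmf.getKeyManagers());     // makes the client answer CertificateRequest
        params.setTrustManagers(tmf.getTrustManagers()); // validates the server, no "anything goes" needed
        params.setCertAlias(alias);                      // pin the identity if the keystore holds several keys
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(params);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                 // assumed password
        KeyStore ks = load("superadmin.jks", pw, "JKS");      // assumed keystore file
        KeyStore ts = load("truststore.jks", pw, "JKS");      // assumed truststore file
        String alias = findUsableIdentity(ks, ts);
        if (alias == null) {
            System.err.println("No presentable identity: the handshake would carry an empty Certificate message");
            System.exit(1);
        }
        System.out.println("Usable identity: " + alias);
        // configure(caPort, ks, pw, ts, alias);  // caPort from the generated EjbcaWSService
    }
}
```

Running the check with -Djavax.net.debug=ssl on the client side shows whether the chain is actually written after the server's CertificateRequest; if the keystore password and the key password differ, kmf.init() must get the key password, otherwise the KeyManager silently has no usable entry and the same empty chain results.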
