I did more debugging and found some more info. If I use SOAPUI to send the
request, it works. So I compared the trace of using SOAPUI with the trace of
using the CXF client and noticed that the CXF client sends an empty client
certificate to the server:

SOAPUI trace:

2009-09-04 10:20:30,039 INFO  [STDOUT] *** CertificateRequest
2009-09-04 10:20:30,039 INFO  [STDOUT] Cert Types: 
2009-09-04 10:20:30,039 INFO  [STDOUT] RSA
2009-09-04 10:20:30,039 INFO  [STDOUT] , 
2009-09-04 10:20:30,039 INFO  [STDOUT] DSS
2009-09-04 10:20:30,039 INFO  [STDOUT] Cert Authorities:
2009-09-04 10:20:30,039 INFO  [STDOUT] <CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US>
2009-09-04 10:20:30,039 INFO  [STDOUT] *** ServerHelloDone
2009-09-04 10:20:30,039 INFO  [STDOUT] [write] MD5 and SHA1 hashes:  len = 763
2009-09-04 10:20:30,039 INFO  [STDOUT] : 

..........

2009-09-04 10:20:30,445 INFO  [STDOUT] Finalizer, called close()
2009-09-04 10:20:30,445 INFO  [STDOUT] .
2009-09-04 10:20:30,445 INFO  [STDOUT] Finalizer, called closeInternal(true)
2009-09-04 10:20:30,445 INFO  [STDOUT] .
2009-09-04 10:20:30,460 INFO  [STDOUT] Finalizer
2009-09-04 10:20:30,460 INFO  [STDOUT] , SEND TLSv1 ALERT:  
2009-09-04 10:20:30,460 INFO  [STDOUT] warning, 
2009-09-04 10:20:30,460 INFO  [STDOUT] description = close_notify
2009-09-04 10:20:30,460 INFO  [STDOUT] .
2009-09-04 10:20:30,460 INFO  [STDOUT] .
2009-09-04 10:20:30,460 INFO  [STDOUT] Finalizer, WRITE: TLSv1 Alert, length = 2

..........

2009-09-04 10:20:30,523 INFO  [STDOUT] http-127.0.0.1-443-1, WRITE: TLSv1 Handshake, length = 763
2009-09-04 10:20:30,523 INFO  [STDOUT] [Raw write]: length = 768

..........

2009-09-04 10:20:31,756 INFO  [STDOUT] http-127.0.0.1-443-1, READ: TLSv1 Handshake, length = 717
2009-09-04 10:20:31,756 INFO  [STDOUT] *** Certificate chain
2009-09-04 10:20:31,756 INFO  [STDOUT] chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 

11022136404366260786867706998815909120892711655220041366154642335877115593279601433747951868492173069771624921569689871916587651201

13337107402148452214825984897539665655796798747506864238546313597740365973637835759903929054930661247779625717386078730310144326004

34597744487789382442047536039796155847678644961
  public exponent: 65537
  Validity: [From: Tue Sep 01 14:01:20 EDT 2009,
               To: Mon Nov 30 13:01:20 EST 2009]
  Issuer: CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US
  SerialNumber: [    4a9d6170]

]
  Algorithm: [SHA1withRSA]
  Signature:

CXF Client trace:

2009-09-04 10:59:54,937 INFO  [STDOUT] *** CertificateRequest
2009-09-04 10:59:54,937 INFO  [STDOUT] Cert Types: 
2009-09-04 10:59:54,937 INFO  [STDOUT] RSA
2009-09-04 10:59:54,937 INFO  [STDOUT] , 
2009-09-04 10:59:54,937 INFO  [STDOUT] DSS
2009-09-04 10:59:54,937 INFO  [STDOUT] Cert Authorities:
2009-09-04 10:59:54,937 INFO  [STDOUT] <CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US>
2009-09-04 10:59:54,937 INFO  [STDOUT] *** ServerHelloDone
2009-09-04 10:59:54,937 INFO  [STDOUT] [write] MD5 and SHA1 hashes:  len = 763
2009-09-04 10:59:54,937 INFO  [STDOUT] : 

.......

2009-09-04 10:59:55,157 INFO  [STDOUT] http-127.0.0.1-443-1, WRITE: TLSv1 Handshake, length = 763
2009-09-04 10:59:55,157 INFO  [STDOUT] [Raw write]: length = 768
2009-09-04 10:59:55,157 INFO  [STDOUT] : 

.......

2009-09-04 10:59:55,407 INFO  [STDOUT] http-127.0.0.1-443-1, READ: TLSv1 Handshake, length = 141
2009-09-04 10:59:55,407 INFO  [STDOUT] *** Certificate chain
2009-09-04 10:59:55,407 INFO  [STDOUT] ***
2009-09-04 10:59:55,407 INFO  [STDOUT] http-127.0.0.1-443-1
2009-09-04 10:59:55,407 INFO  [STDOUT] , SEND TLSv1 ALERT:  
2009-09-04 10:59:55,407 INFO  [STDOUT] fatal, 
2009-09-04 10:59:55,407 INFO  [STDOUT] description = bad_certificate
2009-09-04 10:59:55,407 INFO  [STDOUT] http-127.0.0.1-443-1, WRITE: TLSv1 Alert, length = 2
2009-09-04 10:59:55,407 INFO  [STDOUT] [Raw write]: length = 7
2009-09-04 10:59:55,407 INFO  [STDOUT] : 


I also noticed that the SOAPUI trace did some things that the CXF client didn't
after client CertificateRequest:

2009-09-04 10:20:30,445 INFO  [STDOUT] Finalizer, called close()
2009-09-04 10:20:30,445 INFO  [STDOUT] .
2009-09-04 10:20:30,445 INFO  [STDOUT] Finalizer, called closeInternal(true)
2009-09-04 10:20:30,445 INFO  [STDOUT] .
2009-09-04 10:20:30,460 INFO  [STDOUT] Finalizer
2009-09-04 10:20:30,460 INFO  [STDOUT] , SEND TLSv1 ALERT:  
2009-09-04 10:20:30,460 INFO  [STDOUT] warning, 
2009-09-04 10:20:30,460 INFO  [STDOUT] description = close_notify
2009-09-04 10:20:30,460 INFO  [STDOUT] .
2009-09-04 10:20:30,460 INFO  [STDOUT] .
2009-09-04 10:20:30,460 INFO  [STDOUT] Finalizer, WRITE: TLSv1 Alert, length = 2

I am not sure if this makes a difference.

How do I configure CXF client to send the certificate?

Xinxin


xinxinwang wrote:
> 
> Thanks for the info. I turned the debug on and got more info:
> 
> 09:52:05,298 INFO  [STDOUT] http-127.0.0.1-443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
> 
> Any idea?
> 
> Xinxin
> 
> 
> dkulp wrote:
>> 
>> 
>> All I can suggest is to check the server logs for any information there
>> as 
>> well as try setting the system property:
>>  -Djavax.net.debug=all
>> and kind of trace through what the ssl handshake is doing.   Might reveal
>> a 
>> strange key being used or something.
>> 
>> Dan
>> 
>> 
>> On Wed September 2 2009 10:47:53 am xinxinwang wrote:
>>> I deployed my service on JBoss 4.2.3/JDK 1.6.0_10 with port 443 over SSL
>>>  with the following connector:
>>> 
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>>     maxThreads="150" scheme="https" secure="true" clientAuth="true"
>>>     address="${jboss.bind.address}"
>>>     keystoreFile="${jboss.server.home.dir}/conf/server.keystore.jks"
>>>     keystorePass="testit"
>>>     truststoreFile="${jboss.server.home.dir}/conf/client.keystore.jks"
>>>     truststorePass="testit"
>>>     sslProtocol="TLS">
>>> </Connector>
>>> 
>>> I created both server.keystore.jks and client.keystore.jks using JDK
>>>  keytool with RSA algorithm.
>>> 
>>> My client is located on the same machine. I am using
>>> https://localhost:443/....  to connect to the service.
>>> I am using the following code to set up the httpconduit and invoke the
>>> service:
>>> 
>>> 
>>>     Service service = Service.create(new QName(namespace, serviceName));
>>>     QName portQName = new QName(namespace, portTypeName);
>>>     service.addPort(portQName, SOAPBinding.SOAP11HTTP_BINDING, endPoint);
>>>     dispPayload = service.createDispatch(portQName, Source.class,
>>>             Service.Mode.PAYLOAD);
>>>     BindingProvider bp = (BindingProvider)service.getPort(portQName,
>>>             Source.class);
>>> 
>>>     HTTPConduit httpConduit =
>>>             (HTTPConduit)ClientProxy.getClient(bp).getConduit();
>>>     TLSClientParameters tlsParams = new TLSClientParameters();
>>>     tlsParams.setDisableCNCheck(true);
>>> 
>>>     KeyStore trustStore = KeyStore.getInstance("JKS");
>>>     String trustpass = "testit";//provide trust pass
>>>     InputStream trustStream = Thread.currentThread().getContextClassLoader()
>>>             .getResourceAsStream("server.keystore.jks");
>>>     trustStore.load(trustStream, trustpass.toCharArray());
>>>     TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(
>>>             TrustManagerFactory.getDefaultAlgorithm());
>>>     trustFactory.init(trustStore);
>>>     TrustManager[] tm = trustFactory.getTrustManagers();
>>>     tlsParams.setTrustManagers(tm);
>>> 
>>>     KeyStore keyStore = KeyStore.getInstance("JKS");
>>>     String keypass = "testit";//provide client keystore pass
>>>     InputStream keyStream = Thread.currentThread().getContextClassLoader()
>>>             .getResourceAsStream("client.keystore.jks");
>>>     keyStore.load(keyStream, keypass.toCharArray());
>>>     KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(
>>>             KeyManagerFactory.getDefaultAlgorithm());
>>>     keyFactory.init(keyStore, keypass.toCharArray());
>>>     KeyManager[] km = keyFactory.getKeyManagers();
>>>     tlsParams.setKeyManagers(km);
>>> 
>>>     FiltersType filter = new FiltersType();
>>>     filter.getInclude().add(".*_EXPORT_.*");
>>>     filter.getInclude().add(".*_EXPORT1024_.*");
>>>     filter.getInclude().add(".*_WITH_DES_.*");
>>>     filter.getInclude().add(".*_WITH_NULL_.*");
>>>     filter.getExclude().add(".*_DH_anon_.*");
>>>     //set all the needed include and exclude filters.
>>>     tlsParams.setCipherSuitesFilter(filter);
>>> 
>>>     httpConduit.setTlsClientParameters(tlsParams);
>>> 
>>> 
>>>     InputStream inputStream = Thread.currentThread().getContextClassLoader()
>>>             .getResourceAsStream(request);
>>> 
>>>     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>>>     factory.setNamespaceAware(true);
>>>     DocumentBuilder builder = factory.newDocumentBuilder();
>>>     Document document = builder.parse(inputStream);
>>>     Source requestSource = new DOMSource(document);
>>> 
>>>     Source response = dispPayload.invoke(requestSource);
>>> 
>>> When I run the client code, I got the following Exception at the line
>>>  above:
>>> 
>>>     org.apache.cxf.interceptor.Fault: Could not send Message.
>>>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
>>>     at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:288)
>>>     at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:257)
>>>     at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:195)
>>>     at mil.army.soa.adsl.client.DataServiceClient.retrieve(DataServiceClient.java:115)
>>>     at mil.army.soa.adsl.tester.DataServiceTester.main(DataServiceTester.java:37)
>>> Caused by: java.net.SocketException: Software caused connection abort: recv failed
>>>     at java.net.SocketInputStream.socketRead0(Native Method)
>>>     at java.net.SocketInputStream.read(SocketInputStream.java:129)
>>>     at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
>>>     at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
>>>     at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:868)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:794)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
>>>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
>>>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>>>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:881)
>>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1909)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1864)
>>>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1927)
>>>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>>>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
>>>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>>>     ... 9 more
>>> 
>>> If I set the clientAuth="false", I do not get this exception.
>>> 
>>> Thanks for any help,
>>> 
>>> Xinxin
>>> 
>> 
>> -- 
>> Daniel Kulp
>> dk...@apache.org
>> http://www.dankulp.com/blog
>> 
>> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/CXF-Client%3A-Software-caused-connection-abort%3A-recv-failed-tp25259046p25296598.html
Sent from the cxf-user mailing list archive at Nabble.com.
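
One way to check, outside CXF, whether a client keystore can answer the CertificateRequest shown in the traces above. This is an added example, not code from the thread or from CXF; the class name `ClientCertCheck`, the command-line arguments, and the assumption that the key password equals the store password are illustrative.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

// Hypothetical diagnostic class; not part of CXF or of the poster's client.
public class ClientCertCheck {

    // Returns the alias JSSE would pick for the CertificateRequest, or null.
    // null means the client answers with an empty Certificate message.
    static String chooseAlias(KeyStore ks, char[] pass, Principal[] issuers) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass); // assumes key password == store password
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                // "RSA, DSS" in the trace correspond to JSSE key types RSA and DSA.
                String alias = ((X509KeyManager) km)
                        .chooseClientAlias(new String[] {"RSA", "DSA"}, issuers, null);
                if (alias != null) return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = (args.length > 1 ? args[1] : "testit").toCharArray();
        // "Cert Authorities" value copied from the CertificateRequest in the trace.
        Principal[] issuers = {
            new X500Principal("CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US")
        };
        KeyStore ks = KeyStore.getInstance("JKS");
        // With no path argument the stream is null, which is also what
        // getResourceAsStream() returns for a missing resource:
        // load(null, ...) silently creates an EMPTY keystore.
        try (InputStream in = args.length > 0 ? new FileInputStream(args[0]) : null) {
            ks.load(in, pass);
        }
        for (String a : Collections.list(ks.aliases())) {
            System.out.println(a + ": "
                    + (ks.isKeyEntry(a) ? "private key entry" : "trusted certificate only"));
        }
        String alias = chooseAlias(ks, pass, issuers);
        System.out.println(alias == null
                ? "no usable alias: an empty certificate chain would be sent"
                : "would send the chain for alias " + alias);
    }
}
```

Run with no arguments it reproduces the empty-keystore case; run with a keystore path and password it reports whether any private key entry matches the requested key types and issuer.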