I did more debugging and found some more info. If I use SOAPUI to send the request, it works. So I compared the trace of using SOAPUI with the trace of using the CXF client and noticed that the CXF client sends an empty client certificate to the server:
SOAPUI trace:

2009-09-04 10:20:30,039 INFO [STDOUT] *** CertificateRequest
2009-09-04 10:20:30,039 INFO [STDOUT] Cert Types:
2009-09-04 10:20:30,039 INFO [STDOUT] RSA
2009-09-04 10:20:30,039 INFO [STDOUT] ,
2009-09-04 10:20:30,039 INFO [STDOUT] DSS
2009-09-04 10:20:30,039 INFO [STDOUT] Cert Authorities:
2009-09-04 10:20:30,039 INFO [STDOUT] <CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US>
2009-09-04 10:20:30,039 INFO [STDOUT] *** ServerHelloDone
2009-09-04 10:20:30,039 INFO [STDOUT] [write] MD5 and SHA1 hashes: len = 763
2009-09-04 10:20:30,039 INFO [STDOUT] : ..........
2009-09-04 10:20:30,445 INFO [STDOUT] Finalizer, called close()
2009-09-04 10:20:30,445 INFO [STDOUT] .
2009-09-04 10:20:30,445 INFO [STDOUT] Finalizer, called closeInternal(true)
2009-09-04 10:20:30,445 INFO [STDOUT] .
2009-09-04 10:20:30,460 INFO [STDOUT] Finalizer
2009-09-04 10:20:30,460 INFO [STDOUT] , SEND TLSv1 ALERT:
2009-09-04 10:20:30,460 INFO [STDOUT] warning,
2009-09-04 10:20:30,460 INFO [STDOUT] description = close_notify
2009-09-04 10:20:30,460 INFO [STDOUT] .
2009-09-04 10:20:30,460 INFO [STDOUT] .
2009-09-04 10:20:30,460 INFO [STDOUT] Finalizer, WRITE: TLSv1 Alert, length = 2
..........
2009-09-04 10:20:30,523 INFO [STDOUT] http-127.0.0.1-443-1, WRITE: TLSv1 Handshake, length = 763
2009-09-04 10:20:30,523 INFO [STDOUT] [Raw write]: length = 768
..........
2009-09-04 10:20:31,756 INFO [STDOUT] http-127.0.0.1-443-1, READ: TLSv1 Handshake, length = 717
2009-09-04 10:20:31,756 INFO [STDOUT] *** Certificate chain
2009-09-04 10:20:31,756 INFO [STDOUT] chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key: Sun RSA public key, 1024 bits
  modulus: 1102213640436626078686770699881590912089271165522004136615464233587711559327960143374795186849217306977162492156968987191658765120113337107402148452214825984897539665655796798747506864238546313597740365973637835759903929054930661247779625717386078730310144326004 34597744487789382442047536039796155847678644961
  public exponent: 65537
  Validity: [From: Tue Sep 01 14:01:20 EDT 2009,
               To: Mon Nov 30 13:01:20 EST 2009]
  Issuer: CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US
  SerialNumber: [ 4a9d6170]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 7F 22 71 21 35 CC F5 82 39 6E 3B 26 2D F9 BF D8 ."q!5...9n;&-...
0010: 68 85 4E 6C 77 4C C7 CA 72 7C 2A 5D 33 13 46 9A h.NlwL..r.*]3.F.
0020: D4 3F C1 D0 71 CE 36 02 D6 3D BE 1A 80 70 35 6C .?..q.6..=...p5l
0030: D5 38 F7 62 D9 3C 68 53 27 CA 83 22 01 E1 F0 17 .8.b.<hS'..".... 
0040: 85 D4 2E B9 4C CC 2E 4A F5 78 57 54 C3 C3 56 AE ....L..J.xWT..V.
0050: 2A E0 5C 19 16 3C E4 5F BB F7 1F BA F2 89 0C 04 *.\..<._........
0060: 1E A5 70 2B 82 CD CB C7 5F 9B 75 CA 5D 00 0D 29 ..p+...._.u.]..)
0070: AD 7C 82 9C 25 F1 56 05 59 AA 41 5D 41 5A AB 59 ....%.V.Y.A]AZ.Y

CXF Client trace:

2009-09-04 10:59:54,937 INFO [STDOUT] *** CertificateRequest
2009-09-04 10:59:54,937 INFO [STDOUT] Cert Types:
2009-09-04 10:59:54,937 INFO [STDOUT] RSA
2009-09-04 10:59:54,937 INFO [STDOUT] ,
2009-09-04 10:59:54,937 INFO [STDOUT] DSS
2009-09-04 10:59:54,937 INFO [STDOUT] Cert Authorities:
2009-09-04 10:59:54,937 INFO [STDOUT] <CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US>
2009-09-04 10:59:54,937 INFO [STDOUT] *** ServerHelloDone
2009-09-04 10:59:54,937 INFO [STDOUT] [write] MD5 and SHA1 hashes: len = 763
2009-09-04 10:59:54,937 INFO [STDOUT] : .......
2009-09-04 10:59:55,157 INFO [STDOUT] http-127.0.0.1-443-1, WRITE: TLSv1 Handshake, length = 763
2009-09-04 10:59:55,157 INFO [STDOUT] [Raw write]: length = 768
2009-09-04 10:59:55,157 INFO [STDOUT] : .......
2009-09-04 10:59:55,407 INFO [STDOUT] http-127.0.0.1-443-1, READ: TLSv1 Handshake, length = 141
2009-09-04 10:59:55,407 INFO [STDOUT] *** Certificate chain
2009-09-04 10:59:55,407 INFO [STDOUT] ***
2009-09-04 10:59:55,407 INFO [STDOUT] http-127.0.0.1-443-1
2009-09-04 10:59:55,407 INFO [STDOUT] , SEND TLSv1 ALERT:
2009-09-04 10:59:55,407 INFO [STDOUT] fatal,
2009-09-04 10:59:55,407 INFO [STDOUT] description = bad_certificate
2009-09-04 10:59:55,407 INFO [STDOUT] http-127.0.0.1-443-1, WRITE: TLSv1 Alert, length = 2
2009-09-04 10:59:55,407 INFO [STDOUT] [Raw write]: length = 7
2009-09-04 10:59:55,407 INFO [STDOUT] :

I also noticed that the SOAPUI trace did some things that the CXF client didn't after the client CertificateRequest:

2009-09-04 10:20:30,445 INFO [STDOUT] Finalizer, called close()
2009-09-04 10:20:30,445 INFO [STDOUT] .
2009-09-04 10:20:30,445 INFO [STDOUT] Finalizer, called closeInternal(true)
2009-09-04 10:20:30,445 INFO [STDOUT] .
2009-09-04 10:20:30,460 INFO [STDOUT] Finalizer
2009-09-04 10:20:30,460 INFO [STDOUT] , SEND TLSv1 ALERT:
2009-09-04 10:20:30,460 INFO [STDOUT] warning,
2009-09-04 10:20:30,460 INFO [STDOUT] description = close_notify
2009-09-04 10:20:30,460 INFO [STDOUT] .
2009-09-04 10:20:30,460 INFO [STDOUT] .
2009-09-04 10:20:30,460 INFO [STDOUT] Finalizer, WRITE: TLSv1 Alert, length = 2

I am not sure if this makes a difference. How do I configure the CXF client to send the certificate?

Xinxin


xinxinwang wrote:
>
> Thanks for the info. I turned the debug on and got more info:
>
> 09:52:05,298 INFO [STDOUT] http-127.0.0.1-443-1, handling exception:
> javax.net.ssl.SSLHandshakeException: null cert chain
>
> Any idea?
>
> Xinxin
>
>
> dkulp wrote:
>>
>> All I can suggest is to check the server logs for any information there as
>> well as try setting the system property:
>> -Djavax.net.debug=all
>> and kind of trace through what the ssl handshake is doing. Might reveal a
>> strange key being used or something.
>>
>> Dan
>>
>>
>> On Wed September 2 2009 10:47:53 am xinxinwang wrote:
>>> I deployed my service on JBoss 4.2.3/JDK 1.6.0_10 with port 443 over SSL
>>> with the following connector:
>>>
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>>     maxThreads="150" scheme="https" secure="true" clientAuth="true"
>>>     address="${jboss.bind.address}"
>>>     keystoreFile="${jboss.server.home.dir}/conf/server.keystore.jks"
>>>     keystorePass="testit"
>>>     truststoreFile="${jboss.server.home.dir}/conf/client.keystore.jks"
>>>     truststorePass="testit"
>>>     sslProtocol="TLS">
>>> </Connector>
>>>
>>> I created both server.keystore.jks and client.keystore.jks using JDK
>>> keytool with the RSA algorithm.
>>>
>>> My client is located on the same machine. I am using
>>> https://localhost:443/.... to connect to the service.
>>> I am using the following code to set up the httpconduit and invoke the
>>> service:
>>>
>>> Service service = Service.create(new QName(namespace, serviceName));
>>> QName portQName = new QName(namespace, portTypeName);
>>> service.addPort(portQName, SOAPBinding.SOAP11HTTP_BINDING, endPoint);
>>> dispPayload = service.createDispatch(portQName, Source.class, Service.Mode.PAYLOAD);
>>> BindingProvider bp = (BindingProvider) service.getPort(portQName, Source.class);
>>>
>>> HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(bp).getConduit();
>>> TLSClientParameters tlsParams = new TLSClientParameters();
>>> tlsParams.setDisableCNCheck(true);
>>>
>>> // trust store: the server's certificate
>>> KeyStore trustStore = KeyStore.getInstance("JKS");
>>> String trustpass = "testit"; // provide trust pass
>>> InputStream trustStream = Thread.currentThread().getContextClassLoader().getResourceAsStream("server.keystore.jks");
>>> trustStore.load(trustStream, trustpass.toCharArray());
>>> TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
>>> trustFactory.init(trustStore);
>>> TrustManager[] tm = trustFactory.getTrustManagers();
>>> tlsParams.setTrustManagers(tm);
>>>
>>> // key store: the client's private key and certificate
>>> KeyStore keyStore = KeyStore.getInstance("JKS");
>>> String keypass = "testit"; // provide client keystore pass
>>> InputStream keyStream = Thread.currentThread().getContextClassLoader().getResourceAsStream("client.keystore.jks");
>>> keyStore.load(keyStream, keypass.toCharArray());
>>> KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
>>> keyFactory.init(keyStore, keypass.toCharArray());
>>> KeyManager[] km = keyFactory.getKeyManagers();
>>> tlsParams.setKeyManagers(km);
>>>
>>> FiltersType filter = new FiltersType();
>>> filter.getInclude().add(".*_EXPORT_.*");
>>> filter.getInclude().add(".*_EXPORT1024_.*");
>>> filter.getInclude().add(".*_WITH_DES_.*");
>>> filter.getInclude().add(".*_WITH_NULL_.*");
>>> filter.getExclude().add(".*_DH_anon_.*");
>>> tlsParams.setCipherSuitesFilter(filter); // set all the needed include and exclude filters
>>>
>>> httpConduit.setTlsClientParameters(tlsParams);
>>>
>>> InputStream inputStream = Thread.currentThread().getContextClassLoader().getResourceAsStream(request);
>>>
>>> DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>>> factory.setNamespaceAware(true);
>>> DocumentBuilder builder = factory.newDocumentBuilder();
>>> Document document = builder.parse(inputStream);
>>> Source requestSource = new DOMSource(document);
>>>
>>> Source response = dispPayload.invoke(requestSource);
>>>
>>> When I run the client code, I get the following Exception at the line
>>> above:
>>>
>>> org.apache.cxf.interceptor.Fault: Could not send Message.
>>>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
>>>     at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:288)
>>>     at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:257)
>>>     at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:195)
>>>     at mil.army.soa.adsl.client.DataServiceClient.retrieve(DataServiceClient.java:115)
>>>     at mil.army.soa.adsl.tester.DataServiceTester.main(DataServiceTester.java:37)
>>> Caused by: java.net.SocketException: Software caused connection abort: recv failed
>>>     at java.net.SocketInputStream.socketRead0(Native Method)
>>>     at java.net.SocketInputStream.read(SocketInputStream.java:129)
>>>     at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
>>>     at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
>>>     at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:868)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:794)
>>>     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
>>>     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>>>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
>>>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
>>>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>>>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:881)
>>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1909)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1864)
>>>     at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
>>>     at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1927)
>>>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>>>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
>>>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>>>     ... 9 more
>>>
>>> If I set clientAuth="false", I do not get this exception.
>>>
>>> Thanks for any help,
>>>
>>> Xinxin
>>>
>>
>> --
>> Daniel Kulp
>> dk...@apache.org
>> http://www.dankulp.com/blog
>>
>>
>
>

--
View this message in context: http://www.nabble.com/CXF-Client%3A-Software-caused-connection-abort%3A-recv-failed-tp25259046p25296598.html
Sent from the cxf-user mailing list archive at Nabble.com.
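As an added diagnostic (not code from this thread or from CXF), the check below opens the client JKS keystore and applies the tests a JSSE X509KeyManager runs before it offers a client certificate in reply to a CertificateRequest: the entry must hold a private key, its key type must be one the server listed (RSA or DSS, which JSSE reports as "DSA"), and some certificate in its chain must be issued by one of the names under "Cert Authorities". The keystore path and password in main() are assumptions; the CA name and key types are copied from the trace above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/* Added diagnostic, not code from the thread or from CXF: reports which
 * entries of a JKS keystore a JSSE key manager could offer to the server. */
public class ClientKeystoreCheck {
    /* Aliases that hold a private key, use one of the requested key types
     * and have a chain issued by one of the CA names the server sent. */
    static List<String> usableAliases(KeyStore ks, Set<String> keyTypes,
                                      Set<X500Principal> issuers) throws Exception {
        List<String> usable = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {   // trustedCertEntry: no private key
                System.out.println(alias + ": no private key, cannot be offered");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            String alg = chain[0].getPublicKey().getAlgorithm();   // "RSA" or "DSA"
            if (!keyTypes.contains(alg)) {
                System.out.println(alias + ": key type " + alg + " not requested");
                continue;
            }
            // The key manager accepts the chain if any certificate in it was
            // issued by a listed CA; a self-signed cert is its own issuer.
            boolean issued = Arrays.stream(chain)
                .map(c -> ((X509Certificate) c).getIssuerX500Principal())
                .anyMatch(issuers::contains);
            System.out.println(alias + (issued ? ": usable" : ": issuer not in server's list"));
            if (issued) usable.add(alias);
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "client.keystore.jks";  // assumed location
        char[] pass = (args.length > 1 ? args[1] : "testit").toCharArray(); // assumed password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        // Taken from the "Cert Types" / "Cert Authorities" lines of the trace above
        Set<String> types = new HashSet<>(Arrays.asList("RSA", "DSA"));  // DSS = DSA in JSSE
        Set<X500Principal> cas = Collections.singleton(new X500Principal(
            "CN=localhost, OU=BAH, O=Client, L=Eatontown, ST=NJ, C=US"));
        System.out.println("offerable aliases: " + usableAliases(ks, types, cas));
    }
}
```

An empty result is exactly what produces an empty Certificate message and the server's bad_certificate alert. Note also that KeyStore.load(null, password) silently initialises an empty keystore, so a getResourceAsStream() call that returns null because the file is not on the classpath gives this outcome without any exception at load time.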