Hi, I'm currently working on a web service with two-way SSL authentication. I managed to make it work with CXF code, but I ran into an issue that I couldn't figure out. I have generated the keystores and truststores for both the client and the server (I'm in control of both the client and the web service).

I made a client web service call using Java code like described here: https://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-HowtoconfiguretheHTTPConduitfortheSOAPClient%3F

And I also include the setup of TLSClientParameters using the default SSLContext:

    HTTPConduit http = (HTTPConduit) client.getConduit();
    TLSClientParameters params = new TLSClientParameters();
    params.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
    http.setTlsClientParameters(params);

The client keystore and truststore are passed using the -Djavax.net.ssl.* properties, and it works.

However, when I remove this piece of code, or when I write a standard JAX-WS client (even with setting up HttpsURLConnection.setDefaultSSLSocketFactory(SSLContext.getDefault().getSocketFactory());), it doesn't work.

Debugging the SSL handshake, I spot the difference when the client receives the CertificateRequest for its certificate. In the case where it works, the SSL layer finds an alias with a matching certificate and sends it to the server (client-side log):

    *** CertificateRequest
    Cert Types: RSA, DSS
    Cert Authorities:
    <My DN>
    *** ServerHelloDone
    matching alias: myAlias
    *** Certificate chain
    chain [0] = [
    ...

In the other case, the SSL layer seems to find nothing and doesn't send the certificate, and the server returns an error (server-side log):

    [INFO] [talledLocalContainer] *** Certificate chain
    [INFO] [talledLocalContainer] ***
    [INFO] [talledLocalContainer] http-18043-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
    [INFO] [talledLocalContainer] http-18043-1, WRITE: TLSv1 Alert, length = 2
    [INFO] [talledLocalContainer] http-18043-1, called closeSocket()
    [INFO] [talledLocalContainer] http-18043-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain

In both cases, I rely on the default SSLContext setup.

I searched through the TLS setup code in CXF but I couldn't figure out what could make it work, nor why it doesn't work in pure JAX-WS code. Any idea?

I'm using CXF 2.2.12 and JDK 1.6.0_29 (HotSpot).

-- Thomas Gueze
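Added example (editor's note, not part of the original post and not CXF project code): the handshake excerpts above show the two outcomes of the client-side alias selection. The default JSSE key manager only offers an alias that holds a private key entry of a requested key type (here RSA or DSS) and whose certificate chain is issued by one of the DNs the server lists under "Cert Authorities"; when nothing qualifies, the client sends an empty Certificate message, which is what the server-side "null cert chain" reflects. The code below builds the SSLContext explicitly from the keystore and truststore instead of relying on `SSLContext.getDefault()`, wires it into both a CXF `HTTPConduit` and a plain JAX-WS `HttpsURLConnection`, and adds a pre-flight check that reproduces that alias selection so it can be run before any network call. The `javax.net.ssl.*` property values, the `CN=My Issuer` DN and the `jaxwsProxy` argument are placeholders; it targets JDK 6 syntax (no try-with-resources) and the `TLSClientParameters.setKeyManagers`/`setTrustManagers` setters present in CXF 2.2.x. Running with `-Djavax.net.debug=ssl,handshake` shows the same `matching alias:` line as in the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class MutualTlsClientSetup {

    /** Load a JKS or PKCS12 keystore from disk (plain JDK 6 I/O, no try-with-resources). */
    static KeyStore loadKeyStore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** Key managers from the client keystore: the private key + chain sent on CertificateRequest. */
    static KeyManager[] keyManagers(KeyStore clientKeyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeyStore, keyPassword);
        return kmf.getKeyManagers();
    }

    /** Trust managers from the truststore: the CA(s) the server certificate must chain to. */
    static TrustManager[] trustManagers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** Plain JAX-WS path: install an explicit SSLContext as the process-wide HTTPS default. */
    static SSLContext installDefaultContext(KeyManager[] kms, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        return ctx;
    }

    /** CXF path: hand the managers to the proxy's HTTPConduit rather than the default context. */
    static void configureCxfProxy(Object jaxwsProxy, KeyManager[] kms, TrustManager[] tms) {
        Client client = ClientProxy.getClient(jaxwsProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters params = new TLSClientParameters();
        params.setKeyManagers(kms);
        params.setTrustManagers(tms);
        conduit.setTlsClientParameters(params);
    }

    /**
     * Pre-flight check mirroring the default X509KeyManager's client alias choice: an alias
     * qualifies only if it is a private-key entry, its leaf key matches a requested key type
     * ("DSS" in the handshake log means DSA), and some certificate in its chain is issued by
     * one of the DNs the server listed under "Cert Authorities" (any alias qualifies when
     * that list is empty). An empty result means the client will send no certificate.
     */
    static List<String> eligibleClientAliases(KeyStore clientKeyStore, List<String> keyTypes,
                                              List<String> acceptedIssuerDns) throws Exception {
        List<X500Principal> accepted = new ArrayList<X500Principal>();
        for (String dn : acceptedIssuerDns) accepted.add(new X500Principal(dn));
        List<String> result = new ArrayList<String>();
        Enumeration<String> aliases = clientKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!clientKeyStore.isKeyEntry(alias)) continue;          // trusted-cert entries never qualify
            Certificate[] chain = clientKeyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;
            String alg = chain[0].getPublicKey().getAlgorithm();       // "RSA" or "DSA"
            if (!keyTypes.contains(alg) && !("DSA".equals(alg) && keyTypes.contains("DSS"))) continue;
            boolean issuerOk = accepted.isEmpty();
            for (Certificate c : chain) {
                if (c instanceof X509Certificate
                        && accepted.contains(((X509Certificate) c).getIssuerX500Principal())) {
                    issuerOk = true; break;
                }
            }
            if (issuerOk) result.add(alias);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: same -Djavax.net.ssl.* properties the post passes on the command line.
        KeyStore ks = loadKeyStore(System.getProperty("javax.net.ssl.keyStore"),
                System.getProperty("javax.net.ssl.keyStorePassword").toCharArray(), "JKS");
        KeyStore ts = loadKeyStore(System.getProperty("javax.net.ssl.trustStore"),
                System.getProperty("javax.net.ssl.trustStorePassword").toCharArray(), "JKS");
        // "CN=My Issuer" stands in for the <My DN> the server advertises in CertificateRequest.
        System.out.println("aliases the client would offer: " + eligibleClientAliases(ks,
                Arrays.asList("RSA", "DSS"), Arrays.asList("CN=My Issuer")));
        installDefaultContext(keyManagers(ks, System.getProperty("javax.net.ssl.keyStorePassword").toCharArray()),
                trustManagers(ts));
    }
}
```

If `eligibleClientAliases` returns an empty list for the DN copied from the `Cert Authorities:` line of the handshake log, the problem is in the keystore contents (no private-key entry, or a chain not issued by that CA) rather than in the CXF or JAX-WS wiring; if it returns the expected alias, the difference lies in which SSLContext the failing code path actually ends up using.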
