I believe I did it properly. I've got to the point where it's working if client is run on java7, but don't work with java8 On server side I can find SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384" in the logs. Still don't know it's sth with the certificate chain, with the cert itself, server configuration
2017-07-04 18:53 GMT+02:00 Andrei Shakirin <[email protected]>: > Hi, > > You need to configure keyManager and trustManager on client side. > The keystore have to contain server certificate for trustManager and > public/private key pair for the keyManager. > > Take a look this integration test: https://github.com/apache/cxf/ > blob/master/services/sts/systests/basic/src/test/java/ > org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java > Method prepareTLSParams(). > > Regards, > Andrei. > > > -----Original Message----- > > From: Arek R. [mailto:[email protected]] > > Sent: Freitag, 30. Juni 2017 09:54 > > To: [email protected] > > Subject: Re: 2way ssl > > > > I cannot get it working. The server says that client doesn't send the > certificate. > > My client keystore contains only the client key/cert pair and this is > working in > > SoapUi project but not in pure java > > > > Here is the log > > > > main, READ: TLSv1.2 Handshake, length = 333 > > *** ECDH ServerKeyExchange > > Signature Algorithm SHA512withRSA > > Server key: Sun EC public key, 256 bits > > public x coord: 830289587105151256207749267013 > > 20321981505124484199856534866410300374616735045 > > public y coord: 332067304039254916257006573681 > > 82738242939062461168510217069674332072760548082 > > parameters: secp256r1 [NIST P-256, X9.62 prime256v1] > (1.2.840.10045.3.1.7) > > main, READ: TLSv1.2 Handshake, length = 4 > > *** ServerHelloDone > > *** ECDHClientKeyExchange > > ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48, > 83, 140, > > 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13, 143, > 160, 102, > > 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118, > 127, 252, > > 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103, 4, > 8 } main, > > WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN: > > PreMaster Secret: > > 0000: C2 9D 01 D3 06 E1 C3 C4 E5 C0 68 95 D1 1E A3 1C ..........h..... > > 0010: 09 7F C1 0F C5 B8 92 A5 6D A2 AA 46 B8 C6 03 DA ........m..F.... > > CONNECTION KEYGEN: > > Client Nonce: > > 0000: 59 55 FF E2 DD 56 BB 05 D3 4E 0D 72 98 86 F6 02 YU...V...N.r.... > > 0010: 71 76 CF EC C7 5F CC 4B 6C CE EE 53 DF AE E6 10 qv..._.Kl..S.... > > Server Nonce: > > 0000: DA E6 A8 95 F7 E3 89 4F 19 1A AB B5 23 F1 3A B4 .......O....#.:. > > 0010: 58 76 21 FC 95 0A 8D FE 3F FD 4B 1E D3 CC D5 F3 Xv!.....?.K..... > > Master Secret: > > 0000: DE 99 96 B0 F8 B8 4D C0 8D 9D D0 4E D1 7A F1 6E ......M....N.z.n > > 0010: A4 4A 68 7A CB E6 1F 51 68 C8 1D ED F9 76 40 CE .Jhz...Qh....v@ > . > > 0020: FB 4C 1B D3 FF 1B ED 27 0C 2C 3F 1C 89 D8 5F CD .L.....'.,?..._. > > ... no MAC keys used for this cipher > > Client write key: > > 0000: 4E 9D 81 E6 5F 84 FD 57 C0 36 A0 9B 62 C3 42 C3 N..._..W.6..b.B. > > Server write key: > > 0000: 45 E7 4B 02 85 0A D3 05 D8 5F 25 7D EE 0D E9 9E E.K......_%..... > > Client write IV: > > 0000: 81 92 DF AE .... > > Server write IV: > > 0000: AB 27 F3 37 .'.7 > > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1 > > *** Finished > > verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 } > > *** > > main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2 Change > > Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length = 40 > > *** Finished > > verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 } > > *** > > %% Cached client session: [Session-1, > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] > > main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE: TLSv1.2 > > Application Data, length = 200 > > > > There's no CertificateVerify message > > > > Java code is quite typical > > > > factory = new JaxWsProxyFactoryBean(); > > factory.setAddress("https://xxx";); > > > > factory.setServiceClass(XXX.class); > > XXX xxx = (XXX) factory.create(); > > > > Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit = > > (HTTPConduit) client.getConduit(); > > httpConduit.setTlsClientParameters(Utils.getTlsParams()); > > > > and tls params I set only the keystore. I learnt the server cert is > registered in > > Comodo > > > > tlsParams.setDisableCNCheck(true); > > tlsParams.setSecureSocketProtocol("TLS"); > > KeyManagerFactory keyFactory = > > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); > > keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[] km = > > keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km); > > > > Not sure it's about the cert - but soapui is working or it's about the > java code > > cxf 3.0.12 and cannot be upgraded > > > > 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[email protected]>: > > > > > Hi, > > > > > > As the first step, I would recommend to activate -Djavax.net.debug=all > > > JVM property, you will get a bit more information about error. > > > > > > You can also check if server requires client authentication using > > > OpenSSL, there are some hints regarding that: https://security. > > > stackexchange.com/questions/101511/determine-if-a-server- > > > is-asking-for-a-client-certificate-using-openssl-s-client. > > > > > > Regards, > > > Andrei. > > > > > > > -----Original Message----- > > > > From: Arek R. [mailto:[email protected]] > > > > Sent: Dienstag, 27. Juni 2017 10:15 > > > > To: [email protected] > > > > Subject: Re: 2way ssl > > > > > > > > I had to switch the idea and ssl terminates at jetty server. So I > > > > had to > > > configure > > > > things like keystore etc. At the same time I've setup ssl > > > > configuration > > > like > > > > keystore etc and link to the HttpConduit. Also added > > > <sec:clientAuthenticayion > > > > required='true' want='true'/> But don't understand how these 2 > > > > configs > > > are > > > > working together and I had an impression that cxf config is ignored > > > Don't know > > > > how to proof that server requests for the client certificate > > > > > > > > 2017-06-23 23:11 GMT+02:00 Christian Schneider > > > ><[email protected] > > > >: > > > > > > > > > If your client needs to call the nginx proxy instead of the > > > > > service then the proxy must provide all the server side ssl setup > > > > > including the 2 way ssl rules which client certs are allowed to > connect. > > > > > > > > > > Christian > > > > > > > > > > 2017-06-23 15:30 GMT+02:00 Arek R. <[email protected]>: > > > > > > > > > > > 1. I've a requirement to implement 2 way ssl. I'm using > > > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a > > > > > > test via https. 1 way ssl is working. > > > > > > Now want to add a client certificate cause there's an error in > > > > > > the server log like 'client sent no required SSL certificate > > > > > > while reading client request headers' but cannot find any good > > > > > > example how to do it. Any hint > > > > > ? > > > > > > > > > > > > 2. If ssl terminates at nginx server am I able to recognize the > > > > > > client on the web server ? > > > > > > I guess no and in such case I should handle ssl at jetty/cxf > level. > > > > > Please > > > > > > confirm. > > > > > > Or the only way is to sign the messages and then it doesn't > > > > > > matter where ssl is handled. > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > -- > > > > > Christian Schneider > > > > > http://www.liquid-reality.de > > > > > > > > > > > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5 > > > > a7 > > > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de> > > > > > > > > > > Open Source Architect > > > > > http://www.talend.com > > > > > > > > > > > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5 > > > > a7 > > > > > e > > > > > 46&URL=http%3a%2f%2fwww.talend.com> > > > > > > > > >
