Strange. Could you trace both working client under java 7 and "problem" client under java 8 using -Djavax.net.debug=all and compare these traces? Perhaps you can see the difference on early stage.
Regards, Andrei. > -----Original Message----- > From: Arek R. [mailto:[email protected]] > Sent: Montag, 10. Juli 2017 19:55 > To: [email protected] > Subject: Re: 2way ssl > > I believe I did it properly. I've got to the point where it's working if > client is run > on java7, but don't work with java8 On server side I can find SSL: TLSv1.2, > cipher: "ECDHE-RSA-AES256-SHA384 > TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384" in the logs. Still don't > know it's sth with the certificate chain, with the cert itself, server > configuration > > > 2017-07-04 18:53 GMT+02:00 Andrei Shakirin <[email protected]>: > > > Hi, > > > > You need to configure keyManager and trustManager on client side. > > The keystore have to contain server certificate for trustManager and > > public/private key pair for the keyManager. > > > > Take a look this integration test: https://github.com/apache/cxf/ > > blob/master/services/sts/systests/basic/src/test/java/ > > org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java > > Method prepareTLSParams(). > > > > Regards, > > Andrei. > > > > > -----Original Message----- > > > From: Arek R. [mailto:[email protected]] > > > Sent: Freitag, 30. Juni 2017 09:54 > > > To: [email protected] > > > Subject: Re: 2way ssl > > > > > > I cannot get it working. The server says that client doesn't send > > > the > > certificate. > > > My client keystore contains only the client key/cert pair and this > > > is > > working in > > > SoapUi project but not in pure java > > > > > > Here is the log > > > > > > main, READ: TLSv1.2 Handshake, length = 333 > > > *** ECDH ServerKeyExchange > > > Signature Algorithm SHA512withRSA > > > Server key: Sun EC public key, 256 bits > > > public x coord: 830289587105151256207749267013 > > > 20321981505124484199856534866410300374616735045 > > > public y coord: 332067304039254916257006573681 > > > 82738242939062461168510217069674332072760548082 > > > parameters: secp256r1 [NIST P-256, X9.62 prime256v1] > > (1.2.840.10045.3.1.7) > > > main, READ: TLSv1.2 Handshake, length = 4 > > > *** ServerHelloDone > > > *** ECDHClientKeyExchange > > > ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, > > > 48, > > 83, 140, > > > 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13, > > > 143, > > 160, 102, > > > 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118, > > 127, 252, > > > 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103, > > > 4, > > 8 } main, > > > WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN: > > > PreMaster Secret: > > > 0000: C2 9D 01 D3 06 E1 C3 C4 E5 C0 68 95 D1 1E A3 1C ..........h..... > > > 0010: 09 7F C1 0F C5 B8 92 A5 6D A2 AA 46 B8 C6 03 DA ........m..F.... > > > CONNECTION KEYGEN: > > > Client Nonce: > > > 0000: 59 55 FF E2 DD 56 BB 05 D3 4E 0D 72 98 86 F6 02 YU...V...N.r.... > > > 0010: 71 76 CF EC C7 5F CC 4B 6C CE EE 53 DF AE E6 10 qv..._.Kl..S.... > > > Server Nonce: > > > 0000: DA E6 A8 95 F7 E3 89 4F 19 1A AB B5 23 F1 3A B4 .......O....#.:. > > > 0010: 58 76 21 FC 95 0A 8D FE 3F FD 4B 1E D3 CC D5 F3 Xv!.....?.K..... > > > Master Secret: > > > 0000: DE 99 96 B0 F8 B8 4D C0 8D 9D D0 4E D1 7A F1 6E ......M....N.z.n > > > 0010: A4 4A 68 7A CB E6 1F 51 68 C8 1D ED F9 76 40 CE .Jhz...Qh....v@ > > . > > > 0020: FB 4C 1B D3 FF 1B ED 27 0C 2C 3F 1C 89 D8 5F CD .L.....'.,?..._. > > > ... no MAC keys used for this cipher Client write key: > > > 0000: 4E 9D 81 E6 5F 84 FD 57 C0 36 A0 9B 62 C3 42 C3 N..._..W.6..b.B. > > > Server write key: > > > 0000: 45 E7 4B 02 85 0A D3 05 D8 5F 25 7D EE 0D E9 9E E.K......_%..... > > > Client write IV: > > > 0000: 81 92 DF AE .... > > > Server write IV: > > > 0000: AB 27 F3 37 .'.7 > > > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1 > > > *** Finished > > > verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 > > > } > > > *** > > > main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2 > > > Change Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length > > > = 40 > > > *** Finished > > > verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 } > > > *** > > > %% Cached client session: [Session-1, > > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] > > > main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE: > > > TLSv1.2 Application Data, length = 200 > > > > > > There's no CertificateVerify message > > > > > > Java code is quite typical > > > > > > factory = new JaxWsProxyFactoryBean(); > > > factory.setAddress("https://xxx";); > > > > > > factory.setServiceClass(XXX.class); > > > XXX xxx = (XXX) factory.create(); > > > > > > Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit > > > = > > > (HTTPConduit) client.getConduit(); > > > httpConduit.setTlsClientParameters(Utils.getTlsParams()); > > > > > > and tls params I set only the keystore. I learnt the server cert is > > registered in > > > Comodo > > > > > > tlsParams.setDisableCNCheck(true); > > > tlsParams.setSecureSocketProtocol("TLS"); > > > KeyManagerFactory keyFactory = > > > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm( > > > )); keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[] > > > km = keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km); > > > > > > Not sure it's about the cert - but soapui is working or it's about > > > the > > java code > > > cxf 3.0.12 and cannot be upgraded > > > > > > 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <[email protected]>: > > > > > > > Hi, > > > > > > > > As the first step, I would recommend to activate > > > > -Djavax.net.debug=all JVM property, you will get a bit more information > about error. > > > > > > > > You can also check if server requires client authentication using > > > > OpenSSL, there are some hints regarding that: https://security. > > > > stackexchange.com/questions/101511/determine-if-a-server- > > > > is-asking-for-a-client-certificate-using-openssl-s-client. > > > > > > > > Regards, > > > > Andrei. > > > > > > > > > -----Original Message----- > > > > > From: Arek R. [mailto:[email protected]] > > > > > Sent: Dienstag, 27. Juni 2017 10:15 > > > > > To: [email protected] > > > > > Subject: Re: 2way ssl > > > > > > > > > > I had to switch the idea and ssl terminates at jetty server. So > > > > > I had to > > > > configure > > > > > things like keystore etc. At the same time I've setup ssl > > > > > configuration > > > > like > > > > > keystore etc and link to the HttpConduit. Also added > > > > <sec:clientAuthenticayion > > > > > required='true' want='true'/> But don't understand how these 2 > > > > > configs > > > > are > > > > > working together and I had an impression that cxf config is > > > > > ignored > > > > Don't know > > > > > how to proof that server requests for the client certificate > > > > > > > > > > 2017-06-23 23:11 GMT+02:00 Christian Schneider > > > > ><[email protected] > > > > >: > > > > > > > > > > > If your client needs to call the nginx proxy instead of the > > > > > > service then the proxy must provide all the server side ssl > > > > > > setup including the 2 way ssl rules which client certs are > > > > > > allowed to > > connect. > > > > > > > > > > > > Christian > > > > > > > > > > > > 2017-06-23 15:30 GMT+02:00 Arek R. <[email protected]>: > > > > > > > > > > > > > 1. I've a requirement to implement 2 way ssl. I'm using > > > > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run > > > > > > > a test via https. 1 way ssl is working. > > > > > > > Now want to add a client certificate cause there's an error > > > > > > > in the server log like 'client sent no required SSL > > > > > > > certificate while reading client request headers' but cannot > > > > > > > find any good example how to do it. Any hint > > > > > > ? > > > > > > > > > > > > > > 2. If ssl terminates at nginx server am I able to recognize > > > > > > > the client on the web server ? > > > > > > > I guess no and in such case I should handle ssl at jetty/cxf > > level. > > > > > > Please > > > > > > > confirm. > > > > > > > Or the only way is to sign the messages and then it doesn't > > > > > > > matter where ssl is handled. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > -- > > > > > > Christian Schneider > > > > > > http://www.liquid-reality.de > > > > > > > > > > > > > > > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5 > > > > > a7 > > > > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de> > > > > > > > > > > > > Open Source Architect > > > > > > http://www.talend.com > > > > > > > > > > > > > > > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5 > > > > > a7 > > > > > > e > > > > > > 46&URL=http%3a%2f%2fwww.talend.com> > > > > > > > > > > > >
