Christopher: Thank you for your prompt reply.
The client does seem to need a trust store when dealing with a self-signed certificate from the server, as otherwise it tries to create a chain back to an implicitly trusted CA. I agree, with a commercial certificate this would not be necessary, as such a chain would be available. I prefer to separate the keystores (the one for the client and the one for the server) on both sides. I was hoping that the trust store would work the same in Tomcat as it does in the client (which does work, as I said, perfectly when only validating one-way) - whatever was in it would be implicitly trusted without checking for a certificate chain. This message seems to say that the server is shutting down the handshake connection just when the client is about to send its certificate, but perhaps I'm misinterpreting it. Another possibility: perhaps self-signed certificates aren't allowed for client authentication on the server side? David -----Original Message----- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, January 12, 2016 11:02 AM To: Tomcat Users List Subject: Re: Problem with clientAuth SSL connection David, On 1/12/16 7:43 AM, David Sills wrote: > All: > > I'm trying to set up clientAuth SSL connection between a batch process and > Tomcat (7.0.55, Java 8 64-bit server). One-way SSL works wonderfully. I set > up a server certificate (self-signed) and used this configuration in Tomcat > (server.xml): > > <Connector port="${https.port}" > protocol="org.apache.coyote.http11.Http11Protocol" > maxThreads="150" SSLEnabled="true" scheme="https" > secure="true" sslProtocol="TLS" > keystoreFile="conf/dsikeystore.jks" > keystorePass="keystorePassword" > clientAuth="false" > /> > > In the client, I used > > java -cp ws-client.jar -Djavax.net.ssl.trustStore=clientkeystore2.jks > -Djavax.net.ssl.trustStorePassword=changeme > com.datasourceinc.abis.ws.pds.ServiceClient > > It seemed to me pretty straightforward that to set up client > authentication, I would need to > > > 1. Generate another (self-signed) certificate > > 2. Export that certificate to a *.crt file > > 3. Create another keystore on the server > > 4. Import the certificate from #2 > > 5. Mark that in the configuration as the trust store > > So, > > <Connector port="${https.port}" > protocol="org.apache.coyote.http11.Http11Protocol" > maxThreads="150" SSLEnabled="true" scheme="https" > secure="true" sslProtocol="TLS" > keystoreFile="conf/dsikeystore.jks" > keystorePass="keystorePassword" > clientAuth="true" > truststoreFile="conf/clienttrustkeystore.jks" > truststorePass="changeme" > /> Pretty much, yes. > And change the client (which has the original self-signed certificate) > thus > > java -cp ws-client.jar -Djavax.net.ssl.keyStore=clientkeystore.jks > -Djavax.net.ssl.keyStorePassword=changeme > -Djavax.net.ssl.trustStore=clientkeystore2.jks > -Djavax.net.ssl.trustStorePassword=changeme > com.datasourceinc.abis.ws.pds.ServiceClient No, the client doesn't need a trust store. The client needs to specify the keystore where the client certificate exists. Also, the client needs to know which key to present to the server. Is the client you are using known to work correctly? I'm tempted to recommend that you use another tool known to do client-certs correctly, just in case your home-brewed tool is not doing what it should. > > All keystores have been verified. > > I have to have done something wrong or missed a step, because I keep butting > up against this error, even after having tried all the fixes I read online, > including restarting my (Windows 7) machine and of course restarting the > server: > > java.net.SocketException: Software caused connection abort: recv failed > at java.net.SocketInputStream.socketRead0(Native Method) > at java.net.SocketInputStream.read(Unknown Source) > at java.net.SocketInputStream.read(Unknown Source) > at sun.security.ssl.InputRecord.readFully(Unknown Source) > at sun.security.ssl.InputRecord.read(Unknown Source) > at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > at sun.security.ssl.SSLSocketImpl.waitForClose(Unknown Source) > at sun.security.ssl.HandshakeOutStream.flush(Unknown Source) > at sun.security.ssl.Handshaker.sendChangeCipherSpec(Unknown Source) > at > sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source) > at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source) > at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) > at sun.security.ssl.Handshaker.processLoop(Unknown Source) > at sun.security.ssl.Handshaker.process_record(Unknown Source) > at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown > Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at > org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) > at > org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) > at > org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) > at > org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) > > at > org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) > at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) > at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) > at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) > at org.apache.axis.client.Call.invokeEngine(Call.java:2784) > at org.apache.axis.client.Call.invoke(Call.java:2767) > at org.apache.axis.client.Call.invoke(Call.java:2443) > at org.apache.axis.client.Call.invoke(Call.java:2366) > at org.apache.axis.client.Call.invoke(Call.java:1812) > at > com.datasourceinc.abis.ws.pds.server.generated.IRS_PDS_ABIS_ServiceSOAP12BindingStub.update(IRS_PDS_ABIS_ServiceSOAP12BindingStub.java:164) > at > com.datasourceinc.abis.ws.pds.PdsServiceClient.main(PdsServiceClient.j > ava:47) > > {http://xml.apache.org/axis/}hostname:DSI-DEV03 > > java.net.SocketException: Software caused connection abort: recv failed > at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) > at > org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) > > at > org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) > at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) > at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) > at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) > at org.apache.axis.client.Call.invokeEngine(Call.java:2784) > at org.apache.axis.client.Call.invoke(Call.java:2767) > at org.apache.axis.client.Call.invoke(Call.java:2443) > at org.apache.axis.client.Call.invoke(Call.java:2366) > at org.apache.axis.client.Call.invoke(Call.java:1812) > at > com.datasourceinc.abis.ws.pds.server.generated.IRS_PDS_ABIS_ServiceSOAP12BindingStub.update(IRS_PDS_ABIS_ServiceSOAP12BindingStub.java:164) > at > com.datasourceinc.abis.ws.pds.PdsServiceClient.main(PdsServiceClient.j > ava:47) Caused by: java.net.SocketException: Software caused > connection abort: recv failed > at java.net.SocketInputStream.socketRead0(Native Method) > at java.net.SocketInputStream.read(Unknown Source) > at java.net.SocketInputStream.read(Unknown Source) > at sun.security.ssl.InputRecord.readFully(Unknown Source) > at sun.security.ssl.InputRecord.read(Unknown Source) > at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > at sun.security.ssl.SSLSocketImpl.waitForClose(Unknown Source) > at sun.security.ssl.HandshakeOutStream.flush(Unknown Source) > at sun.security.ssl.Handshaker.sendChangeCipherSpec(Unknown Source) > at > sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source) > at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source) > at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) > at sun.security.ssl.Handshaker.processLoop(Unknown Source) > at sun.security.ssl.Handshaker.process_record(Unknown Source) > at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown > Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) > at > org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) > at > org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) > at > org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) > at > org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) > > ... 11 more > > Does anyone have any ideas that might help? -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
