On 12/01/2016 16:39, David Sills wrote: > Oh, and by the way, it turns out I'm using Java 6, not 8. Not that that > should make a huge difference, but our client is a bit behind the times.
Are you sure the right certs are in the right stores? If all the certs are self-signed then: The trust store used by the client must include the server's cert. The trust store used by the server must include the client's cert. In isn't clear (to me anyway) form your original post what certs are in what stores. There should be no limits on using self-signed certs but with old Java 6 and Java 8 you might hit an issue with general SSL compatibility. If it works without a client cert then you should be OK. Mark > > -----Original Message----- > From: David Sills [mailto:dsi...@datasourceinc.com] > Sent: Tuesday, January 12, 2016 11:35 AM > To: Tomcat Users List > Subject: RE: Problem with clientAuth SSL connection > > Christopher: > > Thank you for your prompt reply. > > The client does seem to need a trust store when dealing with a self-signed > certificate from the server, as otherwise it tries to create a chain back to > an implicitly trusted CA. I agree, with a commercial certificate this would > not be necessary, as such a chain would be available. I prefer to separate > the keystores (the one for the client and the one for the server) on both > sides. I was hoping that the trust store would work the same in Tomcat as it > does in the client (which does work, as I said, perfectly when only > validating one-way) - whatever was in it would be implicitly trusted without > checking for a certificate chain. > > This message seems to say that the server is shutting down the handshake > connection just when the client is about to send its certificate, but perhaps > I'm misinterpreting it. > > Another possibility: perhaps self-signed certificates aren't allowed for > client authentication on the server side? > > David > > > > -----Original Message----- > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Sent: Tuesday, January 12, 2016 11:02 AM > To: Tomcat Users List > Subject: Re: Problem with clientAuth SSL connection > > David, > > On 1/12/16 7:43 AM, David Sills wrote: >> All: >> >> I'm trying to set up clientAuth SSL connection between a batch process and >> Tomcat (7.0.55, Java 8 64-bit server). One-way SSL works wonderfully. I set >> up a server certificate (self-signed) and used this configuration in Tomcat >> (server.xml): >> >> <Connector port="${https.port}" >> protocol="org.apache.coyote.http11.Http11Protocol" >> maxThreads="150" SSLEnabled="true" scheme="https" >> secure="true" sslProtocol="TLS" >> keystoreFile="conf/dsikeystore.jks" >> keystorePass="keystorePassword" >> clientAuth="false" >> /> >> >> In the client, I used >> >> java -cp ws-client.jar -Djavax.net.ssl.trustStore=clientkeystore2.jks >> -Djavax.net.ssl.trustStorePassword=changeme >> com.datasourceinc.abis.ws.pds.ServiceClient >> >> It seemed to me pretty straightforward that to set up client >> authentication, I would need to >> >> >> 1. Generate another (self-signed) certificate >> >> 2. Export that certificate to a *.crt file >> >> 3. Create another keystore on the server >> >> 4. Import the certificate from #2 >> >> 5. Mark that in the configuration as the trust store >> >> So, >> >> <Connector port="${https.port}" >> protocol="org.apache.coyote.http11.Http11Protocol" >> maxThreads="150" SSLEnabled="true" scheme="https" >> secure="true" sslProtocol="TLS" >> keystoreFile="conf/dsikeystore.jks" >> keystorePass="keystorePassword" >> clientAuth="true" >> truststoreFile="conf/clienttrustkeystore.jks" >> truststorePass="changeme" >> /> > > Pretty much, yes. > >> And change the client (which has the original self-signed certificate) >> thus >> >> java -cp ws-client.jar -Djavax.net.ssl.keyStore=clientkeystore.jks >> -Djavax.net.ssl.keyStorePassword=changeme >> -Djavax.net.ssl.trustStore=clientkeystore2.jks >> -Djavax.net.ssl.trustStorePassword=changeme >> com.datasourceinc.abis.ws.pds.ServiceClient > > No, the client doesn't need a trust store. The client needs to specify the > keystore where the client certificate exists. Also, the client needs to know > which key to present to the server. Is the client you are using known to work > correctly? I'm tempted to recommend that you use another tool known to do > client-certs correctly, just in case your home-brewed tool is not doing what > it should. > >> >> All keystores have been verified. >> >> I have to have done something wrong or missed a step, because I keep butting >> up against this error, even after having tried all the fixes I read online, >> including restarting my (Windows 7) machine and of course restarting the >> server: >> >> java.net.SocketException: Software caused connection abort: recv failed >> at java.net.SocketInputStream.socketRead0(Native Method) >> at java.net.SocketInputStream.read(Unknown Source) >> at java.net.SocketInputStream.read(Unknown Source) >> at sun.security.ssl.InputRecord.readFully(Unknown Source) >> at sun.security.ssl.InputRecord.read(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.waitForClose(Unknown Source) >> at sun.security.ssl.HandshakeOutStream.flush(Unknown Source) >> at sun.security.ssl.Handshaker.sendChangeCipherSpec(Unknown Source) >> at >> sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source) >> at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source) >> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) >> at sun.security.ssl.Handshaker.processLoop(Unknown Source) >> at sun.security.ssl.Handshaker.process_record(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown >> Source) >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) >> at >> org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) >> at >> org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) >> at >> org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) >> at >> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) >> >> at >> org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) >> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) >> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) >> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) >> at org.apache.axis.client.Call.invokeEngine(Call.java:2784) >> at org.apache.axis.client.Call.invoke(Call.java:2767) >> at org.apache.axis.client.Call.invoke(Call.java:2443) >> at org.apache.axis.client.Call.invoke(Call.java:2366) >> at org.apache.axis.client.Call.invoke(Call.java:1812) >> at >> com.datasourceinc.abis.ws.pds.server.generated.IRS_PDS_ABIS_ServiceSOAP12BindingStub.update(IRS_PDS_ABIS_ServiceSOAP12BindingStub.java:164) >> at >> com.datasourceinc.abis.ws.pds.PdsServiceClient.main(PdsServiceClient.j >> ava:47) >> >> {http://xml.apache.org/axis/}hostname:DSI-DEV03 >> >> java.net.SocketException: Software caused connection abort: recv failed >> at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) >> at >> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) >> >> at >> org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) >> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) >> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) >> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) >> at org.apache.axis.client.Call.invokeEngine(Call.java:2784) >> at org.apache.axis.client.Call.invoke(Call.java:2767) >> at org.apache.axis.client.Call.invoke(Call.java:2443) >> at org.apache.axis.client.Call.invoke(Call.java:2366) >> at org.apache.axis.client.Call.invoke(Call.java:1812) >> at >> com.datasourceinc.abis.ws.pds.server.generated.IRS_PDS_ABIS_ServiceSOAP12BindingStub.update(IRS_PDS_ABIS_ServiceSOAP12BindingStub.java:164) >> at >> com.datasourceinc.abis.ws.pds.PdsServiceClient.main(PdsServiceClient.j >> ava:47) Caused by: java.net.SocketException: Software caused >> connection abort: recv failed >> at java.net.SocketInputStream.socketRead0(Native Method) >> at java.net.SocketInputStream.read(Unknown Source) >> at java.net.SocketInputStream.read(Unknown Source) >> at sun.security.ssl.InputRecord.readFully(Unknown Source) >> at sun.security.ssl.InputRecord.read(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.waitForClose(Unknown Source) >> at sun.security.ssl.HandshakeOutStream.flush(Unknown Source) >> at sun.security.ssl.Handshaker.sendChangeCipherSpec(Unknown Source) >> at >> sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source) >> at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source) >> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) >> at sun.security.ssl.Handshaker.processLoop(Unknown Source) >> at sun.security.ssl.Handshaker.process_record(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown >> Source) >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) >> at >> org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) >> at >> org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) >> at >> org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) >> at >> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) >> >> ... 11 more >> >> Does anyone have any ideas that might help? > -chris > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
