David, On 1/12/16 11:34 AM, David Sills wrote: > The client does seem to need a trust store when dealing with a > self-signed certificate from the server, as otherwise it tries to > create a chain back to an implicitly trusted CA. I agree, with a > commercial certificate this would not be necessary, as such a chain > would be available. I prefer to separate the keystores (the one for > the client and the one for the server) on both sides.
In fact, you *should* keep them separate. > I was hoping that the trust store would work the same in Tomcat as it > does in the client (which does work, as I said, perfectly when only > validating one-way) - whatever was in it would be implicitly trusted > without checking for a certificate chain. Aah, of course. I had neglected that part of your OP. > This message seems to say that the server is shutting down the > handshake connection just when the client is about to send its > certificate, but perhaps I'm misinterpreting it. > > Another possibility: perhaps self-signed certificates aren't allowed > for client authentication on the server side? It's up to the server to decide if it will accept the client's certificate. There is no particular prohibition against self-signed certificates. I would imagine that there are a large number of self-signed client certificates in use with Tomcat, but that's just a wild guess. -chris > -----Original Message----- > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Sent: Tuesday, January 12, 2016 11:02 AM > To: Tomcat Users List > Subject: Re: Problem with clientAuth SSL connection > > David, > > On 1/12/16 7:43 AM, David Sills wrote: >> All: >> >> I'm trying to set up clientAuth SSL connection between a batch process and >> Tomcat (7.0.55, Java 8 64-bit server). One-way SSL works wonderfully. I set >> up a server certificate (self-signed) and used this configuration in Tomcat >> (server.xml): >> >> <Connector port="${https.port}" >> protocol="org.apache.coyote.http11.Http11Protocol" >> maxThreads="150" SSLEnabled="true" scheme="https" >> secure="true" sslProtocol="TLS" >> keystoreFile="conf/dsikeystore.jks" >> keystorePass="keystorePassword" >> clientAuth="false" >> /> >> >> In the client, I used >> >> java -cp ws-client.jar -Djavax.net.ssl.trustStore=clientkeystore2.jks >> -Djavax.net.ssl.trustStorePassword=changeme >> com.datasourceinc.abis.ws.pds.ServiceClient >> >> It seemed to me pretty straightforward that to set up client >> authentication, I would need to >> >> >> 1. Generate another (self-signed) certificate >> >> 2. Export that certificate to a *.crt file >> >> 3. Create another keystore on the server >> >> 4. Import the certificate from #2 >> >> 5. Mark that in the configuration as the trust store >> >> So, >> >> <Connector port="${https.port}" >> protocol="org.apache.coyote.http11.Http11Protocol" >> maxThreads="150" SSLEnabled="true" scheme="https" >> secure="true" sslProtocol="TLS" >> keystoreFile="conf/dsikeystore.jks" >> keystorePass="keystorePassword" >> clientAuth="true" >> truststoreFile="conf/clienttrustkeystore.jks" >> truststorePass="changeme" >> /> > > Pretty much, yes. > >> And change the client (which has the original self-signed certificate) >> thus >> >> java -cp ws-client.jar -Djavax.net.ssl.keyStore=clientkeystore.jks >> -Djavax.net.ssl.keyStorePassword=changeme >> -Djavax.net.ssl.trustStore=clientkeystore2.jks >> -Djavax.net.ssl.trustStorePassword=changeme >> com.datasourceinc.abis.ws.pds.ServiceClient > > No, the client doesn't need a trust store. The client needs to specify the > keystore where the client certificate exists. Also, the client needs to know > which key to present to the server. Is the client you are using known to work > correctly? I'm tempted to recommend that you use another tool known to do > client-certs correctly, just in case your home-brewed tool is not doing what > it should. > >> >> All keystores have been verified. >> >> I have to have done something wrong or missed a step, because I keep butting >> up against this error, even after having tried all the fixes I read online, >> including restarting my (Windows 7) machine and of course restarting the >> server: >> >> java.net.SocketException: Software caused connection abort: recv failed >> at java.net.SocketInputStream.socketRead0(Native Method) >> at java.net.SocketInputStream.read(Unknown Source) >> at java.net.SocketInputStream.read(Unknown Source) >> at sun.security.ssl.InputRecord.readFully(Unknown Source) >> at sun.security.ssl.InputRecord.read(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.waitForClose(Unknown Source) >> at sun.security.ssl.HandshakeOutStream.flush(Unknown Source) >> at sun.security.ssl.Handshaker.sendChangeCipherSpec(Unknown Source) >> at >> sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source) >> at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source) >> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) >> at sun.security.ssl.Handshaker.processLoop(Unknown Source) >> at sun.security.ssl.Handshaker.process_record(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown >> Source) >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) >> at >> org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) >> at >> org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) >> at >> org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) >> at >> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) >> >> at >> org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) >> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) >> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) >> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) >> at org.apache.axis.client.Call.invokeEngine(Call.java:2784) >> at org.apache.axis.client.Call.invoke(Call.java:2767) >> at org.apache.axis.client.Call.invoke(Call.java:2443) >> at org.apache.axis.client.Call.invoke(Call.java:2366) >> at org.apache.axis.client.Call.invoke(Call.java:1812) >> at >> com.datasourceinc.abis.ws.pds.server.generated.IRS_PDS_ABIS_ServiceSOAP12BindingStub.update(IRS_PDS_ABIS_ServiceSOAP12BindingStub.java:164) >> at >> com.datasourceinc.abis.ws.pds.PdsServiceClient.main(PdsServiceClient.j >> ava:47) >> >> {http://xml.apache.org/axis/}hostname:DSI-DEV03 >> >> java.net.SocketException: Software caused connection abort: recv failed >> at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) >> at >> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) >> >> at >> org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) >> at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) >> at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) >> at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) >> at org.apache.axis.client.Call.invokeEngine(Call.java:2784) >> at org.apache.axis.client.Call.invoke(Call.java:2767) >> at org.apache.axis.client.Call.invoke(Call.java:2443) >> at org.apache.axis.client.Call.invoke(Call.java:2366) >> at org.apache.axis.client.Call.invoke(Call.java:1812) >> at >> com.datasourceinc.abis.ws.pds.server.generated.IRS_PDS_ABIS_ServiceSOAP12BindingStub.update(IRS_PDS_ABIS_ServiceSOAP12BindingStub.java:164) >> at >> com.datasourceinc.abis.ws.pds.PdsServiceClient.main(PdsServiceClient.j >> ava:47) Caused by: java.net.SocketException: Software caused >> connection abort: recv failed >> at java.net.SocketInputStream.socketRead0(Native Method) >> at java.net.SocketInputStream.read(Unknown Source) >> at java.net.SocketInputStream.read(Unknown Source) >> at sun.security.ssl.InputRecord.readFully(Unknown Source) >> at sun.security.ssl.InputRecord.read(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.waitForClose(Unknown Source) >> at sun.security.ssl.HandshakeOutStream.flush(Unknown Source) >> at sun.security.ssl.Handshaker.sendChangeCipherSpec(Unknown Source) >> at >> sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(Unknown Source) >> at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source) >> at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) >> at sun.security.ssl.Handshaker.processLoop(Unknown Source) >> at sun.security.ssl.Handshaker.process_record(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown >> Source) >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) >> at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) >> at >> org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) >> at >> org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) >> at >> org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) >> at >> org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) >> >> ... 11 more >> >> Does anyone have any ideas that might help? > -chris > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
