You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Jakub Neubauer (JIRA)" <ji...@apache.org> on 2014/04/24 12:43:14 UTC

[jira] [Commented] (CXF-5525) Client - UntrustedURLConnectionIOException even the HTTPS established with client certificate auth

    [ https://issues.apache.org/jira/browse/CXF-5525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13979560#comment-13979560 ] 

Jakub Neubauer commented on CXF-5525:
-------------------------------------

Problem is that client certificate verification is done by IIS in later time, not at the beginning of the SSL communication. I'll try do describe the communication:
# SSL Handshake is done between client and IIS server, but first WITHOUT client certificate verification.
# Client sends the HTTP request (at least the header, where URL is specified).
# IIS server recognizes the requested URL and re-initiates the SSL handshake (with SSL message Change_cipher_spec). It works in this way because in IIS you can specify different SSL behaviour for different URLs. So for example, for one endpoint you can configure SSL without client certificate and for second endpoint WITH client certificate.
# During the second SSL handshake, the client certificate is requested by IIS server and verified.
# Then the rest of request is processed by IIS server.

Problem is, that CXF client doesn't count with this behaviour. If certificate authentication is configured in WSDL, the CXF client performs a check that the client certificate was sent during the handshake (in one of the CXF phases - org.apache.cxf.phase.Phase). But it is done just after the FIRST handshake. This check by CXF client is done yet before the request data are sent, it is performed after just the first SSL handshake. But as I described, the first handshake is without client certificate. The certificate is requested by IIS server in second handshake, after URL is known to the IIS server. But CXF client never comes to this point, since it fails on the check after the first handshake - as is seen from the exception stacktrace.

So, I suggest not doing the check that client certificate was requested by the server - after all, it is the SERVER responsibility to check the certificate - why should the CXF client care about it?
It means removing the code in the HttpsTokenInterceptorProvider.java, somewhere around line 115:

{noformat}
if (info.getLocalCertificates() == null || info.getLocalCertificates().length == 0) {
  throw new UntrustedURLConnectionIOException( "RequireClientCertificate is set, "
    + "but no local certificates were negotiated.  Is"
    + " the server set to ask for client authorization?");
}
{noformat}


> Client - UntrustedURLConnectionIOException even the HTTPS established with client certificate auth
> --------------------------------------------------------------------------------------------------
>
>                 Key: CXF-5525
>                 URL: https://issues.apache.org/jira/browse/CXF-5525
>             Project: CXF
>          Issue Type: Bug
>         Environment: java 1.6.0_45 and 1.7.0_45 on Windows 8, CXF version 2.7.6
>            Reporter: Jakub Neubauer
>
> Hi,
> I'm facing issue with CXF client. I have a Java client generated from WSDL. The WSDL contains RequireClientCertificate="true" in the Policy. I'm calling a web service over HTTPS with client certificate authentication. Although HTTPS connection is established and with client certificate authentication (ensured with -Djavax.net.debug=all), calling a WS method throws exception.
> The strange thing is, that the first call succeeded and the second and all other calls, fail with this exception (!). The other calls can be done with the same client object or can create new, no matter. The client object is created as follows:
> {code}
> // our custom ssl settings, with client cert auth in this case.
> SSLSocketFactory sslSockF =
> createSSLSocketFactoryFromProperties(_properties);
> ProductionService service = new ProductionService(
>          new URL(myURL),
>          new QName("http://mycompany.com/api/productionService",
> "ProductionService"));
> port = service.getBasicHttpBindingIProductionService();
> Client client = ClientProxy.getClient(port);
> HTTPConduit http = (HTTPConduit) client.getConduit();
> TLSClientParameters tlsParams = new TLSClientParameters();
> tlsParams.setDisableCNCheck(true);
> tlsParams.setSSLSocketFactory(sslSockF);
> http.setTlsClientParameters(tlsParams);
> return port;
> {code}
> The exception:
> {noformat}
> -----------------------------
> etc...
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: UntrustedURLConnectionIOException invoking https://192.168.101.14/myApplication/services/ProductionService.svc: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
>  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
>  at java.lang.reflect.Constructor.newInstance(Unknown Source)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1334)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
>  at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>  at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:623)
>  at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>  at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:541)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>  at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>  at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>  ... 14 more
> Caused by: org.apache.cxf.transport.http.UntrustedURLConnectionIOException: RequireClientCertificate is set, but no local certificates were negotiated.  Is the server set to ask for client authorization?
>  at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor$1.establishTrust(HttpsTokenInterceptorProvider.java:117)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.makeTrustDecision(HTTPConduit.java:1680)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1264)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
>  at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195)
>  at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
>  at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
>  at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1291)
>  ... 24 more
> -----------------------------
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)