You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by "Arek R." <un...@gmail.com> on 2017/06/23 13:30:50 UTC
2way ssl
1. I've a requirement to implement 2 way ssl. I'm using
JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test via
https. 1 way ssl is working.
Now want to add a client certificate cause there's an error in the server
log like 'client sent no required SSL certificate while reading client
request headers' but cannot find any good example how to do it. Any hint ?
2. If ssl terminates at nginx server am I able to recognize the client on
the web server ?
I guess no and in such case I should handle ssl at jetty/cxf level. Please
confirm.
Or the only way is to sign the messages and then it doesn't matter where
ssl is handled.
Re: 2way ssl
Posted by "Arek R." <un...@gmail.com>.
I think I found it. There's a bug in java 1.8 that disables SNI and I've
multiple ssl servers on the same ip
And as I know client uses ibm message broker which is running on java 1.6,
probably it won't work
2017-07-12 22:43 GMT+02:00 Andrei Shakirin <as...@talend.com>:
> Strange.
>
> Could you trace both working client under java 7 and "problem" client
> under java 8 using -Djavax.net.debug=all and compare these traces?
> Perhaps you can see the difference on early stage.
>
> Regards,
> Andrei.
>
>
> > -----Original Message-----
> > From: Arek R. [mailto:undsame@gmail.com]
> > Sent: Montag, 10. Juli 2017 19:55
> > To: users@cxf.apache.org
> > Subject: Re: 2way ssl
> >
> > I believe I did it properly. I've got to the point where it's working
> if client is run
> > on java7, but don't work with java8 On server side I can find SSL:
> TLSv1.2,
> > cipher: "ECDHE-RSA-AES256-SHA384
> > TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384" in the logs. Still don't
> > know it's sth with the certificate chain, with the cert itself, server
> configuration
> >
> >
> > 2017-07-04 18:53 GMT+02:00 Andrei Shakirin <as...@talend.com>:
> >
> > > Hi,
> > >
> > > You need to configure keyManager and trustManager on client side.
> > > The keystore have to contain server certificate for trustManager and
> > > public/private key pair for the keyManager.
> > >
> > > Take a look this integration test: https://github.com/apache/cxf/
> > > blob/master/services/sts/systests/basic/src/test/java/
> > > org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
> > > Method prepareTLSParams().
> > >
> > > Regards,
> > > Andrei.
> > >
> > > > -----Original Message-----
> > > > From: Arek R. [mailto:undsame@gmail.com]
> > > > Sent: Freitag, 30. Juni 2017 09:54
> > > > To: users@cxf.apache.org
> > > > Subject: Re: 2way ssl
> > > >
> > > > I cannot get it working. The server says that client doesn't send
> > > > the
> > > certificate.
> > > > My client keystore contains only the client key/cert pair and this
> > > > is
> > > working in
> > > > SoapUi project but not in pure java
> > > >
> > > > Here is the log
> > > >
> > > > main, READ: TLSv1.2 Handshake, length = 333
> > > > *** ECDH ServerKeyExchange
> > > > Signature Algorithm SHA512withRSA
> > > > Server key: Sun EC public key, 256 bits
> > > > public x coord: 830289587105151256207749267013
> > > > 20321981505124484199856534866410300374616735045
> > > > public y coord: 332067304039254916257006573681
> > > > 82738242939062461168510217069674332072760548082
> > > > parameters: secp256r1 [NIST P-256, X9.62 prime256v1]
> > > (1.2.840.10045.3.1.7)
> > > > main, READ: TLSv1.2 Handshake, length = 4
> > > > *** ServerHelloDone
> > > > *** ECDHClientKeyExchange
> > > > ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151,
> > > > 48,
> > > 83, 140,
> > > > 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13,
> > > > 143,
> > > 160, 102,
> > > > 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118,
> > > 127, 252,
> > > > 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103,
> > > > 4,
> > > 8 } main,
> > > > WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN:
> > > > PreMaster Secret:
> > > > 0000: C2 9D 01 D3 06 E1 C3 C4 E5 C0 68 95 D1 1E A3 1C
> ..........h.....
> > > > 0010: 09 7F C1 0F C5 B8 92 A5 6D A2 AA 46 B8 C6 03 DA
> ........m..F....
> > > > CONNECTION KEYGEN:
> > > > Client Nonce:
> > > > 0000: 59 55 FF E2 DD 56 BB 05 D3 4E 0D 72 98 86 F6 02
> YU...V...N.r....
> > > > 0010: 71 76 CF EC C7 5F CC 4B 6C CE EE 53 DF AE E6 10
> qv..._.Kl..S....
> > > > Server Nonce:
> > > > 0000: DA E6 A8 95 F7 E3 89 4F 19 1A AB B5 23 F1 3A B4
> .......O....#.:.
> > > > 0010: 58 76 21 FC 95 0A 8D FE 3F FD 4B 1E D3 CC D5 F3
> Xv!.....?.K.....
> > > > Master Secret:
> > > > 0000: DE 99 96 B0 F8 B8 4D C0 8D 9D D0 4E D1 7A F1 6E
> ......M....N.z.n
> > > > 0010: A4 4A 68 7A CB E6 1F 51 68 C8 1D ED F9 76 40 CE
> .Jhz...Qh....v@
> > > .
> > > > 0020: FB 4C 1B D3 FF 1B ED 27 0C 2C 3F 1C 89 D8 5F CD
> .L.....'.,?..._.
> > > > ... no MAC keys used for this cipher Client write key:
> > > > 0000: 4E 9D 81 E6 5F 84 FD 57 C0 36 A0 9B 62 C3 42 C3
> N..._..W.6..b.B.
> > > > Server write key:
> > > > 0000: 45 E7 4B 02 85 0A D3 05 D8 5F 25 7D EE 0D E9 9E
> E.K......_%.....
> > > > Client write IV:
> > > > 0000: 81 92 DF AE ....
> > > > Server write IV:
> > > > 0000: AB 27 F3 37 .'.7
> > > > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> > > > *** Finished
> > > > verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32
> > > > }
> > > > ***
> > > > main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2
> > > > Change Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length
> > > > = 40
> > > > *** Finished
> > > > verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> > > > ***
> > > > %% Cached client session: [Session-1,
> > > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> > > > main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE:
> > > > TLSv1.2 Application Data, length = 200
> > > >
> > > > There's no CertificateVerify message
> > > >
> > > > Java code is quite typical
> > > >
> > > > factory = new JaxWsProxyFactoryBean();
> > > > factory.setAddress("https://xxx");
> > > >
> > > > factory.setServiceClass(XXX.class);
> > > > XXX xxx = (XXX) factory.create();
> > > >
> > > > Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit
> > > > =
> > > > (HTTPConduit) client.getConduit();
> > > > httpConduit.setTlsClientParameters(Utils.getTlsParams());
> > > >
> > > > and tls params I set only the keystore. I learnt the server cert is
> > > registered in
> > > > Comodo
> > > >
> > > > tlsParams.setDisableCNCheck(true);
> > > > tlsParams.setSecureSocketProtocol("TLS");
> > > > KeyManagerFactory keyFactory =
> > > > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm(
> > > > )); keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[]
> > > > km = keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km);
> > > >
> > > > Not sure it's about the cert - but soapui is working or it's about
> > > > the
> > > java code
> > > > cxf 3.0.12 and cannot be upgraded
> > > >
> > > > 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <as...@talend.com>:
> > > >
> > > > > Hi,
> > > > >
> > > > > As the first step, I would recommend to activate
> > > > > -Djavax.net.debug=all JVM property, you will get a bit more
> information
> > about error.
> > > > >
> > > > > You can also check if server requires client authentication using
> > > > > OpenSSL, there are some hints regarding that: https://security.
> > > > > stackexchange.com/questions/101511/determine-if-a-server-
> > > > > is-asking-for-a-client-certificate-using-openssl-s-client.
> > > > >
> > > > > Regards,
> > > > > Andrei.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Arek R. [mailto:undsame@gmail.com]
> > > > > > Sent: Dienstag, 27. Juni 2017 10:15
> > > > > > To: users@cxf.apache.org
> > > > > > Subject: Re: 2way ssl
> > > > > >
> > > > > > I had to switch the idea and ssl terminates at jetty server. So
> > > > > > I had to
> > > > > configure
> > > > > > things like keystore etc. At the same time I've setup ssl
> > > > > > configuration
> > > > > like
> > > > > > keystore etc and link to the HttpConduit. Also added
> > > > > <sec:clientAuthenticayion
> > > > > > required='true' want='true'/> But don't understand how these 2
> > > > > > configs
> > > > > are
> > > > > > working together and I had an impression that cxf config is
> > > > > > ignored
> > > > > Don't know
> > > > > > how to proof that server requests for the client certificate
> > > > > >
> > > > > > 2017-06-23 23:11 GMT+02:00 Christian Schneider
> > > > > ><chris@die-schneider.net
> > > > > >:
> > > > > >
> > > > > > > If your client needs to call the nginx proxy instead of the
> > > > > > > service then the proxy must provide all the server side ssl
> > > > > > > setup including the 2 way ssl rules which client certs are
> > > > > > > allowed to
> > > connect.
> > > > > > >
> > > > > > > Christian
> > > > > > >
> > > > > > > 2017-06-23 15:30 GMT+02:00 Arek R. <un...@gmail.com>:
> > > > > > >
> > > > > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run
> > > > > > > > a test via https. 1 way ssl is working.
> > > > > > > > Now want to add a client certificate cause there's an error
> > > > > > > > in the server log like 'client sent no required SSL
> > > > > > > > certificate while reading client request headers' but cannot
> > > > > > > > find any good example how to do it. Any hint
> > > > > > > ?
> > > > > > > >
> > > > > > > > 2. If ssl terminates at nginx server am I able to recognize
> > > > > > > > the client on the web server ?
> > > > > > > > I guess no and in such case I should handle ssl at jetty/cxf
> > > level.
> > > > > > > Please
> > > > > > > > confirm.
> > > > > > > > Or the only way is to sign the messages and then it doesn't
> > > > > > > > matter where ssl is handled.
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > --
> > > > > > > Christian Schneider
> > > > > > > http://www.liquid-reality.de
> > > > > > >
> > > > > >
> > > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > > > a7
> > > > > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > > > > > >
> > > > > > > Open Source Architect
> > > > > > > http://www.talend.com
> > > > > > >
> > > > > >
> > > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > > > a7
> > > > > > > e
> > > > > > > 46&URL=http%3a%2f%2fwww.talend.com>
> > > > > > >
> > > > >
> > >
>
RE: 2way ssl
Posted by Andrei Shakirin <as...@talend.com>.
Strange.
Could you trace both working client under java 7 and "problem" client under java 8 using -Djavax.net.debug=all and compare these traces?
Perhaps you can see the difference on early stage.
Regards,
Andrei.
> -----Original Message-----
> From: Arek R. [mailto:undsame@gmail.com]
> Sent: Montag, 10. Juli 2017 19:55
> To: users@cxf.apache.org
> Subject: Re: 2way ssl
>
> I believe I did it properly. I've got to the point where it's working if client is run
> on java7, but don't work with java8 On server side I can find SSL: TLSv1.2,
> cipher: "ECDHE-RSA-AES256-SHA384
> TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384" in the logs. Still don't
> know it's sth with the certificate chain, with the cert itself, server configuration
>
>
> 2017-07-04 18:53 GMT+02:00 Andrei Shakirin <as...@talend.com>:
>
> > Hi,
> >
> > You need to configure keyManager and trustManager on client side.
> > The keystore have to contain server certificate for trustManager and
> > public/private key pair for the keyManager.
> >
> > Take a look this integration test: https://github.com/apache/cxf/
> > blob/master/services/sts/systests/basic/src/test/java/
> > org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
> > Method prepareTLSParams().
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Arek R. [mailto:undsame@gmail.com]
> > > Sent: Freitag, 30. Juni 2017 09:54
> > > To: users@cxf.apache.org
> > > Subject: Re: 2way ssl
> > >
> > > I cannot get it working. The server says that client doesn't send
> > > the
> > certificate.
> > > My client keystore contains only the client key/cert pair and this
> > > is
> > working in
> > > SoapUi project but not in pure java
> > >
> > > Here is the log
> > >
> > > main, READ: TLSv1.2 Handshake, length = 333
> > > *** ECDH ServerKeyExchange
> > > Signature Algorithm SHA512withRSA
> > > Server key: Sun EC public key, 256 bits
> > > public x coord: 830289587105151256207749267013
> > > 20321981505124484199856534866410300374616735045
> > > public y coord: 332067304039254916257006573681
> > > 82738242939062461168510217069674332072760548082
> > > parameters: secp256r1 [NIST P-256, X9.62 prime256v1]
> > (1.2.840.10045.3.1.7)
> > > main, READ: TLSv1.2 Handshake, length = 4
> > > *** ServerHelloDone
> > > *** ECDHClientKeyExchange
> > > ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151,
> > > 48,
> > 83, 140,
> > > 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13,
> > > 143,
> > 160, 102,
> > > 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118,
> > 127, 252,
> > > 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103,
> > > 4,
> > 8 } main,
> > > WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN:
> > > PreMaster Secret:
> > > 0000: C2 9D 01 D3 06 E1 C3 C4 E5 C0 68 95 D1 1E A3 1C ..........h.....
> > > 0010: 09 7F C1 0F C5 B8 92 A5 6D A2 AA 46 B8 C6 03 DA ........m..F....
> > > CONNECTION KEYGEN:
> > > Client Nonce:
> > > 0000: 59 55 FF E2 DD 56 BB 05 D3 4E 0D 72 98 86 F6 02 YU...V...N.r....
> > > 0010: 71 76 CF EC C7 5F CC 4B 6C CE EE 53 DF AE E6 10 qv..._.Kl..S....
> > > Server Nonce:
> > > 0000: DA E6 A8 95 F7 E3 89 4F 19 1A AB B5 23 F1 3A B4 .......O....#.:.
> > > 0010: 58 76 21 FC 95 0A 8D FE 3F FD 4B 1E D3 CC D5 F3 Xv!.....?.K.....
> > > Master Secret:
> > > 0000: DE 99 96 B0 F8 B8 4D C0 8D 9D D0 4E D1 7A F1 6E ......M....N.z.n
> > > 0010: A4 4A 68 7A CB E6 1F 51 68 C8 1D ED F9 76 40 CE .Jhz...Qh....v@
> > .
> > > 0020: FB 4C 1B D3 FF 1B ED 27 0C 2C 3F 1C 89 D8 5F CD .L.....'.,?..._.
> > > ... no MAC keys used for this cipher Client write key:
> > > 0000: 4E 9D 81 E6 5F 84 FD 57 C0 36 A0 9B 62 C3 42 C3 N..._..W.6..b.B.
> > > Server write key:
> > > 0000: 45 E7 4B 02 85 0A D3 05 D8 5F 25 7D EE 0D E9 9E E.K......_%.....
> > > Client write IV:
> > > 0000: 81 92 DF AE ....
> > > Server write IV:
> > > 0000: AB 27 F3 37 .'.7
> > > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> > > *** Finished
> > > verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32
> > > }
> > > ***
> > > main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2
> > > Change Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length
> > > = 40
> > > *** Finished
> > > verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> > > ***
> > > %% Cached client session: [Session-1,
> > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> > > main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE:
> > > TLSv1.2 Application Data, length = 200
> > >
> > > There's no CertificateVerify message
> > >
> > > Java code is quite typical
> > >
> > > factory = new JaxWsProxyFactoryBean();
> > > factory.setAddress("https://xxx");
> > >
> > > factory.setServiceClass(XXX.class);
> > > XXX xxx = (XXX) factory.create();
> > >
> > > Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit
> > > =
> > > (HTTPConduit) client.getConduit();
> > > httpConduit.setTlsClientParameters(Utils.getTlsParams());
> > >
> > > and tls params I set only the keystore. I learnt the server cert is
> > registered in
> > > Comodo
> > >
> > > tlsParams.setDisableCNCheck(true);
> > > tlsParams.setSecureSocketProtocol("TLS");
> > > KeyManagerFactory keyFactory =
> > > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm(
> > > )); keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[]
> > > km = keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km);
> > >
> > > Not sure it's about the cert - but soapui is working or it's about
> > > the
> > java code
> > > cxf 3.0.12 and cannot be upgraded
> > >
> > > 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <as...@talend.com>:
> > >
> > > > Hi,
> > > >
> > > > As the first step, I would recommend to activate
> > > > -Djavax.net.debug=all JVM property, you will get a bit more information
> about error.
> > > >
> > > > You can also check if server requires client authentication using
> > > > OpenSSL, there are some hints regarding that: https://security.
> > > > stackexchange.com/questions/101511/determine-if-a-server-
> > > > is-asking-for-a-client-certificate-using-openssl-s-client.
> > > >
> > > > Regards,
> > > > Andrei.
> > > >
> > > > > -----Original Message-----
> > > > > From: Arek R. [mailto:undsame@gmail.com]
> > > > > Sent: Dienstag, 27. Juni 2017 10:15
> > > > > To: users@cxf.apache.org
> > > > > Subject: Re: 2way ssl
> > > > >
> > > > > I had to switch the idea and ssl terminates at jetty server. So
> > > > > I had to
> > > > configure
> > > > > things like keystore etc. At the same time I've setup ssl
> > > > > configuration
> > > > like
> > > > > keystore etc and link to the HttpConduit. Also added
> > > > <sec:clientAuthenticayion
> > > > > required='true' want='true'/> But don't understand how these 2
> > > > > configs
> > > > are
> > > > > working together and I had an impression that cxf config is
> > > > > ignored
> > > > Don't know
> > > > > how to proof that server requests for the client certificate
> > > > >
> > > > > 2017-06-23 23:11 GMT+02:00 Christian Schneider
> > > > ><chris@die-schneider.net
> > > > >:
> > > > >
> > > > > > If your client needs to call the nginx proxy instead of the
> > > > > > service then the proxy must provide all the server side ssl
> > > > > > setup including the 2 way ssl rules which client certs are
> > > > > > allowed to
> > connect.
> > > > > >
> > > > > > Christian
> > > > > >
> > > > > > 2017-06-23 15:30 GMT+02:00 Arek R. <un...@gmail.com>:
> > > > > >
> > > > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run
> > > > > > > a test via https. 1 way ssl is working.
> > > > > > > Now want to add a client certificate cause there's an error
> > > > > > > in the server log like 'client sent no required SSL
> > > > > > > certificate while reading client request headers' but cannot
> > > > > > > find any good example how to do it. Any hint
> > > > > > ?
> > > > > > >
> > > > > > > 2. If ssl terminates at nginx server am I able to recognize
> > > > > > > the client on the web server ?
> > > > > > > I guess no and in such case I should handle ssl at jetty/cxf
> > level.
> > > > > > Please
> > > > > > > confirm.
> > > > > > > Or the only way is to sign the messages and then it doesn't
> > > > > > > matter where ssl is handled.
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > --
> > > > > > Christian Schneider
> > > > > > http://www.liquid-reality.de
> > > > > >
> > > > >
> > >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > > a7
> > > > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > > > > >
> > > > > > Open Source Architect
> > > > > > http://www.talend.com
> > > > > >
> > > > >
> > >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > > a7
> > > > > > e
> > > > > > 46&URL=http%3a%2f%2fwww.talend.com>
> > > > > >
> > > >
> >
Re: 2way ssl
Posted by "Arek R." <un...@gmail.com>.
I believe I did it properly. I've got to the point where it's working if
client is run on java7, but don't work with java8
On server side I can find SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-SHA384
TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384" in the logs. Still don't
know it's sth with the certificate chain, with the cert itself, server
configuration
2017-07-04 18:53 GMT+02:00 Andrei Shakirin <as...@talend.com>:
> Hi,
>
> You need to configure keyManager and trustManager on client side.
> The keystore have to contain server certificate for trustManager and
> public/private key pair for the keyManager.
>
> Take a look this integration test: https://github.com/apache/cxf/
> blob/master/services/sts/systests/basic/src/test/java/
> org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
> Method prepareTLSParams().
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Arek R. [mailto:undsame@gmail.com]
> > Sent: Freitag, 30. Juni 2017 09:54
> > To: users@cxf.apache.org
> > Subject: Re: 2way ssl
> >
> > I cannot get it working. The server says that client doesn't send the
> certificate.
> > My client keystore contains only the client key/cert pair and this is
> working in
> > SoapUi project but not in pure java
> >
> > Here is the log
> >
> > main, READ: TLSv1.2 Handshake, length = 333
> > *** ECDH ServerKeyExchange
> > Signature Algorithm SHA512withRSA
> > Server key: Sun EC public key, 256 bits
> > public x coord: 830289587105151256207749267013
> > 20321981505124484199856534866410300374616735045
> > public y coord: 332067304039254916257006573681
> > 82738242939062461168510217069674332072760548082
> > parameters: secp256r1 [NIST P-256, X9.62 prime256v1]
> (1.2.840.10045.3.1.7)
> > main, READ: TLSv1.2 Handshake, length = 4
> > *** ServerHelloDone
> > *** ECDHClientKeyExchange
> > ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48,
> 83, 140,
> > 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13, 143,
> 160, 102,
> > 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118,
> 127, 252,
> > 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103, 4,
> 8 } main,
> > WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN:
> > PreMaster Secret:
> > 0000: C2 9D 01 D3 06 E1 C3 C4 E5 C0 68 95 D1 1E A3 1C ..........h.....
> > 0010: 09 7F C1 0F C5 B8 92 A5 6D A2 AA 46 B8 C6 03 DA ........m..F....
> > CONNECTION KEYGEN:
> > Client Nonce:
> > 0000: 59 55 FF E2 DD 56 BB 05 D3 4E 0D 72 98 86 F6 02 YU...V...N.r....
> > 0010: 71 76 CF EC C7 5F CC 4B 6C CE EE 53 DF AE E6 10 qv..._.Kl..S....
> > Server Nonce:
> > 0000: DA E6 A8 95 F7 E3 89 4F 19 1A AB B5 23 F1 3A B4 .......O....#.:.
> > 0010: 58 76 21 FC 95 0A 8D FE 3F FD 4B 1E D3 CC D5 F3 Xv!.....?.K.....
> > Master Secret:
> > 0000: DE 99 96 B0 F8 B8 4D C0 8D 9D D0 4E D1 7A F1 6E ......M....N.z.n
> > 0010: A4 4A 68 7A CB E6 1F 51 68 C8 1D ED F9 76 40 CE .Jhz...Qh....v@
> .
> > 0020: FB 4C 1B D3 FF 1B ED 27 0C 2C 3F 1C 89 D8 5F CD .L.....'.,?..._.
> > ... no MAC keys used for this cipher
> > Client write key:
> > 0000: 4E 9D 81 E6 5F 84 FD 57 C0 36 A0 9B 62 C3 42 C3 N..._..W.6..b.B.
> > Server write key:
> > 0000: 45 E7 4B 02 85 0A D3 05 D8 5F 25 7D EE 0D E9 9E E.K......_%.....
> > Client write IV:
> > 0000: 81 92 DF AE ....
> > Server write IV:
> > 0000: AB 27 F3 37 .'.7
> > main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> > *** Finished
> > verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 }
> > ***
> > main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2 Change
> > Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length = 40
> > *** Finished
> > verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> > ***
> > %% Cached client session: [Session-1,
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> > main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE: TLSv1.2
> > Application Data, length = 200
> >
> > There's no CertificateVerify message
> >
> > Java code is quite typical
> >
> > factory = new JaxWsProxyFactoryBean();
> > factory.setAddress("https://xxx");
> >
> > factory.setServiceClass(XXX.class);
> > XXX xxx = (XXX) factory.create();
> >
> > Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit =
> > (HTTPConduit) client.getConduit();
> > httpConduit.setTlsClientParameters(Utils.getTlsParams());
> >
> > and tls params I set only the keystore. I learnt the server cert is
> registered in
> > Comodo
> >
> > tlsParams.setDisableCNCheck(true);
> > tlsParams.setSecureSocketProtocol("TLS");
> > KeyManagerFactory keyFactory =
> > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> > keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[] km =
> > keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km);
> >
> > Not sure it's about the cert - but soapui is working or it's about the
> java code
> > cxf 3.0.12 and cannot be upgraded
> >
> > 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <as...@talend.com>:
> >
> > > Hi,
> > >
> > > As the first step, I would recommend to activate -Djavax.net.debug=all
> > > JVM property, you will get a bit more information about error.
> > >
> > > You can also check if server requires client authentication using
> > > OpenSSL, there are some hints regarding that: https://security.
> > > stackexchange.com/questions/101511/determine-if-a-server-
> > > is-asking-for-a-client-certificate-using-openssl-s-client.
> > >
> > > Regards,
> > > Andrei.
> > >
> > > > -----Original Message-----
> > > > From: Arek R. [mailto:undsame@gmail.com]
> > > > Sent: Dienstag, 27. Juni 2017 10:15
> > > > To: users@cxf.apache.org
> > > > Subject: Re: 2way ssl
> > > >
> > > > I had to switch the idea and ssl terminates at jetty server. So I
> > > > had to
> > > configure
> > > > things like keystore etc. At the same time I've setup ssl
> > > > configuration
> > > like
> > > > keystore etc and link to the HttpConduit. Also added
> > > <sec:clientAuthenticayion
> > > > required='true' want='true'/> But don't understand how these 2
> > > > configs
> > > are
> > > > working together and I had an impression that cxf config is ignored
> > > Don't know
> > > > how to proof that server requests for the client certificate
> > > >
> > > > 2017-06-23 23:11 GMT+02:00 Christian Schneider
> > > ><chris@die-schneider.net
> > > >:
> > > >
> > > > > If your client needs to call the nginx proxy instead of the
> > > > > service then the proxy must provide all the server side ssl setup
> > > > > including the 2 way ssl rules which client certs are allowed to
> connect.
> > > > >
> > > > > Christian
> > > > >
> > > > > 2017-06-23 15:30 GMT+02:00 Arek R. <un...@gmail.com>:
> > > > >
> > > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a
> > > > > > test via https. 1 way ssl is working.
> > > > > > Now want to add a client certificate cause there's an error in
> > > > > > the server log like 'client sent no required SSL certificate
> > > > > > while reading client request headers' but cannot find any good
> > > > > > example how to do it. Any hint
> > > > > ?
> > > > > >
> > > > > > 2. If ssl terminates at nginx server am I able to recognize the
> > > > > > client on the web server ?
> > > > > > I guess no and in such case I should handle ssl at jetty/cxf
> level.
> > > > > Please
> > > > > > confirm.
> > > > > > Or the only way is to sign the messages and then it doesn't
> > > > > > matter where ssl is handled.
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > --
> > > > > Christian Schneider
> > > > > http://www.liquid-reality.de
> > > > >
> > > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > a7
> > > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > > > >
> > > > > Open Source Architect
> > > > > http://www.talend.com
> > > > >
> > > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > > a7
> > > > > e
> > > > > 46&URL=http%3a%2f%2fwww.talend.com>
> > > > >
> > >
>
RE: 2way ssl
Posted by Andrei Shakirin <as...@talend.com>.
Hi,
You need to configure keyManager and trustManager on client side.
The keystore have to contain server certificate for trustManager and public/private key pair for the keyManager.
Take a look this integration test: https://github.com/apache/cxf/blob/master/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/STSTokenOutInterceptorTest.java
Method prepareTLSParams().
Regards,
Andrei.
> -----Original Message-----
> From: Arek R. [mailto:undsame@gmail.com]
> Sent: Freitag, 30. Juni 2017 09:54
> To: users@cxf.apache.org
> Subject: Re: 2way ssl
>
> I cannot get it working. The server says that client doesn't send the certificate.
> My client keystore contains only the client key/cert pair and this is working in
> SoapUi project but not in pure java
>
> Here is the log
>
> main, READ: TLSv1.2 Handshake, length = 333
> *** ECDH ServerKeyExchange
> Signature Algorithm SHA512withRSA
> Server key: Sun EC public key, 256 bits
> public x coord: 830289587105151256207749267013
> 20321981505124484199856534866410300374616735045
> public y coord: 332067304039254916257006573681
> 82738242939062461168510217069674332072760548082
> parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
> main, READ: TLSv1.2 Handshake, length = 4
> *** ServerHelloDone
> *** ECDHClientKeyExchange
> ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48, 83, 140,
> 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49, 13, 143, 160, 102,
> 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190, 73, 37, 118, 127, 252,
> 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97, 230, 175, 12, 103, 4, 8 } main,
> WRITE: TLSv1.2 Handshake, length = 70 SESSION KEYGEN:
> PreMaster Secret:
> 0000: C2 9D 01 D3 06 E1 C3 C4 E5 C0 68 95 D1 1E A3 1C ..........h.....
> 0010: 09 7F C1 0F C5 B8 92 A5 6D A2 AA 46 B8 C6 03 DA ........m..F....
> CONNECTION KEYGEN:
> Client Nonce:
> 0000: 59 55 FF E2 DD 56 BB 05 D3 4E 0D 72 98 86 F6 02 YU...V...N.r....
> 0010: 71 76 CF EC C7 5F CC 4B 6C CE EE 53 DF AE E6 10 qv..._.Kl..S....
> Server Nonce:
> 0000: DA E6 A8 95 F7 E3 89 4F 19 1A AB B5 23 F1 3A B4 .......O....#.:.
> 0010: 58 76 21 FC 95 0A 8D FE 3F FD 4B 1E D3 CC D5 F3 Xv!.....?.K.....
> Master Secret:
> 0000: DE 99 96 B0 F8 B8 4D C0 8D 9D D0 4E D1 7A F1 6E ......M....N.z.n
> 0010: A4 4A 68 7A CB E6 1F 51 68 C8 1D ED F9 76 40 CE .Jhz...Qh....v@.
> 0020: FB 4C 1B D3 FF 1B ED 27 0C 2C 3F 1C 89 D8 5F CD .L.....'.,?..._.
> ... no MAC keys used for this cipher
> Client write key:
> 0000: 4E 9D 81 E6 5F 84 FD 57 C0 36 A0 9B 62 C3 42 C3 N..._..W.6..b.B.
> Server write key:
> 0000: 45 E7 4B 02 85 0A D3 05 D8 5F 25 7D EE 0D E9 9E E.K......_%.....
> Client write IV:
> 0000: 81 92 DF AE ....
> Server write IV:
> 0000: AB 27 F3 37 .'.7
> main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
> *** Finished
> verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 }
> ***
> main, WRITE: TLSv1.2 Handshake, length = 40 main, READ: TLSv1.2 Change
> Cipher Spec, length = 1 main, READ: TLSv1.2 Handshake, length = 40
> *** Finished
> verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
> ***
> %% Cached client session: [Session-1,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> main, WRITE: TLSv1.2 Application Data, length = 289 main, WRITE: TLSv1.2
> Application Data, length = 200
>
> There's no CertificateVerify message
>
> Java code is quite typical
>
> factory = new JaxWsProxyFactoryBean();
> factory.setAddress("https://xxx");
>
> factory.setServiceClass(XXX.class);
> XXX xxx = (XXX) factory.create();
>
> Client client = ClientProxy.getClient(xxx); HTTPConduit httpConduit =
> (HTTPConduit) client.getConduit();
> httpConduit.setTlsClientParameters(Utils.getTlsParams());
>
> and tls params I set only the keystore. I learnt the server cert is registered in
> Comodo
>
> tlsParams.setDisableCNCheck(true);
> tlsParams.setSecureSocketProtocol("TLS");
> KeyManagerFactory keyFactory =
> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> keyFactory.init(keyStore, trustpass.toCharArray()); KeyManager[] km =
> keyFactory.getKeyManagers(); tlsParams.setKeyManagers(km);
>
> Not sure it's about the cert - but soapui is working or it's about the java code
> cxf 3.0.12 and cannot be upgraded
>
> 2017-06-27 22:17 GMT+02:00 Andrei Shakirin <as...@talend.com>:
>
> > Hi,
> >
> > As the first step, I would recommend to activate -Djavax.net.debug=all
> > JVM property, you will get a bit more information about error.
> >
> > You can also check if server requires client authentication using
> > OpenSSL, there are some hints regarding that: https://security.
> > stackexchange.com/questions/101511/determine-if-a-server-
> > is-asking-for-a-client-certificate-using-openssl-s-client.
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: Arek R. [mailto:undsame@gmail.com]
> > > Sent: Dienstag, 27. Juni 2017 10:15
> > > To: users@cxf.apache.org
> > > Subject: Re: 2way ssl
> > >
> > > I had to switch the idea and ssl terminates at jetty server. So I
> > > had to
> > configure
> > > things like keystore etc. At the same time I've setup ssl
> > > configuration
> > like
> > > keystore etc and link to the HttpConduit. Also added
> > <sec:clientAuthenticayion
> > > required='true' want='true'/> But don't understand how these 2
> > > configs
> > are
> > > working together and I had an impression that cxf config is ignored
> > Don't know
> > > how to proof that server requests for the client certificate
> > >
> > > 2017-06-23 23:11 GMT+02:00 Christian Schneider
> > ><chris@die-schneider.net
> > >:
> > >
> > > > If your client needs to call the nginx proxy instead of the
> > > > service then the proxy must provide all the server side ssl setup
> > > > including the 2 way ssl rules which client certs are allowed to connect.
> > > >
> > > > Christian
> > > >
> > > > 2017-06-23 15:30 GMT+02:00 Arek R. <un...@gmail.com>:
> > > >
> > > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a
> > > > > test via https. 1 way ssl is working.
> > > > > Now want to add a client certificate cause there's an error in
> > > > > the server log like 'client sent no required SSL certificate
> > > > > while reading client request headers' but cannot find any good
> > > > > example how to do it. Any hint
> > > > ?
> > > > >
> > > > > 2. If ssl terminates at nginx server am I able to recognize the
> > > > > client on the web server ?
> > > > > I guess no and in such case I should handle ssl at jetty/cxf level.
> > > > Please
> > > > > confirm.
> > > > > Or the only way is to sign the messages and then it doesn't
> > > > > matter where ssl is handled.
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > --
> > > > Christian Schneider
> > > > http://www.liquid-reality.de
> > > >
> > >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > a7
> > > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > > >
> > > > Open Source Architect
> > > > http://www.talend.com
> > > >
> > >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5
> > > a7
> > > > e
> > > > 46&URL=http%3a%2f%2fwww.talend.com>
> > > >
> >
Re: 2way ssl
Posted by "Arek R." <un...@gmail.com>.
I cannot get it working. The server says that client doesn't send the
certificate.
My client keystore contains only the client key/cert pair and this is
working in SoapUi project but not in pure java
Here is the log
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 830289587105151256207749267013
20321981505124484199856534866410300374616735045
public y coord: 332067304039254916257006573681
82738242939062461168510217069674332072760548082
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 187, 13, 125, 109, 106, 128, 252, 125, 151, 48,
83, 140, 73, 248, 175, 245, 27, 184, 241, 94, 60, 231, 220, 120, 40, 49,
13, 143, 160, 102, 148, 144, 139, 58, 169, 108, 177, 81, 115, 72, 76, 190,
73, 37, 118, 127, 252, 131, 198, 133, 236, 39, 135, 235, 3, 160, 22, 97,
230, 175, 12, 103, 4, 8 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: C2 9D 01 D3 06 E1 C3 C4 E5 C0 68 95 D1 1E A3 1C ..........h.....
0010: 09 7F C1 0F C5 B8 92 A5 6D A2 AA 46 B8 C6 03 DA ........m..F....
CONNECTION KEYGEN:
Client Nonce:
0000: 59 55 FF E2 DD 56 BB 05 D3 4E 0D 72 98 86 F6 02 YU...V...N.r....
0010: 71 76 CF EC C7 5F CC 4B 6C CE EE 53 DF AE E6 10 qv..._.Kl..S....
Server Nonce:
0000: DA E6 A8 95 F7 E3 89 4F 19 1A AB B5 23 F1 3A B4 .......O....#.:.
0010: 58 76 21 FC 95 0A 8D FE 3F FD 4B 1E D3 CC D5 F3 Xv!.....?.K.....
Master Secret:
0000: DE 99 96 B0 F8 B8 4D C0 8D 9D D0 4E D1 7A F1 6E ......M....N.z.n
0010: A4 4A 68 7A CB E6 1F 51 68 C8 1D ED F9 76 40 CE .Jhz...Qh....v@.
0020: FB 4C 1B D3 FF 1B ED 27 0C 2C 3F 1C 89 D8 5F CD .L.....'.,?..._.
... no MAC keys used for this cipher
Client write key:
0000: 4E 9D 81 E6 5F 84 FD 57 C0 36 A0 9B 62 C3 42 C3 N..._..W.6..b.B.
Server write key:
0000: 45 E7 4B 02 85 0A D3 05 D8 5F 25 7D EE 0D E9 9E E.K......_%.....
Client write IV:
0000: 81 92 DF AE ....
Server write IV:
0000: AB 27 F3 37 .'.7
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 172, 138, 51, 21, 122, 254, 9, 186, 249, 33, 253, 32 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data: { 165, 182, 112, 90, 70, 54, 123, 31, 21, 181, 30, 9 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 289
main, WRITE: TLSv1.2 Application Data, length = 200
There's no CertificateVerify message
Java code is quite typical
factory = new JaxWsProxyFactoryBean();
factory.setAddress("https://xxx");
factory.setServiceClass(XXX.class);
XXX xxx = (XXX) factory.create();
Client client = ClientProxy.getClient(xxx);
HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
httpConduit.setTlsClientParameters(Utils.getTlsParams());
and tls params I set only the keystore. I learnt the server cert is
registered in Comodo
tlsParams.setDisableCNCheck(true);
tlsParams.setSecureSocketProtocol("TLS");
KeyManagerFactory keyFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore, trustpass.toCharArray());
KeyManager[] km = keyFactory.getKeyManagers();
tlsParams.setKeyManagers(km);
Not sure it's about the cert - but soapui is working or it's about the java
code
cxf 3.0.12 and cannot be upgraded
2017-06-27 22:17 GMT+02:00 Andrei Shakirin <as...@talend.com>:
> Hi,
>
> As the first step, I would recommend to activate -Djavax.net.debug=all JVM
> property, you will get a bit more information about error.
>
> You can also check if server requires client authentication using OpenSSL,
> there are some hints regarding that: https://security.
> stackexchange.com/questions/101511/determine-if-a-server-
> is-asking-for-a-client-certificate-using-openssl-s-client.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Arek R. [mailto:undsame@gmail.com]
> > Sent: Dienstag, 27. Juni 2017 10:15
> > To: users@cxf.apache.org
> > Subject: Re: 2way ssl
> >
> > I had to switch the idea and ssl terminates at jetty server. So I had to
> configure
> > things like keystore etc. At the same time I've setup ssl configuration
> like
> > keystore etc and link to the HttpConduit. Also added
> <sec:clientAuthenticayion
> > required='true' want='true'/> But don't understand how these 2 configs
> are
> > working together and I had an impression that cxf config is ignored
> Don't know
> > how to proof that server requests for the client certificate
> >
> > 2017-06-23 23:11 GMT+02:00 Christian Schneider <chris@die-schneider.net
> >:
> >
> > > If your client needs to call the nginx proxy instead of the service
> > > then the proxy must provide all the server side ssl setup including
> > > the 2 way ssl rules which client certs are allowed to connect.
> > >
> > > Christian
> > >
> > > 2017-06-23 15:30 GMT+02:00 Arek R. <un...@gmail.com>:
> > >
> > > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test
> > > > via https. 1 way ssl is working.
> > > > Now want to add a client certificate cause there's an error in the
> > > > server log like 'client sent no required SSL certificate while
> > > > reading client request headers' but cannot find any good example how
> > > > to do it. Any hint
> > > ?
> > > >
> > > > 2. If ssl terminates at nginx server am I able to recognize the
> > > > client on the web server ?
> > > > I guess no and in such case I should handle ssl at jetty/cxf level.
> > > Please
> > > > confirm.
> > > > Or the only way is to sign the messages and then it doesn't matter
> > > > where ssl is handled.
> > > >
> > >
> > >
> > >
> > > --
> > > --
> > > Christian Schneider
> > > http://www.liquid-reality.de
> > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> > >
> > > Open Source Architect
> > > http://www.talend.com
> > >
> > <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > > e
> > > 46&URL=http%3a%2f%2fwww.talend.com>
> > >
>
RE: 2way ssl
Posted by Andrei Shakirin <as...@talend.com>.
Hi,
As the first step, I would recommend to activate -Djavax.net.debug=all JVM property, you will get a bit more information about error.
You can also check if server requires client authentication using OpenSSL, there are some hints regarding that: https://security.stackexchange.com/questions/101511/determine-if-a-server-is-asking-for-a-client-certificate-using-openssl-s-client.
Regards,
Andrei.
> -----Original Message-----
> From: Arek R. [mailto:undsame@gmail.com]
> Sent: Dienstag, 27. Juni 2017 10:15
> To: users@cxf.apache.org
> Subject: Re: 2way ssl
>
> I had to switch the idea and ssl terminates at jetty server. So I had to configure
> things like keystore etc. At the same time I've setup ssl configuration like
> keystore etc and link to the HttpConduit. Also added <sec:clientAuthenticayion
> required='true' want='true'/> But don't understand how these 2 configs are
> working together and I had an impression that cxf config is ignored Don't know
> how to proof that server requests for the client certificate
>
> 2017-06-23 23:11 GMT+02:00 Christian Schneider <ch...@die-schneider.net>:
>
> > If your client needs to call the nginx proxy instead of the service
> > then the proxy must provide all the server side ssl setup including
> > the 2 way ssl rules which client certs are allowed to connect.
> >
> > Christian
> >
> > 2017-06-23 15:30 GMT+02:00 Arek R. <un...@gmail.com>:
> >
> > > 1. I've a requirement to implement 2 way ssl. I'm using
> > > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test
> > > via https. 1 way ssl is working.
> > > Now want to add a client certificate cause there's an error in the
> > > server log like 'client sent no required SSL certificate while
> > > reading client request headers' but cannot find any good example how
> > > to do it. Any hint
> > ?
> > >
> > > 2. If ssl terminates at nginx server am I able to recognize the
> > > client on the web server ?
> > > I guess no and in such case I should handle ssl at jetty/cxf level.
> > Please
> > > confirm.
> > > Or the only way is to sign the messages and then it doesn't matter
> > > where ssl is handled.
> > >
> >
> >
> >
> > --
> > --
> > Christian Schneider
> > http://www.liquid-reality.de
> >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > e 46&URL=http%3a%2f%2fwww.liquid-reality.de>
> >
> > Open Source Architect
> > http://www.talend.com
> >
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7
> > e
> > 46&URL=http%3a%2f%2fwww.talend.com>
> >
Re: 2way ssl
Posted by "Arek R." <un...@gmail.com>.
I had to switch the idea and ssl terminates at jetty server. So I had to
configure things like keystore etc. At the same time I've setup ssl
configuration like keystore etc and link to the HttpConduit. Also added
<sec:clientAuthenticayion required='true' want='true'/>
But don't understand how these 2 configs are working together and I had an
impression that cxf config is ignored
Don't know how to proof that server requests for the client certificate
2017-06-23 23:11 GMT+02:00 Christian Schneider <ch...@die-schneider.net>:
> If your client needs to call the nginx proxy instead of the service then
> the proxy must provide all the server side ssl setup including the 2 way
> ssl rules which client certs are allowed to connect.
>
> Christian
>
> 2017-06-23 15:30 GMT+02:00 Arek R. <un...@gmail.com>:
>
> > 1. I've a requirement to implement 2 way ssl. I'm using
> > JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test via
> > https. 1 way ssl is working.
> > Now want to add a client certificate cause there's an error in the server
> > log like 'client sent no required SSL certificate while reading client
> > request headers' but cannot find any good example how to do it. Any hint
> ?
> >
> > 2. If ssl terminates at nginx server am I able to recognize the client on
> > the web server ?
> > I guess no and in such case I should handle ssl at jetty/cxf level.
> Please
> > confirm.
> > Or the only way is to sign the messages and then it doesn't matter where
> > ssl is handled.
> >
>
>
>
> --
> --
> Christian Schneider
> http://www.liquid-reality.de
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7e
> 46&URL=http%3a%2f%2fwww.liquid-reality.de>
>
> Open Source Architect
> http://www.talend.com
> <https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7e
> 46&URL=http%3a%2f%2fwww.talend.com>
>
Re: 2way ssl
Posted by Christian Schneider <ch...@die-schneider.net>.
If your client needs to call the nginx proxy instead of the service then
the proxy must provide all the server side ssl setup including the 2 way
ssl rules which client certs are allowed to connect.
Christian
2017-06-23 15:30 GMT+02:00 Arek R. <un...@gmail.com>:
> 1. I've a requirement to implement 2 way ssl. I'm using
> JaxWsProxyFactoryBean, set TlsClientParams and manage to run a test via
> https. 1 way ssl is working.
> Now want to add a client certificate cause there's an error in the server
> log like 'client sent no required SSL certificate while reading client
> request headers' but cannot find any good example how to do it. Any hint ?
>
> 2. If ssl terminates at nginx server am I able to recognize the client on
> the web server ?
> I guess no and in such case I should handle ssl at jetty/cxf level. Please
> confirm.
> Or the only way is to sign the messages and then it doesn't matter where
> ssl is handled.
>
--
--
Christian Schneider
http://www.liquid-reality.de
<https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7e46&URL=http%3a%2f%2fwww.liquid-reality.de>
Open Source Architect
http://www.talend.com
<https://owa.talend.com/owa/redir.aspx?C=3aa4083e0c744ae1ba52bd062c5a7e46&URL=http%3a%2f%2fwww.talend.com>