Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2015/09/02 14:55:46 UTC

Re: [OT] Client not loading truststore or keystore


Diarmuid,

(Marking as OT because this is not a Tomcat issue.)

On 9/1/15 5:34 PM, dmccrthy wrote:
> Sorry for the ambiguity, we're using scenario (b), outgoing client 
> connections. The server cert is signed by GeoTrust but we don't
> have the full CA chain in the truststore, only the server cert.

Okay, then you need to do the following:

1. Put your client key + signed certificate into your keystore
2. Put the server's cert (or GeoTrust's top-level CA cert and any
   intermediate certs that you might need) into your truststore
3. Configure your HTTP client to use the above keystore and trust store
   (or really just pull the client key+cert and configure them with
   the HTTP client... a keystore is not strictly necessary but it
   sometimes makes everything a bit easier if the HTTP client library
   can work with the keystore instead of individual Java objects)

That should be all you need to do. If your HTTP client library can
detect the system properties you've already set, then that's great. If
it can't, you'll need to use actual Java code to configure it properly.

If the above doesn't work, please provide stack traces when you get
errors. Since OpenSSL s_client works, your client key+cert are working
and you just need to get the configuration of your own client right.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] Client not loading truststore or keystore

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Diarmuid,

On 9/7/15 12:29 PM, dmccrthy wrote:
> You were right. The issue was with the code our vendor supplied for
> the Tomcat client webapp making outbound HTTPS connections. This
> was not correctly overriding classes with the result that the
> truststore and keystore environment settings were being completely
> ignored.
> 
> Thanks for your patience with this. It seems our vendor was not
> paying enough attention to log files and had me convinced that the
> issue was on our side. Your findings reiterating that it had to be
> something else helped me a lot.

Glad to help. Encrypted connections with Java require a great deal of
plumbing code and if it hasn't been done properly, it can make it
impossible to use the library in the way you want.

For instance, if you want to use a different trust store for TLS
connections than whatever -Djavax.net.ssl.trustStore is set to, and
the library doesn't support it, you are dead in the water: you have to
get the library authors to re-write the code to support it.

I had to do this a while back with my own client code and ended up
liberally borrowing methods from Apache Tomcat to do it. Whoever did
that code in the past made it very easy for me to follow in their
footsteps.

- -chris



Re: [OT] Client not loading truststore or keystore

Posted by dmccrthy <dm...@gmail.com>.
Hi Chris,

You were right. The issue was with the code our vendor supplied for the
Tomcat client webapp making outbound HTTPS connections. This was not
correctly overriding classes with the result that the truststore and
keystore environment settings were being completely ignored.

Thanks for your patience with this. It seems our vendor was not paying
enough attention to log files and had me convinced that the issue was on
our side. Your findings reiterating that it had to be something else helped
me a lot.

Thanks,
Diarmuid