Posted to users@cxf.apache.org by Jon Miller <jh...@yahoo.com> on 2008/12/02 23:53:00 UTC

Certificate error when using two-way SSL

Similar to other posts on this list, I receive a "javax.net.ssl.SSLHandshakeException: Received fatal
alert: bad_certificate" when I attempt to use a service that is configured
with two-way SSL.  However, his workaround is not working for me.

My configuration for the client is:
...

   <http:conduit name="*.http-conduit">
       
      <http:client ProxyServer="192.168.1.1" ProxyServerPort="11"/>
      <http:proxyAuthorization>
         <sec:UserName>username</sec:UserName>
         <sec:Password>password</sec:Password>
      </http:proxyAuthorization>
      
      <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="SSL">
         <sec:trustManagers>
            <sec:keyStore type="JKS" password="password" file="keystore.jks"/>
         </sec:trustManagers>
         <sec:keyManagers keyPassword="password">
            <sec:keyStore type="JKS" password="password" file="truststore.jks"/>
         </sec:keyManagers>
      </http:tlsClientParameters>
   </http:conduit>
   
   <jaxws:client id="client1" serviceClass="Test" address="http://localhost:8008/Test"/>
...   

In troubleshooting this I noticed that if I perform

Client client = ClientProxy.getClient(test);       
HTTPConduit http = (HTTPConduit) client.getConduit();
logger.debug("SSP: " + http.getTlsClientParameters().getSecureSocketProtocol());

it would come up null (whereas the other parameters such as disableCNCheck
would be as they were set in the application context; not sure if this is a
bug).

Anyhow, I added this step to make certain that the secure socket protocol
would in fact be set:

http.getTlsClientParameters().setSecureSocketProtocol("SSL");

But I still get the bad_certificate error.  I have gone through the process
of turning on debug for the SSL code, but it hasn't really shed any light on
what might be causing the problem.  Other clients using Axis have no problem
connecting to other services on this box and they simply use the command
line java options to set the SSL info.

Best,
jm
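
Added example (not part of the original post and not CXF code): in two-way SSL the store under sec:keyManagers has to contain a private-key entry, which is the client's identity, while the store under sec:trustManagers holds the certificates used to validate the server. The class below uses only the JDK KeyStore API to list what each JKS file actually contains; the class name StoreRoleCheck and its argument order are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic (hypothetical class name). Usage:
//   java StoreRoleCheck <keyManagers-store> <trustManagers-store> <store-password>
public class StoreRoleCheck {

    // Prints every entry in the JKS file and returns the number of key entries.
    static int describe(String role, String file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        int keyEntries = 0;
        System.out.println(role + " -> " + file);
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) {
                keyEntries++;
            }
            // For a key entry this is the first certificate of its chain.
            Certificate cert = ks.getCertificate(alias);
            String subject = "(no certificate)";
            String issuer = "(n/a)";
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                subject = x509.getSubjectX500Principal().getName();
                issuer = x509.getIssuerX500Principal().getName();
            }
            System.out.println("  " + (isKey ? "key entry         " : "trusted cert entry")
                    + " alias=" + alias + " subject=" + subject + " issuer=" + issuer);
        }
        return keyEntries;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: StoreRoleCheck <keyManagers-store> <trustManagers-store> <password>");
            System.exit(2);
        }
        char[] password = args[2].toCharArray();
        int clientKeys = describe("keyManagers", args[0], password);
        describe("trustManagers", args[1], password);
        if (clientKeys == 0) {
            System.out.println("WARNING: the keyManagers store has no private key, "
                    + "so the client has no certificate to present.");
        }
    }
}
```

Pass the file that each element of the conduit configuration references, in that order. The issuer printed for the client's key entry is the CA that the server's own trust store has to contain.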