Hi guys,
After hours spent trying, and also going through a million entries in the wM forums, I am still stuck with the following:
I need to prove that we can connect to an outside system (payment platform) with client certs.
The platform requires client authentication.
To simulate the platform, we have a mockup running on a Tomcat server with the following settings:
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="C:\entwicklung\ca\server\server.ks"
           keystorePass="keystore" keystoreType="JKS"
           trustStoreFile="C:\entwicklung\ca\server\server.ks"
           truststorePass="keystore" />
So for a simple test I just invoke pub.security:setKeyAndChain and pub.client:http.
I set the cert chain with the private key and client cert supplied, which is self-signed (no CA or intermediate certificate).
I enabled SSL debugging in the IS and get the following trace:
ssl_debug(31): Starting handshake (iSaSiLk 3.03)…
ssl_debug(31): Sending v2 client_hello message, requesting version 3.1…
ssl_debug(31): Received v3 server_hello handshake message.
ssl_debug(31): Server selected SSL version 3.1.
ssl_debug(31): Server created new session 48:B8:20:4B:6B:8E:99:A4…
ssl_debug(31): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(31): CompressionMethod selected by server: NULL
ssl_debug(31): Received certificate handshake message with server certificate.
ssl_debug(31): Server sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(31): Received server_hello_done handshake message.
ssl_debug(31): Sending client_key_exchange handshake message (1024 bit)…
ssl_debug(31): Sending change_cipher_spec message…
ssl_debug(31): Sending finished message…
ssl_debug(31): Received change_cipher_spec message.
ssl_debug(31): Received finished message.
ssl_debug(31): Session added to session cache.
ssl_debug(31): Handshake completed, statistics:
ssl_debug(31): Read 737 bytes in 3 records, wrote 182 bytes in 3 records.
2008-08-29 18:14:03 CEST [ISC.0038.0002D] → GET /ldsws/ HTTP/1.1
2008-08-29 18:14:03 CEST [ISC.0038.0002D] → User-Agent: Mozilla/4.0 [en] (WinNT; I)
2008-08-29 18:14:03 CEST [ISC.0038.0002D] → Accept: image/gif, /
2008-08-29 18:14:03 CEST [ISC.0038.0002D] → Host: localhost:443
2008-08-29 18:14:03 CEST [ISC.0038.0002D] → Content-Type: application/x-www-form-urlencoded
ssl_debug(31): Received hello_request handshake message from server, restarting handshake…
ssl_debug(31): Acquiring locks for renegotiation…
ssl_debug(31): Starting renegotiation…
ssl_debug(31): Sending v3 client_hello message, requesting version 3.1…
ssl_debug(31): Trying to resume session 48:B8:20:4B:6B:8E:99:A4…
ssl_debug(31): Received v3 server_hello handshake message.
ssl_debug(31): Server selected SSL version 3.1.
ssl_debug(31): Server created new session 48:B8:20:4B:DC:F4:09:BF…
ssl_debug(31): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_MD5
ssl_debug(31): CompressionMethod selected by server: NULL
ssl_debug(31): Received certificate handshake message with server certificate.
ssl_debug(31): Server sent a 1024 bit RSA certificate, chain has 1 elements.
ssl_debug(31): Received certificate_request handshake message.
ssl_debug(31): Accepted certificate types: RSA, DSS
ssl_debug(31): Accepted certificate authorities:
…
ssl_debug(31): Received server_hello_done handshake message.
ssl_debug(31): No client certificate available, sending empty certificate message…
ssl_debug(31): Sending client_key_exchange handshake message (1024 bit)…
ssl_debug(31): Sending change_cipher_spec message…
ssl_debug(31): Sending finished message…
ssl_debug(31): Exception sending message: java.net.SocketException: Software caused connection abort: socket write error
ssl_debug(31): Shutting down SSL layer…
So somehow the IS is not sending my own client certificate, even though I put it in the chain.
This error corresponds to the error thrown on Tomcat:
29.08.2008 18:14:03 org.apache.coyote.http11.Http11Processor action
WARNUNG: Exception getting SSL attributes
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
The IS is set up to ignore empty chains and also to trust all CAs, so the CA trusted dir is not used for this first attempt.
I also tried to do it the other way, setting up the certs in the ADMIN/certificates Outbound SSL Certificates page, but that throws the same error UNLESS I put the same client certificate as the server's CA certificate.
For this case, I disabled the pub.security:setKeyAndChain call in the test flow and did the https call directly.
Then the errors are different:
IS:
ssl_debug(34): Received server_hello_done handshake message.
ssl_debug(34): Sending certificate handshake message with RSA client
…
ssl_debug(34): Sending client_key_exchange handshake message (102
ssl_debug(34): Sending certificate_verify handshake message…
ssl_debug(34): Sending change_cipher_spec message…
ssl_debug(34): Exception sending message: java.net.SocketExceptio
sed connection abort: socket write error
ssl_debug(34): Shutting down SSL layer…
(As you can see, now the client cert is being sent, but only if I put it in the server's CA folder in the Admin/Certificates settings page.)
Tomcat:
29.08.2008 18:30:59 org.apache.coyote.http11.Http11Processor action
WARNUNG: Exception getting SSL attributes
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: End user tried to act as a CA
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
Any idea?
Finally, I imported the certs into IE and Firefox and was able to connect to the site from both without any problems.
One strange thing is that I am not able to import those certs as client certificates into the IS ("Could not import certificate. Please ensure that the file is a valid certificate"), even though they are in the correct format (otherwise setKeyAndChain wouldn't work).
Any suggestions are greatly appreciated.
versions: IS 7.1.1, clean installation
Thanks
//Matt
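An added example, not part of Matt's post and not Software AG or Tomcat code: a small classifier for iSaSiLk-style ssl_debug traces like the ones above. It re-joins console-wrapped lines, splits the trace into handshakes (the initial one and any renegotiation triggered by a hello_request), and reports for the last handshake whether the server asked for a client certificate, whether the IS sent one, and where the connection broke. The three sample traces are constructed from the post's log lines (the successful one is hypothetical) and the marker strings are assumed to be stable iSaSiLk messages.

```python
"""Classify an ssl_debug trace from webMethods IS to see where client-cert
authentication went wrong.  Added example; sample traces are constructed."""
import re

# A real trace line starts with "ssl_debug(N):" or an IS timestamp; anything
# else is the tail of a line the console wrapped (e.g. "messag" / "e...").
LINE_START = re.compile(r"^(ssl_debug\(\d+\):|\d{4}-\d{2}-\d{2} )")

# Substrings that identify handshake events (assumed stable iSaSiLk wording).
MARKERS = {
    "cert_requested": "Received certificate_request handshake message",
    "empty_cert_sent": "sending empty certificate message",
    "cert_sent": "Sending certificate handshake message with",
    "cert_verify_sent": "Sending certificate_verify handshake message",
    "completed": "Handshake completed",
    "aborted": "Exception sending message",
}

# Defender-side reading of each outcome, for the report.
EXPLANATIONS = {
    "completed": "handshake finished; client auth (if requested) was accepted",
    "no_client_auth_requested": "server never sent certificate_request, so "
        "clientAuth is off on that endpoint or the request went elsewhere",
    "empty_client_certificate": "IS had no usable key/chain for this connection: "
        "check setKeyAndChain or the outbound SSL certificate settings",
    "client_certificate_rejected": "client cert and certificate_verify were sent "
        "but the peer closed the socket: its trust store lacks the issuer (for a "
        "self-signed cert, the cert itself) or rejects a leaf used as a CA",
    "unknown": "no recognised outcome; inspect the trace manually",
}


def unwrap(text):
    """Re-join lines that the console wrapped mid-message."""
    lines = []
    for raw in text.splitlines():
        if LINE_START.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += raw  # continuation of the previous trace line
    return lines


def split_handshakes(lines):
    """Group trace lines by handshake; a renegotiation starts a new group."""
    groups = [[]]
    for line in lines:
        if ("Starting handshake" in line or "Starting renegotiation" in line) and groups[-1]:
            groups.append([])
        groups[-1].append(line)
    return groups


def summarize(lines):
    """Map each marker name to whether it occurred in this handshake."""
    return {name: any(marker in line for line in lines) for name, marker in MARKERS.items()}


def classify(text):
    """Return an outcome code for the last handshake in the trace."""
    last = split_handshakes(unwrap(text))[-1]
    s = summarize(last)
    if s["completed"]:
        return "completed"
    if not s["cert_requested"]:
        return "no_client_auth_requested"
    if s["empty_cert_sent"]:
        return "empty_client_certificate"
    if s["cert_sent"] and s["aborted"]:
        return "client_certificate_rejected"
    return "unknown"


# Constructed sample 1: initial handshake completes, Tomcat (clientAuth="want")
# renegotiates and the IS answers with an empty certificate message.
TRACE_EMPTY_CERT = """\
ssl_debug(31): Starting handshake (iSaSiLk 3.03)...
ssl_debug(31): Received server_hello_done handshake message.
ssl_debug(31): Handshake completed, statistics:
ssl_debug(31): Received hello_request handshake message from server, restarting
handshake...
ssl_debug(31): Starting renegotiation...
ssl_debug(31): Received certificate_request handshake message.
ssl_debug(31): Accepted certificate types: RSA, DSS
ssl_debug(31): Received server_hello_done handshake message.
ssl_debug(31): No client certificate available, sending empty certificate messag
e...
ssl_debug(31): Sending finished message...
ssl_debug(31): Exception sending message: java.net.SocketException: Software cau
sed connection abort: socket write error
ssl_debug(31): Shutting down SSL layer...
"""

# Constructed sample 2: the cert is sent and signed for, then the peer aborts.
TRACE_CERT_REJECTED = """\
ssl_debug(34): Starting handshake (iSaSiLk 3.03)...
ssl_debug(34): Received certificate_request handshake message.
ssl_debug(34): Received server_hello_done handshake message.
ssl_debug(34): Sending certificate handshake message with RSA client certificate...
ssl_debug(34): Sending certificate_verify handshake message...
ssl_debug(34): Exception sending message: java.net.SocketException: socket write error
ssl_debug(34): Shutting down SSL layer...
"""

# Constructed sample 3 (hypothetical): client auth accepted.
TRACE_OK = TRACE_CERT_REJECTED.replace(
    "ssl_debug(34): Exception sending message: java.net.SocketException: socket write error",
    "ssl_debug(34): Received finished message.\nssl_debug(34): Handshake completed, statistics:")

if __name__ == "__main__":
    for name, trace in [("empty", TRACE_EMPTY_CERT), ("rejected", TRACE_CERT_REJECTED), ("ok", TRACE_OK)]:
        code = classify(trace)
        print(f"{name}: {code} -> {EXPLANATIONS[code]}")
```

Run against the two traces in the post, the first case classifies as `empty_client_certificate` (the renegotiation, not the successful initial handshake, is what matters) and the second as `client_certificate_rejected`, which matches Tomcat's "null cert chain" and "End user tried to act as a CA" messages respectively: the second error is the server side of a self-signed leaf certificate being placed in the trust store as if it were a CA.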