Hello,
I have a Java WebService client (based on JAX-WS), requesting an Apache Server, over SSL (the URLs are all in HTTPS), with mutual authentication.
Certificates are generated into a PEM file, and imported into the Apache's repository (whatever it is, I have no competence whatsoever with the Apache side), and into the Java client's keystore (for the client certificate) and truststore (for the server certificate).
Our tests so far showed that with server authentication alone, WS invocations work.
However all our attempts using mutual-authent have failed.
The developer managed to activate what I think are JSSE traces on the client side, which I post below (see note).
Other tests conducted are:
- display the HTTPS WSDL URL in a browser (Mozilla, IE) -> WORKS (with adequete import/definition of the certificates (P12 form) into the browser conf)
- test with OpenSSL command-line tools -> WORKS (show that the server-side certificate chain is the one expected)
- test with an "incorrect" (name, key) certificate in the client'side store -> WORKS (that is, fail with a much more explicit message, along the line of "unable to validate certificate chain")
So currently we
assume the certificates are correct in the Java box, but the runtime does somehow not "gets them completely".
What I expect from forum users is a push to help me investigate the issue:
- I don't know which traces to activate (Java client-side and Apache server side) to check where the connection stops (presumably on the server as the Java client displays a
SocketException: Software caused connection abort: recv failed).
- I don't know which tool to use to
validate that the certificates are correctly imported into the JKS (the import process from PEM files was our first suspect)
- maybe someone may out of the blue spot the actual bit that tells it all in the traces I provide... (joining hands)
Here are the client-side logs.
(Note) I'm sure I cut or anonymized important bits, I am yet to analyze what I can safely or not post on a public web site - please let me know what parts of the handshake traces I should post, anyway don't tell my manager! :o)
...
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 141
SESSION KEYGEN:
PreMaster Secret:
0000: <skipped>
0010: <skipped>
0020: <skipped>
CONNECTION KEYGEN:
Client Nonce:
0000: <skipped>
0010: <skipped>
Server Nonce:
0000: <skipped>
0010: <skipped>
Master Secret:
0000: <skipped>
0010: <skipped>
0020: <skipped>
Client MAC write Secret:
0000: <skipped>
Server MAC write Secret:
0000: <skipped>
Client write key:
0000: <skipped>
Server write key:
0000: <skipped>
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { <skipped > }
***
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 1
main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
EDIT- do I need to add that I'm a very newbie to SSL and security in general?
EDIT - one person just pointed out that the Java client uses TLSv1, while the browser uses SSLv3, ha, ha..
A hint?
Brain-smoking...