Membrane Service Proxy 4.4.2 SSL truststore issue


Alex Soh

Aug 25, 2017, 4:48:04 AM
to membrane-monitor
I'm running JRE 1.8.0_141.

I have this in my proxies.xml under one of my serviceProxy elements:
<ssl protocol="TLSv1.2">
  <keystore location="./ssl/keystore.jks" password="secret" keyPassword="secret"/>
  <truststore location="./ssl/truststore.jks" password="secret"/>
</ssl>


I'm using a self-signed CA root cert, and my host service server's keystore contains a cert that was signed by that self-signed CA root cert.

The ./ssl/truststore.jks contains the self-signed CA root cert.

I'm getting the following SSL handshake error:
***
%% Invalidated:  [Session-5, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

My current solution is to import my self signed CA root cert into
C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts

It seems like Membrane is not using the truststore specified in <truststore>.


Tobias Polley

Aug 25, 2017, 5:01:33 AM
to membrane-monitor
Hi Alex,

Are you using 2 Membranes to communicate with each other?

(The keystore has to be put on one side of the TLS connection, the truststore on the other.)

Best
Tobias


Alex Soh

Aug 25, 2017, 5:22:54 AM
to membrane-monitor
Hi Tobias,

I'm not using 2 Membranes, just 1.

It goes like this:

SOAPUI(localhost)--->Membrane(localhost)--->Service Host (localhost)

This works:
SOAPUI(localhost)--->Service Host (localhost)

This is the SSL handshake:
Membrane Router running...
16:32:14,581  INFO TrackingFileSystemXmlApplicationContext:577 - Refreshing Membrane Service Proxy's Spring Context
16:32:14,644  INFO XmlBeanDefinitionReader:317 - Loading XML bean definitions from file [C:\membrane-service-proxy-4.4.2\examples\quickstart-soap\proxies.xml]
16:32:16,047  INFO DefaultLifecycleProcessor:341 - Starting beans in phase 0
16:32:22,816  WARN StaticSSLContext:60 - Your Java Virtual Machine does not have unlimited strength cryptography. If it is legal in your country, we strongly advise installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
***
found key for : ws-gateway
chain [0] = [
[
  Version: V1
  Subject: EMAILADDRESS=ws-ga...@example.com, CN=WS-Gateway, OU=dept, O=example, L=location, ST=State, C=AU
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: 6360257673494716597756.........
  public exponent: 65537
  Validity: [From: Fri Aug 25 15:02:13 SGT 2017,
               To: Tue Nov 03 15:02:13 SGT 2020]
  Issuer: EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  SerialNumber: [    01]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 65 BF 04 FD 67 C0 CB 5F   2E 18 F5 35 01 42 C7 55  e...g.._...5.B.U
0010: 3C 56 D4 AB 74 9D 8D 1E   92 87 33 BD 98 EB 5C FC  <V..t.....3...\.
0020: D4 0E 7E 4A 11 29 DA F8   7D C0 B0 95 E1 0A E8 73  ...J.).........s
......

]
chain [1] = [
[
  Version: V3
  Subject: EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: 7835215245816923624710400194.....
  public exponent: 65537
  Validity: [From: Thu Nov 05 14:30:04 SGT 2015,
               To: Wed Nov 04 14:30:04 SGT 2020]
  Issuer: EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  SerialNumber: [    a62a096b 78f5fd31]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 23 8F 30 06 63 4F 0E D7   90 63 D5 E6 B4 62 54 F5  #.0.cO...c...bT.
0010: 51 73 0C E1                                        Qs..
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 8F 30 06 63 4F 0E D7   90 63 D5 E6 B4 62 54 F5  #.0.cO...c...bT.
0010: 51 73 0C E1                                        Qs..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: A8 85 2D 4E 90 FD 9D 20   8A FA 4D EA 15 52 24 52  ..-N... ..M..R$R
0010: E5 02 8D 24 07 D3 B6 8D   29 85 38 08 62 1A A4 9D  ...$....).8.b...
0020: DB AB ED 29 9F A3 E4 D1   21 C2 F5 D4 C6 63 DA 80  ...)....!....c..
0030: E8 2A 83 4D 24 92 91 82   0B A4 7D ED 05 67 1D A1  .*.M$........g..
.....

]
***
adding as trusted cert:
  Subject: EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  Issuer:  EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  Algorithm: RSA; Serial number: 0xa62a096b78f5fd31
  Valid from Thu Nov 05 14:30:04 SGT 2015 until Wed Nov 04 14:30:04 SGT 2020

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
...

trigger seeding of SecureRandom
done seeding SecureRandom
***
found key for : ws-gateway
chain [0] = [
[
  Version: V1
  Subject: EMAILADDRESS=ws-ga...@example.com, CN=WS-Gateway, OU=dept, O=example, L=location, ST=State, C=AU
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: 63602576734947165977563681934770215098881523254051339272445393053787446822454503169351246130381766748062613234048485366475657631422662846971882438338
....
  public exponent: 65537
  Validity: [From: Fri Aug 25 15:02:13 SGT 2017,
               To: Tue Nov 03 15:02:13 SGT 2020]
  Issuer: EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  SerialNumber: [    01]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 65 BF 04 FD 67 C0 CB 5F   2E 18 F5 35 01 42 C7 55  e...g.._...5.B.U
0010: 3C 56 D4 AB 74 9D 8D 1E   92 87 33 BD 98 EB 5C FC  <V..t.....3...\.
0020: D4 0E 7E 4A 11 29 DA F8   7D C0 B0 95 E1 0A E8 73  ...J.).........s
....

]
chain [1] = [
[
  Version: V3
  Subject: EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: 78352152458169236247104001948249075470424426854007299546077297135177017875440288858941937624698524467548830794348525408204074306524440539281275445034
...
  public exponent: 65537
  Validity: [From: Thu Nov 05 14:30:04 SGT 2015,
               To: Wed Nov 04 14:30:04 SGT 2020]
  Issuer: EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  SerialNumber: [    a62a096b 78f5fd31]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 23 8F 30 06 63 4F 0E D7   90 63 D5 E6 B4 62 54 F5  #.0.cO...c...bT.
0010: 51 73 0C E1                                        Qs..
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 8F 30 06 63 4F 0E D7   90 63 D5 E6 B4 62 54 F5  #.0.cO...c...bT.
0010: 51 73 0C E1                                        Qs..
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: A8 85 2D 4E 90 FD 9D 20   8A FA 4D EA 15 52 24 52  ..-N... ..M..R$R
0010: E5 02 8D 24 07 D3 B6 8D   29 85 38 08 62 1A A4 9D  ...$....).8.b...
0020: DB AB ED 29 9F A3 E4 D1   21 C2 F5 D4 C6 63 DA 80  ...)....!....c..
.....

]
***
adding as trusted cert:
  Subject: EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  Issuer:  EMAILADDRESS=caR...@example.com, CN=CARoot, OU=dept, O=example, L=location, ST=State, C=AU
  Algorithm: RSA; Serial number: 0xa62a096b78f5fd31
  Valid from Thu Nov 05 14:30:04 SGT 2015 until Wed Nov 04 14:30:04 SGT 2020

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
...
trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
  Valid from Mon Jun 21 12:00:00 SGT 1999 until Mon Jun 22 12:00:00 SGT 2020

I noticed this line:
trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts

which caused me to try importing the CA cert into it.
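
The "trustStore is:" line above is the decisive clue in this thread: it names the truststore the JVM actually initialised for the outbound connection, and the "adding as trusted cert:" entries that follow list the anchors it loaded. The helper below, added here as an illustration and not part of the original thread or of Membrane, reads a javax.net.debug log in the format shown in the post, extracts the effective truststore path, the loaded anchor subjects and any fatal alert, and then checks whether the CA you expected (identified by its CN, a parameter assumed for this example) is among the anchors. The sample log is constructed from lines in the post.

```python
"""Triage a Java javax.net.debug TLS log for truststore mix-ups (added example)."""
import re

# Constructed sample built from the lines posted in the thread: the JVM
# initialised the default cacerts, loaded public CAs, then failed path building.
SAMPLE_LOG = r"""
trustStore is: C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""


def _has_cn(subject, cn):
    """True if the DN string contains the exact RDN CN=<cn> (not a substring match)."""
    return any(part.strip() == f"CN={cn}" for part in subject.split(","))


def triage_ssl_debug(log_text, expected_issuer_cn):
    """Summarise which truststore was used and whether the expected CA was loaded.

    expected_issuer_cn is the CN of the CA that signed the backend's certificate
    (hypothetical parameter; in the thread it would be "CARoot").
    """
    result = {
        "truststore": None,        # path the JVM reported with "trustStore is:"
        "trusted_subjects": [],    # subjects from "adding as trusted cert:" blocks
        "fatal_alerts": [],        # alert descriptions from fatal ALERT lines
        "pkix_failure": False,     # saw "PKIX path building failed"
    }
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*trustStore is:\s*(.+)", line)
        if m:
            result["truststore"] = m.group(1).strip()
        # The subject of a trust anchor is on the line after "adding as trusted cert:".
        if line.strip() == "adding as trusted cert:" and i + 1 < len(lines):
            sm = re.match(r"\s*Subject:\s*(.+)", lines[i + 1])
            if sm:
                result["trusted_subjects"].append(sm.group(1).strip())
        m = re.search(r"ALERT:\s*fatal, description = (\w+)", line)
        if m:
            result["fatal_alerts"].append(m.group(1))
        if "PKIX path building failed" in line:
            result["pkix_failure"] = True

    result["issuer_trusted"] = any(
        _has_cn(s, expected_issuer_cn) for s in result["trusted_subjects"]
    )
    if result["pkix_failure"] and not result["issuer_trusted"]:
        result["diagnosis"] = (
            f"CN={expected_issuer_cn} is not among the {len(result['trusted_subjects'])} "
            f"anchor(s) loaded from {result['truststore']}; the outbound side is using "
            f"the wrong truststore"
        )
    elif result["pkix_failure"]:
        result["diagnosis"] = (
            "issuer is loaded but path building still failed; check that the server "
            "sends the full chain and that the anchor's SubjectKeyIdentifier matches "
            "the leaf's AuthorityKeyIdentifier"
        )
    else:
        result["diagnosis"] = "no PKIX failure recorded"
    return result


if __name__ == "__main__":
    summary = triage_ssl_debug(SAMPLE_LOG, "CARoot")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the real log with `-Djavax.net.debug=ssl` output captured to a file; if the reported truststore is the JVM's cacerts while you configured a `<truststore>` in Membrane, the truststore element is on the wrong side of the connection.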

Tobias Polley

Aug 25, 2017, 5:39:24 AM
to membrane-monitor
Hi Alex,

<serviceProxy>
  <ssl>
    <keystore .../>
  </ssl>
  ...
  <target host="localhost" ...>
    <ssl>
      <truststore .../>
    </ssl>
  </target>
</serviceProxy>

should do the trick. The first <ssl> is used for inbound connections, the second for outbound (from Membrane's point of view).

Best,
Tobias

Alex Soh

Aug 28, 2017, 12:34:44 AM
to membrane-monitor
Hi Tobias,

I removed my self-signed CA cert from C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts

and configured my proxies.xml to what you suggested.

It still gives me the same problem.

(1) My truststore for Membrane contains my self-signed CA cert
(2) My keystore for Membrane contains my self-signed cert chain to the above self-signed CA root

(3) My truststore at the service host contains my self-signed CA cert
(4) My keystore at the service host contains my self-signed cert chain to the above self-signed CA root

(1) and (3) are the same cert
(2) and (4) are the same cert


I tried the following as well, but it gives different errors.
1) Import my self-signed CA cert into C:\Program Files\Java\jre1.8.0_141\lib\security\cacerts
2) Configure my proxies.xml as below:
<serviceProxy>
  <ssl>
  </ssl>
  <target url="https://hostname:8443/service?wsdl">
    <ssl>
    </ssl>
  </target>
</serviceProxy>

3) The SSL handshake shows that it found a trusted certificate; however, Membrane shows the following error:
ERROR RouterCLI:50 - Failed to start bean 'router'; nested exception is java.lang.RuntimeException: java.lang.RuntimeException: Could not extract DNS names from the first key's certificate in null


Sudesh Acharya

Dec 25, 2019, 1:46:51 PM
to membrane-monitor
Hello,

I was facing the same issue as reported (certificate_unknown). In the log I could see that, after serverHello is initiated, the certificate chain printed was that of the key present in keystore.jks. This should have been the server certificate. Hence, when it looks in the truststore for the key returned, it cannot find it and fails with certificate_unknown.

<serviceProxy name="testing" port="12555">
  <ssl ignoreTimestampCheckFailure="true" endpointIdentificationAlgorithm="">
    <keystore location="/tmp/keystore.jks" password="changeit" keyPassword="changeit"/>
  </ssl>
  <target host="remote.host.com" port="12555">
    <ssl endpointIdentificationAlgorithm="">
      <truststore location="/tmp/truststore.jks" password="changeit"/>
    </ssl>
  </target>
</serviceProxy>


Sudesh Acharya

Dec 25, 2019, 2:23:18 PM
to membrane-monitor
The product is good, but the only drawback is that it is unable to handle two-way SSL.

Tobias Polley

Dec 26, 2019, 3:57:58 PM
to membrane-monitor
Hi.

Membrane can handle TLS Client Authentication and TLS Server Authentication. It is basically the same as Java and not really a Membrane issue, as Membrane simply exposes the Java API through its XML configuration file.

serviceProxy/ssl is used to configure inbound TLS (from Membrane's perspective), serviceProxy/target/ssl is used to configure outbound TLS.

Best
Tobias
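
The two replies from Tobias reduce to one rule: `serviceProxy/ssl` is Membrane's server side (it needs the keystore), `serviceProxy/target/ssl` is Membrane's client side (it needs the truststore for the backend's CA). The script below, an added example that is neither part of this thread nor of the Membrane project, encodes that rule as a lint over a proxies.xml fragment with Python's standard library. It also flags two attributes that appear in the configurations posted later in the thread, `endpointIdentificationAlgorithm=""` (hostname verification off) and `ignoreTimestampCheckFailure="true"` (expired certificates accepted), because a practitioner auditing a gateway config would want those surfaced alongside the keystore/truststore placement. The two sample fragments are constructed from the snippets in the thread; the finding texts are the example's own wording.

```python
"""Lint a Membrane proxies.xml fragment for the TLS mistakes discussed above (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the original poster's layout (truststore on the inbound <ssl>)
# combined with the verification-weakening attributes seen in later posts.
SAMPLE_BAD = """
<router>
  <serviceProxy name="soap" port="2000">
    <ssl protocol="TLSv1.2">
      <keystore location="./ssl/keystore.jks" password="secret" keyPassword="secret"/>
      <truststore location="./ssl/truststore.jks" password="secret"/>
    </ssl>
    <target url="https://hostname:8443/service?wsdl">
      <ssl endpointIdentificationAlgorithm="" ignoreTimestampCheckFailure="true"/>
    </target>
  </serviceProxy>
</router>
"""

# Constructed sample of the layout recommended in the thread: keystore inbound,
# truststore outbound, nothing disabled.
SAMPLE_GOOD = """
<router>
  <serviceProxy name="soap" port="2000">
    <ssl protocol="TLSv1.2">
      <keystore location="./ssl/keystore.jks" password="secret" keyPassword="secret"/>
    </ssl>
    <target host="localhost" port="8443">
      <ssl>
        <truststore location="./ssl/truststore.jks" password="secret"/>
      </ssl>
    </target>
  </serviceProxy>
</router>
"""


def lint_service_proxy(sp):
    """Return a list of finding strings for one <serviceProxy> element."""
    label = sp.get("name") or f"port {sp.get('port')}"
    findings = []
    inbound = sp.find("ssl")                       # Membrane as TLS server
    target = sp.find("target")
    outbound = target.find("ssl") if target is not None else None  # Membrane as TLS client

    if inbound is not None:
        if inbound.find("keystore") is None:
            findings.append(f"{label}: inbound <ssl> has no <keystore>, so Membrane has "
                            f"no server certificate to present")
        outbound_has_ts = outbound is not None and outbound.find("truststore") is not None
        if inbound.find("truststore") is not None and not outbound_has_ts:
            findings.append(f"{label}: <truststore> is on the inbound <ssl> but missing "
                            f"from <target><ssl>; the backend's CA must be trusted on "
                            f"the outbound side")

    if target is not None:
        wants_tls = outbound is not None or (target.get("url") or "").startswith("https://")
        if wants_tls and (outbound is None or outbound.find("truststore") is None):
            findings.append(f"{label}: outbound TLS without an explicit <truststore>; "
                            f"the JVM default cacerts decides what is trusted")

    # Attributes that weaken certificate validation, on either side.
    for side, elem in (("inbound", inbound), ("outbound", outbound)):
        if elem is None:
            continue
        if elem.get("endpointIdentificationAlgorithm") == "":
            findings.append(f"{label}: {side} <ssl> sets endpointIdentificationAlgorithm='', "
                            f"disabling hostname verification")
        if elem.get("ignoreTimestampCheckFailure", "").lower() == "true":
            findings.append(f"{label}: {side} <ssl> sets ignoreTimestampCheckFailure='true', "
                            f"so expired certificates are accepted")
    return findings


def lint_proxies_xml(xml_text):
    """Lint every <serviceProxy> in a proxies.xml document and return all findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for sp in root.iter("serviceProxy"):
        findings.extend(lint_service_proxy(sp))
    return findings


if __name__ == "__main__":
    for name, doc in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(f"== {name} ==")
        for finding in lint_proxies_xml(doc) or ["no findings"]:
            print(" -", finding)
```

Point `lint_proxies_xml` at the text of a real proxies.xml; a `<truststore>` finding on the inbound side is exactly the layout from the first post, and the "JVM default cacerts" finding corresponds to the "trustStore is: ...cacerts" line in the debug log.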

Sudesh Acharya

Dec 26, 2019, 11:25:17 PM
to membrane...@googlegroups.com
Hi,

Thank you for the information. I was able to get the response using a Java client via two-way SSL. Now I just introduced Membrane in the middle and I get those issues. So I'm not very convinced that Java could be doing something different.

Kind regards,
Sudesh


--
You received this message because you are subscribed to the Google Groups "membrane-monitor" group.
To unsubscribe from this group and stop receiving emails from it, send an email to membrane-monit...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/membrane-monitor/a7559085-9816-4ab2-93cb-1145553599b6%40googlegroups.com.

Sudesh Acharya

Dec 27, 2019, 1:47:49 PM
to membrane-monitor
Another observation:

<serviceProxy name="testing" port="12556">
  <ssl ignoreTimestampCheckFailure="true" endpointIdentificationAlgorithm="">
    <keystore location="/tmp/keystore.jks" password="changeit" keyPassword="changeit"/>
  </ssl>
  <target host="127.0.0.1" port="12555">
    <ssl endpointIdentificationAlgorithm="">
      <truststore location="/tmp/truststore.jks" password="changeit"/>
    </ssl>
  </target>
</serviceProxy>

I was expecting the outbound call to fail as there are no listeners set on 127.0.0.1 port 12555. But there was no indication in the log that Membrane is not able to connect to the unavailable remote host.


Sudesh Acharya

Dec 29, 2019, 11:24:31 AM
to membrane-monitor
I was about to explore other products, but after looking at Tobias's comments I started to play around with the certificates, including client.jks and membrane.jks along with keystore.jks and truststore.jks, and I was able to get the success response via two-way SSL. Thanks, this product is very good and easy to configure. Thank you.