Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

SSL Two-way Client authentication without Weblogic classes?

0 views
Skip to first unread message

Primoz Hrvatin

unread,
Sep 12, 2003, 6:04:18 AM9/12/03
to

Hi!

Client is running as a JSP. Its sole purpose is checking the availability
of the (secure) URL on the server:
<%
URL url = new URL(urlString);
HttpURLConnection con = (HttpURLConnection)url.openConnection();
%>contacting <%= urlString %><br>
<%= con.getResponseCode() + ": " + con.getResponseMessage() %>
<%
con.disconnect();
%>

I don't want to use the proprietary weblogic classes, because I want this
JSP to be generic for all platforms. One-way authentication works though!

I'm using WL 8.1 SP1 on both clients and server.
I have set up a two-way authentication using the following procedure.

Server:
1. configured Custom Identity & Custom Trust in the admin console
identity keystore: server-keys
trust keystore: server-trust

In the Keystores & SSL tab I selected Two Way Client Cert Behavior as
"Client certs are required and enforced"

2. keytool -keystore server-keys -genkey -alias server -keysize 512
Note: Development license support only low-grade encryption and
requires 512-bit key size.
CN field is set to the DNS name of the server, eg. server.name.com.
3. keytool -keystore server-keys -export -alias server -file server.crt

Client:
The same steps as server, replace 'server' with 'client'.
Then
4. keytool -keystore client-trust -trustcacerts -import -alias ca_server
-file server.crt

And then on the server:
keytool -keystore server-trust -trustcacerts -import -alias ca_client -file
client.crt

Machines reboot.
After running the client, the code does not work, I get a HANDSHAKE ERROR
on the client:
---
javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE
alert received from client.name.com - 111.111.111.111. Check both sides of
the SSL configuration for mismatches in supported ciphers, supported
protocol versions, trusted CAs, and hostname verification settings.
---

I have enabled SSL debugging on the server and it says:
----
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Filtering JSSE
SSLSocket>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLIOContextTable.addContext(ctx): 23386952>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <SSLSocket will be
Muxing>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLIOContextTable.findContext(is): 7898079>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLFilter.isActivated: false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <isMuxerActivated:
false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLFilter.isActivated: false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 readRecord()>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 SSL
Version 2 with no padding>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 SSL3/TLS MAC>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 received
SSL_20_RECORD>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE:
ClientHelloV2>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write HANDSHAKE
offset = 0 length = 58>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write HANDSHAKE
offset = 0 length = 475>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Converting
principal: CN=client.name.com, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xx>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write HANDSHAKE
offset = 0 length = 128>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write HANDSHAKE
offset = 0 length = 4>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLFilter.isActivated: false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <isMuxerActivated:
false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLFilter.isActivated: false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 readRecord()>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 SSL3/TLS MAC>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 received
HANDSHAKE>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE:
Certificate>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <validationCallback:
validateErr = 16>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Required peer
certificates not supplied by peer>
<Sep 12, 2003 11:40:54 AM MEST> <Warning> <Security> <BEA-090508>
<Certificate chain received from client.name.com - 111.111.111.111 was
incomplete.>
<Sep 12, 2003 11:40:54 AM MEST> <Warning> <Security> <BEA-090477>
<Certificate chain received from client.name.com - 111.111.111.111 was not
trusted causing SSL handshake failure.>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Validation error = 20>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Certificate chain
is incomplete>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Certificate chain
is untrusted>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <User defined JSSE
trustmanagers not allowed to override>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <SSLTrustValidator
returns: 84>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Trust failure (84):
CERT_CHAIN_INCOMPLETE CERT_CHAIN_UNTRUSTED>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <NEW ALERT:
com.certicom.tls.record.alert.Alert@81ad8f Severity: 2 Type: 40
java.lang.Throwable: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at
com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at
com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown
Source)
at
com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown
Source)
at
com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown
Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at
com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at
com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
at
com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source)
at
weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write ALERT offset
= 0 length = 2>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <close(): 14411981>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLIOContextTable.removeContext(ctx): 23386952>
----

I suspect something is missing in the client certificate, leading to server
not trusting it. But the server loaded trust keystore successfully:

--
<Sep 12, 2003 11:38:45 AM MEST> <Notice> <Security> <BEA-090169> <Loading
trusted certificates from the jks keystore file /path/to/client-trust.>
<Sep 12, 2003 11:38:45 AM MEST> <Debug> <TLS> <000000> <Trusted CA: [
[
Version: V1
Subject: CN=client.name.com, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xx
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffe56
Validity: [From: Thu Sep 11 22:28:35 MEST 2003,
To: Wed Dec 10 21:28:35 MET 2003]
Issuer: CN=client.name.com, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xx
SerialNumber: [ 3f60daf3]

]
Algorithm: [MD5withRSA]
Signature:
0000: 24 BB BE D3 C4 F7 BB B5 C5 E0 43 F0 B6 AD AD 5C $.........C....\
0010: 2D 92 CD 85 9F 9A A1 E1 2E A9 A6 CE CB A7 7C B2 -...............
0020: 63 18 84 B0 70 59 ED A5 43 79 EE 9D 70 34 D9 FF c...pY..Cy..p4..
0030: B0 43 FA 42 05 33 DE 27 E1 96 91 2C 38 1D C1 A3 .C.B.3.'...,8...

]>
<Sep 12, 2003 11:38:45 AM MEST> <Debug> <TLS> <000000> <SSLManager: loaded
1 trusted CAs from /path/to/client-trust>
--

What am I doing wrong??


Help strongly appreciated!

Primoz

PavelS

unread,
Sep 15, 2003, 2:29:02 PM9/15/03
to

The server complains because the client did not send its identity certificate.
You'll need to modify client's code to set its identity.

Pavel.

Primoz Hrvatin

unread,
Sep 16, 2003, 11:26:31 AM9/16/03
to
Is it possible to do that without using weblogic classes
(weblogic.net.http.HttpsURLConnection)? I want to have as modular
configuration of the client as possible.

Primoz

Pavel

unread,
Sep 17, 2003, 2:59:44 PM9/17/03
to

You could try using JSSE. This is not supported but might work in your case.
Certicom SSL implementation used by WLS has own implementations for some of the
JSSE classes. So, adding jsse.jar in front of weblogic classes in the classpath
in some cases can break Certicom, adding it at the end might break Sun's implementation.
0 new messages