Client is running as a JSP. Its sole purpose is checking the availability
of the (secure) URL on the server:
<%@ page import="java.net.URL, java.net.HttpURLConnection" %>
<%-- urlString holds the https URL to check; assumed to be set earlier in the page --%>
<%
URL url = new URL(urlString);
HttpURLConnection con = (HttpURLConnection) url.openConnection();
%>contacting <%= urlString %><br>
<%= con.getResponseCode() + ": " + con.getResponseMessage() %>
<%
con.disconnect();
%>
I don't want to use the proprietary weblogic classes, because I want this
JSP to be generic for all platforms. One-way authentication works though!
I'm using WL 8.1 SP1 on both clients and server.
I have set up a two-way authentication using the following procedure.
Server:
1. configured Custom Identity & Custom Trust in the admin console
identity keystore: server-keys
trust keystore: server-trust
In the Keystores & SSL tab I selected Two Way Client Cert Behavior as
"Client certs are required and enforced"
2. keytool -keystore server-keys -genkey -alias server -keysize 512
Note: The development license supports only low-grade encryption and
requires a 512-bit key size.
The CN field is set to the DNS name of the server, e.g. server.name.com.
3. keytool -keystore server-keys -export -alias server -file server.crt
Client:
The same steps as server, replace 'server' with 'client'.
Then
4. keytool -keystore client-trust -trustcacerts -import -alias ca_server
-file server.crt
And then on the server:
keytool -keystore server-trust -trustcacerts -import -alias ca_client -file
client.crt
Machines reboot.
After running the client, the code does not work; I get a HANDSHAKE ERROR
on the client:
---
javax.net.ssl.SSLHandshakeException: [Security:090497]HANDSHAKE_FAILURE
alert received from client.name.com - 111.111.111.111. Check both sides of
the SSL configuration for mismatches in supported ciphers, supported
protocol versions, trusted CAs, and hostname verification settings.
---
I have enabled SSL debugging on the server and it says:
----
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Filtering JSSE
SSLSocket>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLIOContextTable.addContext(ctx): 23386952>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <SSLSocket will be
Muxing>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLIOContextTable.findContext(is): 7898079>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLFilter.isActivated: false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <isMuxerActivated:
false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLFilter.isActivated: false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 readRecord()>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 SSL
Version 2 with no padding>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 SSL3/TLS MAC>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 received
SSL_20_RECORD>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE:
ClientHelloV2>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write HANDSHAKE
offset = 0 length = 58>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write HANDSHAKE
offset = 0 length = 475>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Converting
principal: CN=client.name.com, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xx>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write HANDSHAKE
offset = 0 length = 128>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write HANDSHAKE
offset = 0 length = 4>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLFilter.isActivated: false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <isMuxerActivated:
false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLFilter.isActivated: false>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 readRecord()>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 SSL3/TLS MAC>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <14411981 received
HANDSHAKE>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE:
Certificate>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <validationCallback:
validateErr = 16>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Required peer
certificates not supplied by peer>
<Sep 12, 2003 11:40:54 AM MEST> <Warning> <Security> <BEA-090508>
<Certificate chain received from client.name.com - 111.111.111.111 was
incomplete.>
<Sep 12, 2003 11:40:54 AM MEST> <Warning> <Security> <BEA-090477>
<Certificate chain received from client.name.com - 111.111.111.111 was not
trusted causing SSL handshake failure.>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Validation error = 20>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Certificate chain
is incomplete>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Certificate chain
is untrusted>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <User defined JSSE
trustmanagers not allowed to override>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <SSLTrustValidator
returns: 84>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <Trust failure (84):
CERT_CHAIN_INCOMPLETE CERT_CHAIN_UNTRUSTED>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <NEW ALERT:
com.certicom.tls.record.alert.Alert@81ad8f Severity: 2 Type: 40
java.lang.Throwable: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at
com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at
com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown
Source)
at
com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown
Source)
at
com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown
Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at
com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at
com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
at
com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source)
at
weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <write ALERT offset
= 0 length = 2>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000> <close(): 14411981>
<Sep 12, 2003 11:40:54 AM MEST> <Debug> <TLS> <000000>
<SSLIOContextTable.removeContext(ctx): 23386952>
----
I suspect something is missing in the client certificate, leading to the server
not trusting it. But the server loaded the trust keystore successfully:
--
<Sep 12, 2003 11:38:45 AM MEST> <Notice> <Security> <BEA-090169> <Loading
trusted certificates from the jks keystore file /path/to/client-trust.>
<Sep 12, 2003 11:38:45 AM MEST> <Debug> <TLS> <000000> <Trusted CA: [
[
Version: V1
Subject: CN=client.name.com, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xx
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffe56
Validity: [From: Thu Sep 11 22:28:35 MEST 2003,
To: Wed Dec 10 21:28:35 MET 2003]
Issuer: CN=client.name.com, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xx
SerialNumber: [ 3f60daf3]
]
Algorithm: [MD5withRSA]
Signature:
0000: 24 BB BE D3 C4 F7 BB B5 C5 E0 43 F0 B6 AD AD 5C $.........C....\
0010: 2D 92 CD 85 9F 9A A1 E1 2E A9 A6 CE CB A7 7C B2 -...............
0020: 63 18 84 B0 70 59 ED A5 43 79 EE 9D 70 34 D9 FF c...pY..Cy..p4..
0030: B0 43 FA 42 05 33 DE 27 E1 96 91 2C 38 1D C1 A3 .C.B.3.'...,8...
]>
<Sep 12, 2003 11:38:45 AM MEST> <Debug> <TLS> <000000> <SSLManager: loaded
1 trusted CAs from /path/to/client-trust>
--
What am I doing wrong??
Help strongly appreciated!
Primoz
Pavel.
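Added example, not code from the original post: the plain JSSE way to make an HttpsURLConnection present a client certificate without any WebLogic-specific classes. A bare HttpURLConnection has no key manager unless the javax.net.ssl.keyStore system properties are set, so when the server demands a client certificate there is nothing to send, which is exactly what "Required peer certificates not supplied by peer" reports. Keystore passwords, the port 7002 and the URL are assumed values.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsCheck {
    // Builds an SSLContext that both presents the client's own certificate
    // (from client-keys) and trusts the server's certificate (from client-trust).
    static SSLContext buildContext(String keyStorePath, char[] keyPass,
                                   String trustStorePath, char[] trustPass) throws Exception {
        KeyStore keys = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            keys.load(in, keyPass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass);   // private key + cert under the 'client' alias

        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);           // trusts server.crt imported as 'ca_server'

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed passwords; in practice read them from configuration, not source.
        SSLContext ctx = buildContext("client-keys", "changeit".toCharArray(),
                                      "client-trust", "changeit".toCharArray());
        URL url = new URL("https://server.name.com:7002/");   // assumed host/port
        HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());
        // Default hostname verification stays on: the server cert CN must
        // match the host in the URL, so keep the CN equal to the DNS name.
        System.out.println(con.getResponseCode() + ": " + con.getResponseMessage());
        con.disconnect();
    }
}
```

If the handshake still fails with the same server-side warnings, the server's SSL debug log will show whether a Certificate message with a non-empty chain now arrives, which separates "no cert sent" from "cert sent but not trusted".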