SSL Client Cert Authentication


victo...@gmail.com

Mar 24, 2015, 4:35:15 PM
to membrane...@googlegroups.com
Hi, 

I'm trying to set up SSL with client certificate authentication, here is my ssl tag in proxy.xml:

<ssl clientAuth="need" >
    <keystore location="keystore.jks" password="changeit" keyPassword="" />
    <truststore location="truststore.jks" password="changeit" />
</ssl>

Somehow I always get this error: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

NOTE:
1) I have tested the link without the client-cert-auth with just the <truststore > tag and the connection works fine.
2) The keystore.jks file contains only 1 cert with no password set and that cert is deployed to the server for client-auth purpose.

I couldn't find any doc on the <keystore> tag; shouldn't it have a property "alias" to indicate which cert to use? Please help...

thanks in advance...


Thomas Bayer

Mar 24, 2015, 5:46:21 PM
to membrane...@googlegroups.com
Hi,
add the VM parameter:

-Djavax.net.debug=all

to your service-proxy.sh or bat. Try it again and analyse the log file. There you shall find the truth.

Cheers,
Thomas


On 24.03.15 at 21:35, victo...@gmail.com wrote:

victo...@gmail.com

Mar 25, 2015, 11:30:15 AM
to membrane...@googlegroups.com
Turned on the log, and the truth is that the server hello is done without error, and SSL started the ClientKeyExchange:
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1

However, during the exchange the client cert somehow ends up with a bad_cert error:
RouterThread /137.15.139.181:59221, READ: TLSv1 Alert, length = 2
RouterThread /137.15.139.181:59221, RECV TLSv1 ALERT:  fatal, bad_certificate
%% Invalidated:  [Session-50, TLS_RSA_WITH_AES_128_CBC_SHA]

My question is how to set up the <SSL> tag to use a proper keystore with a proper cert. Should I just generate a cert and store it in the keystore.jks file with any alias? Do I need to store the server cert in the same file as well? How would the <keystore> tag know which cert to use if keystore.jks contains more than 1 cert?

Please, if possible, give us an example of how to use <ssl clientAuth="need" >?

Thanks again! 

victo...@gmail.com

Mar 25, 2015, 11:54:42 AM
to membrane...@googlegroups.com, victo...@gmail.com
I guess I narrowed down the issue, as I found the following:

*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1

After the ServerHelloDone, the client certificate chain is blank, which means the client (Membrane) doesn't send out any certificate, right? Here is my configuration in proxy.xml; is there anything wrong?
<ssl clientAuth="need" >
    <keystore location="keystore.jks" password="changeit" />
    <truststore location="truststore.jks" password="changeit" />
</ssl>
Note that we store the self-signed server cert in the truststore.jks and the client cert in the keystore.jks file.
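Turning the reading of the trace above into a repeatable check, as an added example that is not from this thread or from the Membrane project: a small Python analyzer over javax.net.debug output that flags a client certificate chain that is empty after ServerHelloDone and pairs it with the fatal alert the server sends back. The sample trace is constructed from the lines quoted in this thread; the CertificateRequest line is assumed, since the server only asks for a client certificate when it sends one.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample built from the javax.net.debug lines quoted in this thread (a real trace has many more lines).
FAILED_HANDSHAKE = """\
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
RouterThread /137.15.139.181:59221, READ: TLSv1 Alert, length = 2
RouterThread /137.15.139.181:59221, RECV TLSv1 ALERT:  fatal, bad_certificate
"""
ALERT_RE = re.compile(r"\b(RECV|SEND)\s+\S+\s+ALERT:\s+(\w+),\s+(\w+)")

@dataclass
class HandshakeReport:
    cert_requested: bool = False             # server sent CertificateRequest
    client_chain_len: Optional[int] = None   # certs the client sent after ServerHelloDone
    alerts: List[Tuple[str, str, str]] = field(default_factory=list)  # (direction, level, description)

def analyze_jsse_log(text: str) -> HandshakeReport:
    # Walk the JSSE trace: only a "Certificate chain" block after ServerHelloDone is the client's own chain.
    report, lines = HandshakeReport(), [l.strip() for l in text.splitlines()]
    past_server_hello_done, i = False, 0
    while i < len(lines):
        line = lines[i]
        if line == "*** CertificateRequest":
            report.cert_requested = True
        elif line == "*** ServerHelloDone":
            past_server_hello_done = True
        elif line == "*** Certificate chain" and past_server_hello_done:
            # The chain block ends at a bare "***"; each certificate starts with "chain [n] = [".
            n, i = 0, i + 1
            while i < len(lines) and lines[i] != "***":
                n += lines[i].startswith("chain [")
                i += 1
            report.client_chain_len = n
        m = ALERT_RE.search(line)
        if m:
            report.alerts.append((m.group(1), m.group(2), m.group(3)))
        i += 1
    return report

def diagnose(report: HandshakeReport) -> str:
    fatal = [a for a in report.alerts if a[1] == "fatal"]
    if report.cert_requested and report.client_chain_len == 0:
        return ("client sent an empty certificate chain: keystore has no PrivateKeyEntry "
                "(private key + cert) acceptable to the CAs named in CertificateRequest")
    if fatal:
        return "handshake aborted by %s alert %s" % (fatal[0][0], fatal[0][2])
    return "ok" if report.client_chain_len else "no client certificate requested"
```

A JSSE client only presents certificates from keystore entries that carry a private key, so an empty chain right after CertificateRequest points at the keystore contents rather than at the truststore.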

sudes...@gmail.com

Dec 23, 2019, 12:52:27 AM
to membrane-monitor
Any update for this? I'm observing the same error, where I encounter unknown_certificate and could see the server responding with a certificate.