SSL client authentication fails with stand alone play-ws


David Ruescas
Jan 27, 2017, 5:22:02 PM
to Play Framework
I'm testing 2-way SSL with play-ws with a simple program that connects to an nginx server


Client authentication fails with this message

400 Bad Request
No required SSL certificate was sent

My application.conf has specified both a trust store and a keystore:


I have tested this with a low level java client that uses the same trust store and keystores:


and it works. I've also tested it with curl using the --cert option to specify a client key and it also works.

I've tried debugging the ssl output of the play-ws code and found that the client key is being loaded correctly:

***
found key for : 1
chain [0] = [
[
  Version: V1
  Subject: CN=Client, OU=Client, O=Client, L=Madrid, ST=Madrid, C=ES
  ...
  Validity: [From: Fri Jan 27 15:09:51 CET 2017,
               To: Sat Jan 27 15:09:51 CET 2018]
  Issuer: CN=CA, OU=CA, O=The CA, L=Madrid, ST=Madrid, C=ES
...

and that the issuer of this client key matches the certificate requested by the server for client authentication:

*** CertificateRequest
...
Cert Authorities:
<CN=CA, OU=CA, O=The CA, L=Madrid, ST=Madrid, C=ES>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***

but as you can see there is no client certificate found, even though the trace above shows that the required certificate was in fact loaded.

A speculative explanation would be that somehow play-ws is using different keystores when loading my client certificate and later when
talking to the server, and the latter is empty. Let me know if I should file this as an issue.

Regards,

David



Will Sargent
Jan 27, 2017, 7:22:32 PM
to play-fr...@googlegroups.com
If you call the factory method:

 val wsClient = AhcWSClient()


then it will call SystemConfiguration() for you, which sets up the SSL:


--
Will Sargent
Engineer, Lightbend, Inc.


--
You received this message because you are subscribed to the Google Groups "Play Framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to play-framework+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/play-framework/0bab5228-3e6c-4cac-8c4f-c2254837ce13%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Will Sargent
Jan 27, 2017, 7:26:47 PM
to play-fr...@googlegroups.com
Okay, the first example incorrectly uses new AhcWSClient(), and doesn't call SystemConfiguration().  Fixed.

--
Will Sargent
Engineer, Lightbend, Inc.


David Ruescas
Jan 27, 2017, 8:28:40 PM
to Play Framework

Hello, thanks for your help.


On Saturday, January 28, 2017 at 1:22:32 AM UTC+1, Will Sargent wrote:
If you call the factory method:

 val wsClient = AhcWSClient()


then it will call SystemConfiguration() for you, which sets up the SSL:



Changing 

val wsClient = new AhcWSClient(ahcConfig)(materializer)

to

val wsClient = AhcWSClient(ahcConfig)(materializer)

has no effect, the behaviour is the same. Furthermore I've noticed that the non-factory method (new Ahc...) is picking up SSL settings,
because my keys are being loaded as shown in the log, and the behaviour is sensitive to other changes (for example loose.acceptAnyCertificate).

What fixed the problem is setting:

loose.acceptAnyCertificate=false

I had set this to true to disable hostname verification for quick testing with self signed certificates. 

For some reason having this to true prevents client authentication from working. This was not clear to me from the documentation.
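The configuration that resolves the problem described in this thread, written out as an added example: this is not the poster's application.conf (that file is not shown on the page), and the store paths, passwords and JKS store type are placeholders. It keeps the key store and trust store the poster already had, sets the `loose.acceptAnyCertificate` flag to false as found above, and uses `play.ws.ssl.loose.disableHostnameVerification` for the one thing the poster actually wanted to relax during testing.

```hocon
# Added example: a play-ws client configured for mutual TLS against a test server.
# Not the poster's application.conf; paths, passwords and the JKS type are placeholders.
play.ws.ssl {

  # Client identity presented during the TLS handshake. The server's
  # CertificateRequest lists the CAs it accepts (CN=CA, O=The CA in the trace);
  # the certificate in this store must chain to one of them.
  keyManager {
    stores = [
      { type = "JKS", path = "conf/client.jks", password = "changeit" }
    ]
  }

  # CA (or self-signed server certificate) used to verify the server.
  # Importing the test CA here is what makes a self-signed setup work;
  # no "accept anything" switch is needed for that.
  trustManager {
    stores = [
      { type = "JKS", path = "conf/truststore.jks", password = "changeit" }
    ]
  }

  loose {
    # The setting that broke client authentication in the thread. Keep it false:
    # with it set to true the client finished the handshake with an empty
    # certificate chain even though the key had been loaded. It also disables
    # server certificate validation entirely, so it is never a substitute for
    # turning off hostname checking alone.
    acceptAnyCertificate = false

    # If the test server's certificate does not match the hostname you connect
    # to, relax only hostname verification, and only for local testing.
    disableHostnameVerification = true
  }
}
```

To confirm the client certificate is actually sent, run the client with the JVM handshake trace (`-Djavax.net.debug=ssl:handshake`, the same output shown in the first post) and check that the `*** Certificate chain` block following the server's `CertificateRequest` is no longer `<Empty>`. Remove `disableHostnameVerification` before the client talks to anything other than a local test server.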


 