cxf-issues mailing list archives

From "Andrei Shakirin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-5652) WebClient with SSL: javax.net.ssl.SSLHandshakeException handshake_failure
Date Sat, 19 Jul 2014 18:43:38 GMT

[ https://issues.apache.org/jira/browse/CXF-5652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14067629#comment-14067629 ]

Andrei Shakirin commented on CXF-5652:
--------------------------------------

Hi Vjacheslav,
I think I found the reason for the problem with JVM parameters. CXF also uses URL.openConnection()
to get HttpsUrlConnection. However, CXF additionally creates an SSLContext and wraps its socketFactory
to enable certain cipher suites. This socket factory will be set into HttpsURLConnection.setSSLSocketFactory().
See https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
for details.
Here is the problem: if the keyManager and trustManager are not provided, the SSLContext will
be initialized as context.init(null, null, null). In this case the error "fatal error: 42:
null cert chain" occurs even if the JVM keyStore and trustStore properties are set.
If you don't set the socketFactory in HttpsURLConnection at all, or properly initialize the SSLContext
with keyManager and trustManager, the client authentication scenario works.
I have reproduced that in a simple test case based on URL.getConnection() (attached). If you
uncomment the line "context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);" and comment out
"context.init(null, null, null);", the client authentication scenario works. Otherwise the server
sends the mentioned error 42 even with the JVM properties (but both options work if client authentication
is deactivated). Could you please check it in your environment?
Regarding the solution: I think we can check if keyManagers and trustManagers are null and initialize
them from the JVM properties (if they are set). This will fix the client authentication scenario with
JVM properties. However, I don't think that it helps with the instability problem you mentioned;
I am afraid further analysis will be necessary here.

Regards,
Andrei.
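As an added illustration of the approach proposed in the comment (not CXF's own code, and not the attached test case), the hypothetical helper below fills in missing key and trust managers from the standard javax.net.ssl.* system properties before calling SSLContext.init, instead of passing (null, null, null) and thereby discarding the JVM-configured client certificate:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public final class JvmPropertySslContext {
    // Hypothetical helper (not part of CXF): supplies managers from the
    // javax.net.ssl.* system properties when the caller configured none,
    // so client authentication keeps working with -Djavax.net.ssl.keyStore.
    public static SSLContext build(KeyManager[] kms, TrustManager[] tms)
            throws GeneralSecurityException, IOException {
        if (kms == null) {
            String path = System.getProperty("javax.net.ssl.keyStore");
            if (path != null) {
                // Client certificate: SunJSSE reads this property only for the
                // default context, so an explicit context must load it by hand.
                char[] pw = toChars(System.getProperty("javax.net.ssl.keyStorePassword"));
                KeyStore ks = KeyStore.getInstance(System.getProperty(
                        "javax.net.ssl.keyStoreType", KeyStore.getDefaultType()));
                try (FileInputStream in = new FileInputStream(path)) {
                    ks.load(in, pw);
                }
                KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                        KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(ks, pw);
                kms = kmf.getKeyManagers();
            }
        }
        if (tms == null) {
            // Trust store: init(null) makes the JDK factory consult
            // javax.net.ssl.trustStore itself, falling back to cacerts.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            tms = tmf.getTrustManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tms, null);
        return ctx;
    }

    private static char[] toChars(String s) {
        return s == null ? null : s.toCharArray();
    }
}
```

A context built this way can be handed to HttpsURLConnection.setSSLSocketFactory(ctx.getSocketFactory()); if neither managers nor properties are present, the resulting context behaves exactly like init(null, null, null), so the check is only a fallback and does not replace explicit configuration.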

> WebClient with SSL: javax.net.ssl.SSLHandshakeException handshake_failure
> -------------------------------------------------------------------------
>
>                 Key: CXF-5652
>                 URL: https://issues.apache.org/jira/browse/CXF-5652
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS
>    Affects Versions: 3.0.0-milestone2
>            Reporter: Vjacheslav Borisov
>            Assignee: Andrei Shakirin
>            Priority: Minor
>
> I got an error when using WebClient with SSL using a client certificate:
> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
> I found a way to fix this error:
>             KeyStore keyStore = KeyStore.getInstance("JKS");
>             String trustpass = "chageit";
>             File truststore = new File("/home/slavb/.java/deployment/security/trusted.clientcerts");
>             keyStore.load(new FileInputStream(truststore), trustpass.toCharArray());
>             KeyStore ts = KeyStore.getInstance("JKS");
>             truststore = new File("/etc/ssl/certs/trusted.cacerts");
>             ts.load(new FileInputStream(truststore), "".toCharArray());
>             Client client = ClientBuilder.newBuilder().keyStore(keyStore, trustpass).
>                     trustStore(ts).build();
> And I have a question: why is WebClient not working like the URLConnection embedded in Java or
> Apache HTTP client when I specify the system properties
> -Djavax.net.ssl.trustStore=/etc/ssl/certs/trusted.cacerts 
> -Djavax.net.ssl.keyStore=/home/slavb/.java/deployment/security/trusted.clientcerts 
> -Djavax.net.ssl.keyStorePassword=changeit
> (I got the error javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure when using the SSL web client)
> Why is it necessary to configure SSL in code?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
