hc-dev mailing list archives

From "Jesus M. Salvo Jr." <jesus.sa...@migasia.com>
Subject Re: client certs - how to choose which cert to use?
Date Tue, 25 May 2004 05:58:22 GMT

1) It looks like the server cert is a self-signed certificate:

     Issuer: EMAILADDRESS=tim.wild@solnetsolutions.co.nz, CN=Tims CA, OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ
     SerialNumber: [    01]

You have to add their server certificate into your cacerts file to "trust" them:

    keytool -import -trustcacerts -keystore <path>/cacerts -file <servercert> -alias <alias_you_define>


2) You need the debug output much earlier than the one below to prove to 
yourself that your keystore is being loaded.
Here's what I get ( JDK 1.4.2_04 on Solaris8 ):


keyStore is : /export/livedata/GW-soft2/allClientCerts.jks
keyStore type is : JKS
init keystore
init keymanager of type SunX509
***
found key for : eis preconfig 37's telstra research laboratories id
chain [0] = [
[
  Version: V1
  Subject: SERIALNUMBER=38895284 + CN=EIS Preconfig 37 + EMAILADDRESS=Preconfig37@es.telstra.com, DNQ=TRL Demo Customer, C=AU
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

< ..... snip ..... >

***
***
found key for : 2
chain [0] = [
[
  Version: V1
  Subject: CN=smsoar_10073_default, OU=customers, O=smsoar, C=gb
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

< ..... snip ..... >

***
***
found key for : 1
chain [0] = [
[
  Version: V1
  Subject: CN=smsoar_10091_default, OU=customers, O=smsoar, C=gb
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

< ..... snip ..... >

***
***
found key for : mykey
chain [0] = [
[
  Version: V1
  Subject: CN=Jesus M. Salvo Jr., OU=IT, O=Mobile Internet Group Pty. Ltd., L=North Sydney, ST=NSW, C=AU
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

< ..... snip ..... >

***
trustStore is: /usr/j2sdk1.4.2_04/jre/lib/security/cacerts
trustStore type is : jks
init truststore
adding as trusted cert:


John



Tim Wild wrote:

> I'm using JDK 1.4.2. I turned debug on, and I can see the server cert 
> and my CA cert being sent to the client, but it doesn't look like a 
> client cert is being presented.
>
> The output is quite verbose, but I've included it in case you can see 
> anything obvious in it. I've removed most of the hex output from it to 
> make it shorter. I've included the 3 lines from my sample program too.
>
>        HttpClient httpclient = new HttpClient();
>        GetMethod httpget = new GetMethod("https://machinename//index.txt");
>        httpclient.executeMethod(httpget);
>
> jdk1.4.2_03\bin\javaw.exe -Djava.net.ssl.keyStore=C:/Projects/.keystore -Djava.net.ssl.keyStorePassword=password -Djava.net.ssl.keyStoreType=JKS -Djavax.net.debug=all Test1
>
> trigger seeding of SecureRandom
> done seeding SecureRandom
> setSoTimeout(0) called
> %% No cached client session
> *** ClientHello, TLSv1
> RandomCookie:  GMT: 1068619367 bytes = { 30, 135, 31, 112, 113, 241, 
> 134, 95, 221, 9, 63, 21, 239, 194, 9, 35, 19, 150, 248, 155, 245, 153, 
> 87, 0, 79, 1, 104, 176 }
> Session ID:  {}
> Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, 
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, 
> SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, 
> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
> Compression Methods:  { 0 }
> ***
> [write] MD5 and SHA1 hashes:  len = 73
> (snip)
> main, WRITE: TLSv1 Handshake, length = 73
> [write] MD5 and SHA1 hashes:  len = 98
> (snip)
> main, WRITE: SSLv2 client hello message, length = 98
> main, READ: TLSv1 Handshake, length = 42
> *** ServerHello, TLSv1
> RandomCookie:  GMT: 1068619367 bytes = { 250, 109, 255, 201, 149, 191, 
> 165, 33, 170, 225, 228, 40, 2, 162, 137, 105, 20, 252, 215, 176, 14, 
> 151, 188, 86, 69, 242, 205, 223 }
> Session ID:  {}
> Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
> Compression Method: 0
> ***
> %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> ** SSL_RSA_WITH_RC4_128_MD5
> [read] MD5 and SHA1 hashes:  len = 42
> 0000: 02 00 00 26 03 01 40 B2   D6 67 FA 6D FF C9 95 BF  ...&..@..g.m....
> 0010: A5 21 AA E1 E4 28 02 A2   89 69 14 FC D7 B0 0E 97  .!...(...i......
> 0020: BC 56 45 F2 CD DF 00 00   04 00                    .VE.......
> main, READ: TLSv1 Handshake, length = 1909
> *** Certificate chain
> chain [0] = [
> [
>  Version: V3
>  Subject: EMAILADDRESS=tim.wild@solnetsolutions.co.nz, 
> CN=wlg-dev-dsk04, OU=Development, O=SolNet Solutions Ltd, C=NZ
>  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
>
>  Key:  SunJSSE RSA public key:
>  public exponent:
>    010001
>  modulus:
> (snip)
>  Validity: [From: Wed May 19 13:44:25 NZST 2004,
>               To: Thu May 19 13:44:25 NZST 2005]
>  Issuer: EMAILADDRESS=tim.wild@solnetsolutions.co.nz, CN=Tims CA, 
> OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ
>  SerialNumber: [    01]
>
> Certificate Extensions: 4
> [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
> Extension unknown: DER encoded OCTET string =
> 0000: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  ....OpenSSL Gene
> 0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
> 0020: 65                                                 e
>
>
> [2]: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 52 CD DC EF 82 3F C7 B5   04 09 F9 8E 2E 3A 97 B6  R....?.......:..
> 0010: EA 91 AD 5F                                        ..._
> ]
> ]
>
> [3]: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: EF 18 F6 1E F7 5D 25 86   B5 D6 C6 F9 C5 C5 82 B6  .....]%.........
> 0010: 4B 2C DB 84                                        K,..
> ]
>
> [EMAILADDRESS=tim.wild@solnetsolutions.co.nz, CN=Tims CA, 
> OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ]
> SerialNumber: [    00]
> ]
>
> [4]: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
> CA:false
> PathLen: undefined
> ]
>
> ]
>  Algorithm: [MD5withRSA]
>  Signature:
> (snip)
>
> ]
> chain [1] = [
> [
>  Version: V3
>  Subject: EMAILADDRESS=tim.wild@solnetsolutions.co.nz, CN=Tims CA, 
> OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ
>  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
>
>  Key:  SunJSSE RSA public key:
>  public exponent:
>    010001
>  modulus:
>    be28a824 de59b306 167821cf 7228e2fd c3914df8 6021cf0d 0673198a 
> 6a13ad71
>    504e0337 68d5e451 71455a1f f4cd4b22 6d26af58 8b844eb7 0f1a352b 
> f44be9ad
>    efb5b6e6 b464465b 9ff60a29 9b3ad451 daa9a45b ed2531e7 66a73e97 
> fe1e4c8c
>    75e193b8 cad32073 eb44741d fe3cf347 df3d4e2b 7cb08efb 9e5c885c 
> 73f51219
>  Validity: [From: Wed May 19 13:28:22 NZST 2004,
>               To: Thu May 19 13:28:22 NZST 2005]
>  Issuer: EMAILADDRESS=tim.wild@solnetsolutions.co.nz, CN=Tims CA, 
> OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ
>  SerialNumber: [    00]
>
> Certificate Extensions: 3
> [1]: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: EF 18 F6 1E F7 5D 25 86   B5 D6 C6 F9 C5 C5 82 B6  .....]%.........
> 0010: 4B 2C DB 84                                        K,..
> ]
> ]
>
> [2]: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: EF 18 F6 1E F7 5D 25 86   B5 D6 C6 F9 C5 C5 82 B6  .....]%.........
> 0010: 4B 2C DB 84                                        K,..
> ]
>
> [EMAILADDRESS=tim.wild@solnetsolutions.co.nz, CN=Tims CA, 
> OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ]
> SerialNumber: [    00]
> ]
>
> [3]: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
> CA:true
> PathLen:2147483647
> ]
>
> ]
>  Algorithm: [MD5withRSA]
>  Signature:
> (snip)
>
> ]
> ***
> [read] MD5 and SHA1 hashes:  len = 1909
> 0000: 0B 00 07 71 00 07 6E 00   03 C3 30 82 03 BF 30 82  ...q..n...0...0.
> (snip)
> 0760: 73 6B AC 6F 75 C5 A2 31   DF 0C 70 42 2F 97 54 A2  sk.ou..1..pB/.T.
> 0770: AB 43 DA 01 19                                     .C...
> main, READ: TLSv1 Handshake, length = 170
> *** CertificateRequest
> Cert Types: RSA, DSS,
> Cert Authorities:
> <EMAILADDRESS=tim.wild@solnetsolutions.co.nz, CN=Tims CA, 
> OU=Development, O=SolNet Solutions Ltd, L=Wellington, C=NZ>
> [read] MD5 and SHA1 hashes:  len = 166
> 0000: 0D 00 00 A2 02 01 02 00   9D 00 9B 30 81 98 31 0B  ...........0..1.
> (snip)
> 0070: 54 69 6D 73 20 43 41 31   2D 30 2B 06 09 2A 86 48  Tims CA1-0+..*.H
> 0080: 86 F7 0D 01 09 01 16 1E   74 69 6D 2E 77 69 6C 64  ........tim.wild
> 0090: 40 73 6F 6C 6E 65 74 73   6F 6C 75 74 69 6F 6E 73  @solnetsolutions
> 00A0: 2E 63 6F 2E 6E 7A                                  .co.nz
> *** ServerHelloDone
> [read] MD5 and SHA1 hashes:  len = 4
> 0000: 0E 00 00 00                                        ....
> *** Certificate chain
> ***
> JsseJCE: Using JSSE internal implementation for cipher 
> RSA/ECB/PKCS1Padding
> *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
> Random Secret:  { 3, 1, 19, 49, 122, 163, 243, 76, 221, 155, 77, 25, 
> 251, 230, 32, 148, 220, 73, 203, 245, 7, 152, 212, 104, 4, 216, 178, 
> 106, 73, 230, 196, 226, 151, 60, 25, 216, 247, 114, 33, 105, 73, 45, 
> 97, 127, 109, 247, 100, 64 }
> [write] MD5 and SHA1 hashes:  len = 141
> (snip)
> main, WRITE: TLSv1 Handshake, length = 141
> SESSION KEYGEN:
> PreMaster Secret:
> (snip)
> CONNECTION KEYGEN:
> Client Nonce:
> 0000: 40 B2 D6 67 1E 87 1F 70   71 F1 86 5F DD 09 3F 15  @..g...pq.._..?.
> 0010: EF C2 09 23 13 96 F8 9B   F5 99 57 00 4F 01 68 B0  ...#......W.O.h.
> Server Nonce:
> 0000: 40 B2 D6 67 FA 6D FF C9   95 BF A5 21 AA E1 E4 28  @..g.m.....!...(
> 0010: 02 A2 89 69 14 FC D7 B0   0E 97 BC 56 45 F2 CD DF  ...i.......VE...
> Master Secret:
> 0000: 4E A0 E3 58 14 B8 2B 72   A4 19 DB DC FE A2 5B 36  N..X..+r......[6
> 0010: 1E 7C A3 2C 1C 77 18 A4   F1 69 EA 38 1A 18 4B 6D  ...,.w...i.8..Km
> 0020: F9 09 DE F7 7B 30 00 77   AE F3 84 5F 65 9E 82 CB  .....0.w..._e...
> Client MAC write Secret:
> 0000: 1E BD 25 C5 56 1F 27 D0   4E 38 6F FF F7 0E 39 76  ..%.V.'.N8o...9v
> Server MAC write Secret:
> 0000: AF 6C F6 1B C8 DA FD 08   D1 38 66 0E 79 B9 67 EE  .l.......8f.y.g.
> Client write key:
> 0000: 1C D8 F6 A3 37 25 4B 71   7B 00 30 1F A1 49 1F 95  ....7%Kq..0..I..
> Server write key:
> 0000: ED 7D 46 D3 BF A7 2D 72   00 E7 FE 52 0A CF 9D 15  ..F...-r...R....
> ... no IV for cipher
> main, WRITE: TLSv1 Change Cipher Spec, length = 1
> JsseJCE: Using JSSE internal implementation for cipher RC4
> *** Finished
> verify_data:  { 92, 132, 157, 55, 235, 50, 252, 229, 185, 29, 124, 106 }
> ***
> [write] MD5 and SHA1 hashes:  len = 16
> 0000: 14 00 00 0C 5C 84 9D 37   EB 32 FC E5 B9 1D 7C 6A  ....\..7.2.....j
> Plaintext before ENCRYPTION:  len = 32
> 0000: 14 00 00 0C 5C 84 9D 37   EB 32 FC E5 B9 1D 7C 6A  ....\..7.2.....j
> 0010: BE 03 CD 88 09 C8 C4 CD   A6 D3 70 A7 97 F3 64 C1  ..........p...d.
> main, WRITE: TLSv1 Handshake, length = 32
> main, READ: TLSv1 Alert, length = 2
> main, RECV TLSv1 ALERT:  fatal, handshake_failure
> main, called closeSocket()
> main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> main, called close()
> main, called closeInternal(true)
> main, called close()
> main, called closeInternal(true)
> main, called close()
> main, called closeInternal(true)
> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
>    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(DashoA6275)
>    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
>    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
>    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
>    at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1368)
>    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
>    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
>    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:799)
>    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2277)
>    at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2657)
>    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1093)
>    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:675)
>    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:529)
>    at Test1.testHttpClient(Test1.java:50)
>    at Test1.main(Test1.java:33)
> Process terminated with exit code 0
>
>
> Jesus M. Salvo Jr. wrote:
>
>>
>> Tim Wild wrote:
>>
>>> Thanks Jesus,
>>>
>>> I gave this a try, but I think I missed something, as it didn't work 
>>> - I got a SSLHandshakeException: with the message handshake_failure, 
>>> indicating that the client certificate hadn't been presented.
>>
>>
>>
>>
>> What JDK are you using ?
>> If you are using JDK 1.3, then you have to add 
>> java.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol to 
>> your system property
>> Also, add javax.net.debug=all to your system property so that at 
>> least you can see what's happening.
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: 
> commons-httpclient-dev-help@jakarta.apache.org
>
>
>


-- 
Jesus M. Salvo Jr.
Mobile Internet Group Pty Ltd
(formerly Softgame International Pty Ltd)
M: +61 409 126699
T: +61 2 94604777
F: +61 2 94603677

PGP Public key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0BA5348
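
Point 2 of the reply is about confirming that the keystore is loaded and holds a key the server will accept. The following is an added example for a current JDK, not code from this thread or from HttpClient: it loads the keystore named by the `javax.net.ssl.keyStore*` system properties (the names JSSE reads) and marks each key entry as a candidate when its key algorithm and chain issuer match a CertificateRequest like the one in the quoted debug output. The class name `ClientCertCheck` and its argument convention are assumptions, and the matching rule approximates the default SunX509 key manager rather than reproducing it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.security.auth.x500.X500Principal;

// Added example; ClientCertCheck is a hypothetical name, not part of JSSE or HttpClient.
public class ClientCertCheck {
    public static void main(String[] args) throws Exception {
        // The default JSSE key manager only reads these javax.net.ssl.* names.
        String path = System.getProperty("javax.net.ssl.keyStore");
        String pass = System.getProperty("javax.net.ssl.keyStorePassword", "");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        if (path == null || args.length != 1) {
            System.err.println("usage: java -Djavax.net.ssl.keyStore=<file> "
                + "-Djavax.net.ssl.keyStorePassword=<pw> ClientCertCheck \"<CA DN>\"");
            System.exit(2);
        }
        // args[0]: the DN listed under "Cert Authorities:" in the CertificateRequest.
        X500Principal requestedCa = new X500Principal(args[0]);
        // "Cert Types: RSA, DSS" maps to these public key algorithm names.
        List<String> keyTypes = Arrays.asList("RSA", "DSA");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        int candidates = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            // Trusted-certificate entries have no private key and cannot authenticate.
            if (!ks.isKeyEntry(alias) || chain == null || chain.length == 0) continue;
            String alg = chain[0].getPublicKey().getAlgorithm();
            boolean issuerMatch = false;
            for (Certificate c : chain) {
                issuerMatch |= ((X509Certificate) c).getIssuerX500Principal().equals(requestedCa);
            }
            boolean ok = keyTypes.contains(alg) && issuerMatch;
            if (ok) candidates++;
            System.out.printf("%s: key=%s leafIssuer=\"%s\" -> %s%n", alias, alg,
                ((X509Certificate) chain[0]).getIssuerX500Principal().getName(),
                ok ? "candidate" : "not offered");
        }
        System.out.println(candidates + " candidate key entries for " + requestedCa.getName());
    }
}
```

Zero candidates corresponds to the empty `*** Certificate chain` that the client writes after `ServerHelloDone` in the quoted output, which the server then answers with `handshake_failure`.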



