David David - 5 days ago 4
Java Question

Why is the client cert not sent during the SSL connection? CXF 2.7.9

Background

My application is deployed in JBoss 5 and communicates with a web service server which requires MASSL (2-way SSL).

Issue

Looking at the log of the SSL connection, the client cert is not sent even though it has been loaded at the beginning.

Log details are below; the client cert is supposed to be sent after ServerHelloDone.

[EDIT] Added more details based on reply

  1. Added CertificateRequest in log

  2. Client certificate actually matches the above request: (a) algorithm is RSA, (b) signed by one of the CAs specified in the request

Logs:

2016-11-25 09:32:38,434 INFO [STDOUT] (http-0.0.0.0-8080-4) keyStore is : /XX/XX/my.jks
2016-11-25 09:32:38,434 INFO [STDOUT] (http-0.0.0.0-8080-4) keyStore type is : jks
2016-11-25 09:32:38,434 INFO [STDOUT] (http-0.0.0.0-8080-4) keyStore provider is :
2016-11-25 09:32:38,434 INFO [STDOUT] (http-0.0.0.0-8080-4) init keystore
2016-11-25 09:32:38,440 INFO [STDOUT] (http-0.0.0.0-8080-4) init keymanager of type SunX509
2016-11-25 12:00:04,420 INFO [STDOUT] (http-0.0.0.0-8080-4) ***
2016-11-25 12:00:04,421 INFO [STDOUT] (http-0.0.0.0-8080-4) found key for : mykey
2016-11-25 12:00:04,432 INFO [STDOUT] (http-0.0.0.0-8080-4) chain [0] = [
[
Version: V3
Subject: CN=xx.xxx.xxx.com, OU=xxxxxxxx, O=xxxx, L=xxxx, ST=xxx, C=xx
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Issuer: CN=abc AD Object CA1, DC=core, DC=dir, DC=def, DC=com

...

2016-11-25 12:00:05,520 INFO [STDOUT] (http-0.0.0.0-8080-4) *** CertificateRequest
2016-11-25 12:00:05,521 INFO [STDOUT] (http-0.0.0.0-8080-4) Cert Types:
2016-11-25 12:00:05,521 INFO [STDOUT] (http-0.0.0.0-8080-4) RSA
2016-11-25 12:00:05,521 INFO [STDOUT] (http-0.0.0.0-8080-4) Cert Authorities:
2016-11-25 12:00:05,521 INFO [STDOUT] (http-0.0.0.0-8080-4) <CN=abc AD Object CA1, DC=core, DC=dir, DC=def, DC=com>
2016-11-25 12:00:05,521 INFO [STDOUT] (http-0.0.0.0-8080-4) <CN=abc Policy CA1, O=gh Corporation Limited>
2016-11-25 12:00:05,522 INFO [STDOUT] (http-0.0.0.0-8080-4) <CN=abc Root CA>

2016-11-25 09:32:39,475 INFO [STDOUT] (http-0.0.0.0-8080-4) *** ServerHelloDone
2016-11-25 09:32:39,475 INFO [STDOUT] (http-0.0.0.0-8080-4) *** Certificate chain
2016-11-25 09:32:39,475 INFO [STDOUT] (http-0.0.0.0-8080-4) ***
2016-11-25 09:32:39,482 INFO [STDOUT] (http-0.0.0.0-8080-4) *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
2016-11-25 09:32:39,482 INFO [STDOUT] (http-0.0.0.0-8080-4) http-0.0.0.0-8080-4, WRITE: TLSv1 Handshake, length = 269
2016-11-25 09:32:39,482 INFO [STDOUT] (http-0.0.0.0-8080-4) SESSION KEYGEN:
2016-11-25 09:32:39,483 INFO [STDOUT] (http-0.0.0.0-8080-4) PreMaster Secret:


Question

Am I missing something here?

Answer

For anyone who is having the same issue while using CXF (2.7.9), this is a dodgy issue that CXF introduces.

CXF doesn't pick up the keystore configured by the VM argument "-Djavax.net.ssl.keyStore", but has its own solution. See http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport
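The following is an added example, not code from the question, the answer or the CXF project. It shows the programmatic form of what the linked CXF page describes: building TLSClientParameters from a JKS keystore and attaching them to the HTTPConduit behind a JAX-WS proxy, which is what CXF 2.7.x uses in place of the javax.net.ssl.* system properties. It also includes a pre-flight check for the symptom in the question (a CertificateRequest followed by an empty Certificate message): the JDK's SunX509 key manager only offers a key entry whose chain carries an issuer named in the server's CertificateRequest, so the check compares the keystore entries against those CA names. The keystore paths, the truststore, the password "changeit", the alias handling and the `port` variable are assumptions; the CA names are copied from the question's log.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class MasslClientConfig {

    /** Loads a keystore of the given type from disk (path and password are assumptions). */
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Mirrors the selection rule of the SunX509 key manager: a key entry is offered to the
     * server only if some certificate in its chain was issued by one of the CAs listed in the
     * server's CertificateRequest. If nothing matches, the JDK sends an empty Certificate
     * message, which is what the question's log shows. Returns the alias that would be
     * selected, or null.
     */
    static String findAliasAcceptedBy(KeyStore ks, List<X500Principal> requestedCas) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            for (Certificate c : ks.getCertificateChain(alias)) {
                X500Principal issuer = ((X509Certificate) c).getIssuerX500Principal();
                if (requestedCas.contains(issuer)) {
                    return alias;
                }
            }
        }
        return null;
    }

    /** Builds the TLS parameters CXF consults instead of -Djavax.net.ssl.keyStore. */
    static TLSClientParameters buildTlsParameters(KeyStore identity, char[] keyPassword,
                                                  KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kmf.getKeyManagers());   // client identity for the 2-way handshake
        tls.setTrustManagers(tmf.getTrustManagers()); // CAs the server certificate must chain to
        tls.setDisableCNCheck(false);                 // keep hostname verification enabled
        return tls;
    }

    /** Attaches the parameters to the HTTP conduit behind a JAX-WS proxy. */
    static void applyTo(Object port, TLSClientParameters tls) {
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // assumed password
        KeyStore identity = loadKeyStore("/XX/XX/my.jks", "JKS", password);          // path from the question
        KeyStore trust = loadKeyStore("/XX/XX/truststore.jks", "JKS", password);     // assumed truststore

        // CA names copied from the CertificateRequest in the question's log
        List<X500Principal> requestedCas = Arrays.asList(
            new X500Principal("CN=abc AD Object CA1, DC=core, DC=dir, DC=def, DC=com"),
            new X500Principal("CN=abc Policy CA1, O=gh Corporation Limited"),
            new X500Principal("CN=abc Root CA"));

        String alias = findAliasAcceptedBy(identity, requestedCas);
        if (alias == null) {
            throw new IllegalStateException(
                "no key entry chains to a CA the server accepts; the handshake would send an empty Certificate");
        }
        System.out.println("client identity alias that will be offered: " + alias);

        TLSClientParameters tls = buildTlsParameters(identity, password, trust);
        // 'port' is the JAX-WS proxy obtained from the generated Service class (assumed):
        // applyTo(port, tls);
    }
}
```

Run the pre-flight check once against the same JKS the conduit will use: if it returns an alias but the handshake still shows an empty Certificate chain, the conduit is not using that keystore, which is the CXF configuration gap the answer points at; if it returns null, the keystore entry itself does not chain to a CA in the CertificateRequest and no CXF setting will change what the key manager offers.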
