java - Client authentication with HttpClient


I'm trying to implement client key authentication (with a self-signed CA).

The code looks like:

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Client key + certificate, loaded from the PKCS#12 file
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("client.p12"), "changeit".toCharArray());

SSLContext sslContext = SSLContexts.custom()
        // Don't do that, it's to simplify the example. Use a real truststore with the
        // real server certificate imported. Don't trust self-signed certificates.
        .loadTrustMaterial(null, new TrustSelfSignedStrategy())
        .loadKeyMaterial(keyStore, "changeit".toCharArray())
        .build();

SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
        sslContext,
        new String[] {"TLSv1.2", "TLSv1.1"},
        null,
        new NoopHostnameVerifier()
);

HttpClient httpClient = HttpClients.custom()
        .setSSLSocketFactory(socketFactory)
        .build();

With -Djavax.net.debug=all I can see that it correctly chooses the certificate; I see the signatures, I see the certificate request, there is an ECDHClientKeyExchange, etc. It all looks fine.

But anyway I'm getting the following response from nginx (with status 400):

<head><title>400 SSL certificate error</title></head>

Note: with an incorrect certificate/key, nginx drops the session without providing any details in the plain text response.

This client.p12 works from the command line, like:

$ curl -ivk --cert client.p12:changeit https://192.168.1.1
* Rebuilt URL to: https://192.168.1.1/
*   Trying 192.168.1.1...
* Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* Client certificate: client-es.certs.my
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate: server.certs.my
* Server certificate: ca.my
> GET / HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK

So the key is valid. Why doesn't it work in Java? Is there something I've missed in the Java SSL config?

The problem was that the client key included the signing certificates in the key chain: not only the client certificate (which is required for authentication), but the whole chain of certificates (without the keys of course, only the certificates).

It was:

> root CA cert -> client CA cert -> client key + cert

I guess Java uses the wrong certificate in this case, maybe the CA or the intermediate certificate.

Fixed by adding to the p12 (or keychain) only the client's key and certificate, without the intermediates.

It should not have the -certfile option (which I had before), only the client key/cert. The correct export command is:

openssl pkcs12 -export \
    -in client.crt -inkey client.key \
    -out client.p12

This client.p12 is then imported into the keychain:

keytool -importkeystore \
    -deststorepass changeit -destkeystore keystore \
    -srckeystore client.p12 -srcstoretype pkcs12 -srcstorepass changeit

And it worked fine with custom authentication.
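A diagnostic worth running before wading through -Djavax.net.debug output, added here as an example and not part of the question or the answer: it lists what client.p12 actually contains (private-key entries with their chain length versus bare trusted-certificate entries, which Java never presents as a client certificate) and asks the default X509KeyManager which alias it would hand to the server. It assumes the file name and password from the question and uses only the standard javax.net.ssl API, so no HttpClient is needed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

public class P12Inspector {
    // List every entry in the store and return how many of them are private-key entries.
    public static int inspect(KeyStore ks) throws Exception {
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                System.out.printf("KEY  %s: chain length %d, subject=%s%n", alias,
                        ks.getCertificateChain(alias).length, leaf.getSubjectX500Principal());
            } else {
                // Trusted-certificate entries are never offered as the client certificate.
                System.out.printf("CERT %s: subject=%s%n", alias, leaf.getSubjectX500Principal());
            }
        }
        return keyEntries;
    }

    // Ask the default X509KeyManager which alias it would present for the given issuers
    // (null = any issuer); a null result means Java has no usable client key at all.
    public static String chosenAlias(KeyStore ks, char[] password, Principal[] issuers) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return ((X509KeyManager) km).chooseClientAlias(new String[] {"EC", "RSA"}, issuers, null);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();   // assumed file name and password, as in the question
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("client.p12")) {
            ks.load(in, password);
        }
        int n = inspect(ks);
        System.out.printf("private-key entries: %d (expect 1); alias Java would present: %s%n", n, chosenAlias(ks, password, null));
    }
}
```

If the store shows CA certificates as separate entries, or more than one key entry, the client presents something other than the intended leaf; pass the issuer names from the server's CertificateRequest as the issuers argument to see whether any key entry matches them.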

