Hi all, I'm another poor poster stuck with the problem of setting up SSL client cert auth with SOAP :-( I'm using (almost literally) the example code previously posted on this list by Nathan Wray to set up a custom SSLSocketFactory (see below). When I run my client app with "-Djavax.net.debug=all" I can see that my SocketFactory seems to be unable to send its cert upon request of the server:
[...]
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
[...]

although I can see from debugging output, that the Certificate chain on the client side is set up correctly. If I use the same SSLSocketFactory-initialization-code with the "SSLSocketWithClientAuth"-example that comes with JSSE, output looks like the following:

[...]
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
matching client alias : kim
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=Kim Altintop, OU=SD, O=mbfp, C=DE
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@5ee671
  Validity: [From: Fri Jan 25 14:55:44 CET 2002,
               To: Thu Apr 25 15:55:44 CEST 2002]
  Issuer: CN=Kim Altintop, OU=SD, O=mbfp, C=DE
  SerialNumber: [    3c5163e0 ]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 63 9C 18 51 74 A3 24 0C   27 41 E4 D4 66 6A 97 A2  c..Qt.$.'A..fj..
0010: 95 89 FA A2 14 24 B3 8C   F5 7B D2 A4 DC 64 7E 88  .....$.......d..
0020: 47 3F EF A9 EF 7C 5B E0   AC 7B D1 45 C3 7A AF 1E  G?....[....E.z..
0030: 8A 18 31 B7 9C D9 23 B0   23 B6 79 C0 1F F8 AB 7E  ..1...#.#.y.....
0040: 22 35 81 19 66 E6 71 3A   A3 D2 15 CD D2 60 DF EA  "5..f.q:.....`..
0050: 86 99 85 B1 15 C6 5F 85   B7 C9 E5 CA 48 80 86 D4  ......_.....H...
0060: 80 8E 44 08 C3 BC 0D 30   52 28 5D B0 A1 A6 05 EB  ..D....0R(].....
0070: 27 DE C5 34 68 C1 79 6E   20 1F 98 21 14 00 9C 76  '..4h.yn ..!...v

]
***
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
[...]

So, what's going wrong? As far as I can see, the only difference between the apps is that I have to use "HttpsURLConnection.setDefaultSSLSocketFactory()" with the SOAP-client whereas the JSSE-example is creating the socket directly. Has anyone run into this before? I would greatly appreciate any hints...
[ for now, as I _CAN_ establish an SSL connection with only server-side cert auth, I can work with BASIC AUTH as the credentials are encrypted while travelling over the network - but this requires username/password to be hardcoded or at least stored somewhere on the machine I'm running the client. And I don't like that... ;-( ]

Best regards,
Kim

-- Here's the code I use in my SOAP client --

[ ... ]
// JSSE 1.0.x packages, matching the com.sun.net.ssl.internal.* handler and
// provider registered below (on JDK 1.4 and later these live in javax.net.ssl)
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import com.sun.net.ssl.HttpsURLConnection;
import com.sun.net.ssl.KeyManagerFactory;
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManagerFactory;
[ ... ]
try {
    // register the https protocol handler and the JSSE provider
    System.setProperty("java.protocol.handler.pkgs",
                       "com.sun.net.ssl.internal.www.protocol");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

    SSLContext ctx;
    KeyManagerFactory kmf;
    TrustManagerFactory tmf;
    KeyStore ks;
    char[] passphrase = "dirkdiggler".toCharArray();

    ctx = SSLContext.getInstance("TLS");
    kmf = KeyManagerFactory.getInstance("SunX509");
    ks = KeyStore.getInstance("JKS");
    tmf = TrustManagerFactory.getInstance("SunX509");

    // one keystore serves both roles: the key manager takes the client
    // key/cert from it, the trust manager takes the trusted CA certs
    ks.load(new FileInputStream("mykeystore"), passphrase);
    kmf.init(ks, passphrase);
    tmf.init(ks);
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

    // must run before the SOAP client opens its first https connection
    HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
} catch (Exception e) {
    System.out.println("SSLSocketFactory initialization failed");
    e.printStackTrace();
}
[ ... ]
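An added diagnostic for the symptom described in this post (this is example code, not the poster's code nor anything from the thread). In the SOAP run the debug output shows an empty "Certificate chain" and no "matching client alias" line, which is what JSSE prints when its X509KeyManager either returns null from chooseClientAlias (no key entry matches the key types and CA names in the server's CertificateRequest) or is never consulted at all. The example below wraps the key manager from the keystore in a logging decorator so that distinction becomes visible, and runs the same alias selection offline before any connection is opened. It is written against the javax.net.ssl API of JDK 1.4 and later rather than com.sun.net.ssl. Assumptions: a JKS file named "mykeystore" with one RSA key entry (as in the post), the passphrase taken from the command line (default "changeit" is only a placeholder), and the class name ClientCertDiag, which is made up here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

public class ClientCertDiag {

    /** Decorator around the JSSE key manager: logs every client-alias decision. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            // Called once per handshake after the server's CertificateRequest;
            // a null result makes the client send an empty Certificate message.
            String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
            System.err.println("chooseClientAlias keyTypes=" + Arrays.toString(keyTypes)
                    + " issuers=" + (issuers == null ? "null" : Arrays.toString(issuers))
                    + " -> " + alias);
            return alias;
        }
        public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
        public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
        public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
        public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    static KeyStore loadKeyStore(String path, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, passphrase);
        }
        return ks;
    }

    /** Key managers from the store, each wrapped so alias selection is logged. */
    static KeyManager[] loggingKeyManagers(KeyStore ks, char[] passphrase) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, passphrase);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
            }
        }
        return kms;
    }

    /**
     * Offline check, no network needed: ask for an RSA client alias exactly as the
     * handshake would, first with an empty CA list, then with the issuer of every
     * private-key entry in the store (a self-signed cert is its own issuer).
     */
    static String selfCheck(KeyStore ks, X509KeyManager km) throws Exception {
        List<Principal> issuers = new ArrayList<Principal>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                X509Certificate top = (X509Certificate) chain[chain.length - 1];
                issuers.add(top.getIssuerX500Principal());
            }
        }
        km.chooseClientAlias(new String[] {"RSA"}, null, null);
        return km.chooseClientAlias(new String[] {"RSA"}, issuers.toArray(new Principal[0]), null);
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: "mykeystore" as in the post; passphrase from argv, "changeit" is a placeholder.
        char[] passphrase = (args.length > 0 ? args[0] : "changeit").toCharArray();
        KeyStore ks = loadKeyStore("mykeystore", passphrase);
        KeyManager[] kms = loggingKeyManagers(ks, passphrase);

        if (selfCheck(ks, (X509KeyManager) kms[0]) == null) {
            System.err.println("no client alias matches: the handshake would send an empty certificate chain");
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);

        // Install before the SOAP library opens its first connection. A handshake that
        // never prints a chooseClientAlias line is not using this socket factory at all.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

A test keystore matching the post can be created with keytool, e.g. keytool -genkeypair -alias kim -keyalg RSA -storetype JKS -keystore mykeystore -storepass changeit -keypass changeit -dname "CN=Kim Altintop, OU=SD, O=mbfp, C=DE". Run the class with the passphrase as its argument, then run the SOAP client in the same JVM: if the log shows chooseClientAlias being called with the server's CA list but returning null, the keystore entry does not match what the server asks for; if it is never called at all, the SOAP library is opening its connections through a different socket factory than the one installed with setDefaultSSLSocketFactory.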