I setup 2way ssl with Camel and CXF using the http conduit element etc. I make a webservice call to an external party. All certificates are correctly installed (incoming traffic is succesfull, this is configured in Tomcat). After this post about secure renegotiation I finally received a response from the other party: HTTP response 403, forbidden.
I've been debugging with javax.net.debug=all and this excellent explanation. I can see in the logging that a secure connection is succesfully setup:
*** Finished
verify_data: { 141, 25, 184, 254, 93, 9, 10, 48, 135, 161, 213, 57 }
***
%% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
and no other errors or warnings. How can I verify if my client certificate is sent to the server? (I can't use Wireshark but I have the javax.net.debug logging)
I found the answer in this post and by comparing the javax.net.debug output to the client auth example. I don't see CertificateVerify in my log, only the one way ssl steps, so there is no client certificate sent.
The cause was that I copied the CXF http conduit example from their website, but somehow the ciphersuite filter it contained was too strict.