I've tried to setup server-side client aith in my Java application as follows:
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setNeedClientAuth(true);
TrustManager[] trustManagers = new TrustManager[
]{new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] arg0, String arg1)
throws CertificateException {
LoggerFactory.getLogger().fatal("Check client trusted");
}
@Override
public void checkServerTrusted(X509Certificate[] arg0, String arg1)
throws CertificateException {
LoggerFactory.getLogger().fatal("Check server trusted");
}
@Override
public X509Certificate[] getAcceptedIssuers() {
LoggerFactory.getLogger().fatal("Returning accepted issuers");
try {
InputStream inStream = new FileInputStream("/home/sk_/client.cer");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
inStream.close();
return new X509Certificate[]{cert};
} catch (Exception e) {
e.printStackTrace();
LoggerFactory.getLogger().fatal("AFDASDFSAASD", e);
return null;
}
}
}};
SSLContext context = SSLContext.getInstance("TLSv1.1");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
FileInputStream fin = new FileInputStream(".hive/certs/mjolnirr.jks");
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(fin, "passwd".toCharArray());
kmf.init(ks, "passwd".toCharArray());
context.init(kmf.getKeyManagers(), trustManagers, null);
SSLEngine engine = context.createSSLEngine();
engine.setNeedClientAuth(true);
engine.setEnabledCipherSuites(engine.getSupportedCipherSuites());
engine.setEnabledProtocols(engine.getSupportedProtocols());
sslContextFactory.setSslContext(context);
Also I've added SSL settings to the client:
-Djavax.net.debug=ssl
-Djavax.net.ssl.keyStoreType=jks
-Djavax.net.ssl.keyStore=/home/sk_/client-truststore.jks
-Djavax.net.ssl.keyStorePassword=passwd
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.trustStore=/home/sk_/client-truststore.jks
-Djavax.net.ssl.trustStorePassword=passwd
client.cer was exported from the client truststore (client-trustore.jks). Client fails with the following error:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1705)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:122)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:972)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1087)
...
WHat's wrong with my application?
EDIT I've added debug for ssl and handshake to the server, here is output:
*** ServerHelloDone
qtp935608254-28, WRITE: TLSv1 Handshake, length = 1442
qtp935608254-29, READ: TLSv1 Handshake, length = 77
*** Certificate chain
***
qtp935608254-29, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
qtp935608254-29, SEND TLSv1 ALERT: fatal, description = bad_certificate
qtp935608254-29, WRITE: TLSv1 Alert, length = 2
qtp935608254-29, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
Your client certificate isn't trusted by the server's truststore. The server sends a list of trusted CAs and the client has to send a certificate that is trusted by one of them. It couldn't, so it sent a null cert chain instead. If your client certificate is self-signed, or signed by an untrusted CA, you need to export it from your client keystore and import it as a trusted cert into the server's truststore.