Hi,
We are writing some code that uses two-way SSL https connections between some
code (an AuditProvider for WLS 9.2's security provider infrastructure, but we
have run into the same problems running it as a plain Java class with main
method) and a WLS 9.2 server.
We have:
* set up WLS 9.2 server to request client certificates
* created two .pem files, a matching private key and certificate, signed by our
CA
* added our CA's certificate to the WLS 9.2 server demo trust certificate
store
Then, we try to run the following program:
[pre]
import java.io.InputStream;
import java.net.URL;
import weblogic.net.http.HttpsURLConnection;

public class HttpsTest {
    public static void main(String[] args) throws Exception {
        HttpsURLConnection urlConnection = new HttpsURLConnection(
                new URL("https://it-dev3:7002/remoting/BEAAuditLogService-hessian"));
        // Client identity for two-way SSL: PEM certificate chain, PEM private key
        // and the pass phrase protecting that key. getClass() cannot be called from
        // a static method, so the resources are located through the class literal.
        InputStream certChain = HttpsTest.class.getResourceAsStream("/supervisor.root.certs.pem");
        InputStream privateKey = HttpsTest.class.getResourceAsStream("/supervisor.private.pem");
        urlConnection.loadLocalIdentity(certChain, privateKey, "kinamik".toCharArray());
        urlConnection.getContent();
    }
}
[/pre]
using the following VM options:
[pre]
-Dbea.home=c:\dev\bea
-Dweblogic.home=c:\dev\bea\weblogic92\server
-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
-Dweblogic.security.SSL.verbose=true
-Dweblogic.webservice.client.ssl.strictcertchecking=false
-Dweblogic.security.TrustKeyStore=DemoTrust
[/pre]
However, the TLS exchange fails with alert 40 (Handshake failure (fatal),
according to Wikipedia). Fiddling around, we also manage to get alert 51
(Decrypt error (TLS only) (warning or fatal)).
I am wondering if the above steps are correct. Is there any special stuff going
on for the Trust Store? We have managed to get similar things working using
Sun's SSL classes instead of BEA's, so we believe that the problem is in the
client end.
Kind regards,
Alex
(btw, I would also appreciate email followup if possible at acorcoles at kinamik
dot com)
ps: this is the full debug output of the above program
[pre]
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSL license found
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Not in server, Certicom SSL license found
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacSHA1
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HmacSHA1
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HmacMD5
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE KeyAgreement: SunJCE version 1.5 for algorithm DiffieHellman
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default KeyAgreement for algorithm DiffieHellman
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default KeyAgreement for algorithm ECDH
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm DESede
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm DES
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm AES
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm RC4
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm RSA/ECB/PKCS1Padding
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm RSA/ECB/NoPadding
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSL Session TTL :90000
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: DefaultHostnameVerifier: allowReverseDNS=false
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Trusted CA keystore: c:\dev\bea\weblogic92\server\lib\DemoTrust.jks
Mar 31, 2008 6:11:08 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Trusted CA keystore: C:\Program Files\Java\jdk1.5.0_06\jre\lib\security\cacerts
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm DESede
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Trusted CA keystore: c:\dev\bea\weblogic92\server\lib\DemoTrust.jks
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Trusted CA keystore: C:\Program Files\Java\jdk1.5.0_06\jre\lib\security\cacerts
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: clientInfo has new style certificate and key
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Filtering JSSE SSLSocket
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSLIOContextTable.addContext(ctx): 31601333
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSLSocket will NOT be Muxing
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write SSL_20_RECORD
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: isMuxerActivated: false
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: 6460907 SSL3/TLS MAC
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: 6460907 received HANDSHAKE
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: HANDSHAKEMESSAGE: ServerHello
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: isMuxerActivated: false
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: 6460907 SSL3/TLS MAC
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: 6460907 received HANDSHAKE
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: HANDSHAKEMESSAGE: Certificate
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Validating certificate 0 in the chain: Serial number:
163515771763733915716195253240375104027
Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY,
CN=CertGenCAB
Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY,
CN=it-dev3
Not Valid Before:Tue Jan 16 13:33:15 CET 2007
Not Valid After:Mon Jan 17 13:33:15 CET 2022
Signature Algorithm:MD5withRSA
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Validating certificate 1 in the chain: Serial number:
46914133237969612308202465797198785159
Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY,
CN=CertGenCAB
Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY,
CN=CertGenCAB
Not Valid Before:Thu Oct 24 17:54:45 CEST 2002
Not Valid After:Tue Oct 25 17:54:45 CEST 2022
Signature Algorithm:MD5withRSA
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: validationCallback: validateErr = 0
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: cert[0] = Serial number: 163515771763733915716195253240375104027
Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY,
CN=CertGenCAB
Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY,
CN=it-dev3
Not Valid Before:Tue Jan 16 13:33:15 CET 2007
Not Valid After:Mon Jan 17 13:33:15 CET 2022
Signature Algorithm:MD5withRSA
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: cert[1] = Serial number: 46914133237969612308202465797198785159
Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY,
CN=CertGenCAB
Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY,
CN=CertGenCAB
Not Valid Before:Thu Oct 24 17:54:45 CEST 2002
Not Valid After:Tue Oct 25 17:54:45 CEST 2022
Signature Algorithm:MD5withRSA
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSLTrustValidator returns: 0
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Trust status (0): NONE
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Performing hostname validation checks: it-dev3
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: isMuxerActivated: false
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: 6460907 SSL3/TLS MAC
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: 6460907 received HANDSHAKE
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: HANDSHAKEMESSAGE: CertificateRequest
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: isMuxerActivated: false
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: 6460907 SSL3/TLS MAC
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: 6460907 received HANDSHAKE
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: HANDSHAKEMESSAGE: ServerHelloDone
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Returning chain of 2 certificates.
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write HANDSHAKE, offset = 0, length = 3427
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HmacMD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacSHA1
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HmacSHA1
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm MD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm RC4
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HmacMD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacSHA1
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HmacSHA1
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm RSA/ECB/PKCS1Padding
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write HANDSHAKE, offset = 0, length = 70
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Private key class is com.certicom.tls.provider.spec.JSAFE_RSAPrivateKey
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Using standard Certicom CertificateVerify code
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm RSA/ECB/NoPadding
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write HANDSHAKE, offset = 0, length = 134
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write CHANGE_CIPHER_SPEC, offset = 0, length = 1
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Cipher for algorithm RC4
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HMACMD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HMACMD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HmacMD5
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacSHA1
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Will use default Mac for algorithm HmacSHA1
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write HANDSHAKE, offset = 0, length = 16
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Exception during handshake, stack trace follows
java.net.SocketException: Software caused connection abort: socket write error
at java.net.SocketOutputStream.socketWrite0(Native Method)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
at com.certicom.io.OutputSSLIOStream.write(Unknown Source)
at com.certicom.tls.record.WriteHandler.flushOutput(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.flush(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedCertificate.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:151)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:364)
at java.net.URLConnection.getContent(URLConnection.java:682)
at com.kinamik.bea.sap.HttpsTest.test(HttpsTest.java:19)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at junit.framework.TestCase.runTest(TestCase.java:164)
at junit.framework.TestCase.runBare(TestCase.java:130)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:120)
at junit.framework.TestSuite.runTest(TestSuite.java:230)
at junit.framework.TestSuite.run(TestSuite.java:225)
at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:130)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: NEW ALERT with Severity: FATAL, Type: 40
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:151)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:364)
at java.net.URLConnection.getContent(URLConnection.java:682)
at com.kinamik.bea.sap.HttpsTest.test(HttpsTest.java:19)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at junit.framework.TestCase.runTest(TestCase.java:164)
at junit.framework.TestCase.runBare(TestCase.java:130)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:120)
at junit.framework.TestSuite.runTest(TestSuite.java:230)
at junit.framework.TestSuite.run(TestSuite.java:225)
at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:130)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
Mar 31, 2008 6:11:09 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write ALERT, offset = 0, length = 2
[/pre]
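Editor's added example (not part of Alex's post and not WebLogic or Certicom code): the debug log above names each server handshake message (ServerHello, Certificate, CertificateRequest, ServerHelloDone) and then reports an alert by number only. The stdlib-only Python below walks raw TLS record-layer bytes, splits plaintext Handshake records into their individual messages, and decodes Alert records into the RFC 2246 level and description names, so "Type: 40" and "51" read as handshake_failure and decrypt_error. The SAMPLE byte string is constructed here (dummy message bodies, only headers are decoded); it is not a capture from the it-dev3 server.

```python
"""Decode TLS record-layer bytes into handshake message names and alerts.

Standard library only. SAMPLE is constructed for this example, not a capture.
"""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {
    0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 2246 (TLS 1.0) / RFC 5246 (TLS 1.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}


def parse_records(data):
    """Split bytes into TLS records: (content type name, (major, minor), payload)."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        off += 5
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % off)
        off += length
        records.append((CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype), (major, minor), payload))
    return records


def parse_handshake(payload):
    """Return the message type names in one plaintext Handshake record.

    A server typically packs ServerHello, Certificate, CertificateRequest and
    ServerHelloDone into a single record, so several 4-byte headers (type,
    24-bit length) follow each other. Records sent after ChangeCipherSpec are
    encrypted and cannot be decoded this way.
    """
    names, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated handshake header at offset %d" % off)
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        off += 4
        if len(payload) - off < length:
            raise ValueError("truncated handshake body at offset %d" % off)
        names.append(HANDSHAKE_TYPES.get(msg_type, "unknown(%d)" % msg_type))
        off += length
    return names


def parse_alert(payload):
    """Decode a 2-byte Alert payload into (level name, description name)."""
    if len(payload) != 2:
        raise ValueError("alert payload must be 2 bytes, got %d" % len(payload))
    level, desc = payload[0], payload[1]
    return (ALERT_LEVELS.get(level, "unknown(%d)" % level),
            ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc))


def describe(data):
    """Turn a byte stream into one readable event per handshake message or alert."""
    events = []
    for name, _version, payload in parse_records(data):
        if name == "Handshake":
            events.extend("HANDSHAKEMESSAGE: " + n for n in parse_handshake(payload))
        elif name == "Alert":
            level, desc = parse_alert(payload)
            events.append("ALERT %s %s (%d)" % (level, desc, payload[1]))
        else:
            events.append(name)
    return events


def _handshake_message(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(ctype, payload, version=(3, 1)):
    return bytes([ctype, version[0], version[1]]) + struct.pack("!H", len(payload)) + payload


# Constructed sample: a TLS 1.0 server flight in one record (dummy bodies), then
# the two alerts mentioned in the post.
SAMPLE = (
    _record(22, _handshake_message(2, b"\x03\x01" + b"\x00" * 34)
            + _handshake_message(11, b"\x00\x00\x00")
            + _handshake_message(13, b"\x01\x01\x00\x00")
            + _handshake_message(14, b""))
    + _record(21, bytes([2, 40]))   # fatal handshake_failure
    + _record(21, bytes([1, 51]))   # warning decrypt_error
)

if __name__ == "__main__":
    for event in describe(SAMPLE):
        print(event)
```

To apply this to a real failure, feed it the plaintext bytes of the server's flight and the alert record (for example from a packet capture); anything after the client's ChangeCipherSpec is encrypted, which is why a parser like this can only confirm which plaintext message the alert followed, not why the peer rejected the CertificateVerify.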