tomcat - Client certificate is not sent to server


I am trying to set up two-way SSL authentication for a SOAP web service running on JBoss 4.2.3. For that purpose I have created a CA with a root CA and two intermediate CAs (development and production environments).

However, when trying to test the setup with a client certificate signed by one of the intermediate CAs, I have run into problems.

The server is set up with the root CA in the JVM's cacerts keystore and the relevant intermediate CA in the keystore used as the Tomcat connector truststore. The complete connector config is the following:

    <Connector port="443" address="${jboss.bind.address}"
               protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="keystore.p12"
               keystorePass="******" keystoreType="PKCS12"
               emptySessionPath="true" enableLookups="false" acceptCount="100"
               truststoreFile="truststore.jks"
               truststorePass="******" truststoreType="JKS"
               disableUploadTimeout="true" />

When connecting with openssl s_client I can see that "Acceptable client certificate CA names" lists our intermediate CA. I am providing the correct client certificate and key in the -cert and -key options. As far as I can understand the openssl output, the certificate is never sent. I also tried concatenating the client certificate, intermediate and root CA into a single PEM file to present the entire chain, but that didn't help either.

The s_client command line is the following:

    openssl s_client -host localhost -port 443 -cert client_cert.crt -key client_key.key -capath /etc/ssl/certs/ -debug -state

The same behaviour is observed when I try to test the service with Google Chrome, with the relevant certificates installed in Windows. The Wireshark output looks the same - the certificate is requested and the correct acceptable CA is presented, but the browser never gives me a choice of certificate, and an empty client certificate message is sent to the server.

So my question is - what am I missing here? I have assumed that the acceptable CA list should be used by the client to decide which certificates to send, but the decision goes otherwise and no certificate is sent. Again assuming that the server is configured correctly, because the expected CA is sent in the negotiation, what is missing on the client side?

Edit:

As requested by @Bruno, I looked at the key usage of the certificates. The client certificate used gives the following information when printed with openssl x509 -noout -text -in client.cer

    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage: critical
        .....
    X509v3 Extended Key Usage:
        TLS Web Client Authentication

Looking at this, the empty key usage field seems to be the culprit. What values should be there? I can't seem to figure out how to phrase a Google search for such information. I'll have a look at the CA management software then.

Thanks to the hint given by @Bruno, I investigated the key usage part of the client certificates. It turns out we were generating certificates with an empty key usage attribute.

I have configured our CA management software to generate certificates with the following key usage/extended key usage attributes. I confess I don't understand what each of these does, but it made the system work now. I hope I have not added anything potentially dangerous here.

    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
    X509v3 Extended Key Usage:
        TLS Web Client Authentication

After googling around for information on key usage bits, I stumbled upon this question, which explained things somewhat.
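The failure described in this thread is worth being able to check mechanically: a client certificate with a critical Key Usage extension that carries no bits cannot sign the TLS CertificateVerify message, so browsers and OpenSSL silently skip it even though the issuing CA is in the server's acceptable-CA list. For an RSA or ECDSA client certificate the bit that actually matters is Digital Signature; the other bits the poster added are harmless for client authentication but not required. The script below is an added example, not code from the question or from Tomcat/JBoss. It parses the "X509v3 extensions" section of `openssl x509 -noout -text` output (the format shown above) and reports why a certificate would be unusable for client authentication. The two embedded certificate dumps are constructed samples modelled on the empty-key-usage and corrected certificates in the question; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the first dump in the question:
# a critical Key Usage extension with no bits set at all.
CERT_TEXT_EMPTY_KU = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

# Constructed sample modelled on the corrected certificate in the question's edit.
CERT_TEXT_FIXED = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

# An extension header line looks like "X509v3 Key Usage: critical" or "X509v3 Extended Key Usage:".
_EXT_HEADER = re.compile(r"^X509v3 (?P<name>[^:]+):(?P<critical>\s*critical)?\s*$")


def parse_x509v3_extensions(text: str) -> Dict[str, List[str]]:
    """Map each X509v3 extension name to the list of values printed beneath it.

    Values are split on commas, so "Digital Signature, Key Encipherment" becomes two entries.
    An extension header followed directly by the next header yields an empty list.
    """
    extensions: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "X509v3 extensions:":
            continue
        header = _EXT_HEADER.match(line)
        if header:
            current = header.group("name")
            extensions[current] = []
            continue
        if current is not None:
            extensions[current].extend(v.strip() for v in line.split(",") if v.strip())
    return extensions


def client_auth_problems(extensions: Dict[str, List[str]]) -> List[str]:
    """Return the reasons a certificate with these extensions cannot be used for TLS client auth.

    An absent Key Usage extension imposes no restriction (RFC 5280), so only a present-but-wrong
    extension is reported. An empty list means the certificate looks usable.
    """
    problems: List[str] = []
    key_usage = extensions.get("Key Usage")
    if key_usage is not None and "Digital Signature" not in key_usage:
        problems.append(
            "Key Usage is present but lacks Digital Signature, so the client cannot sign "
            "the TLS CertificateVerify message; the certificate will not be offered"
        )
    ext_key_usage = extensions.get("Extended Key Usage")
    if ext_key_usage is not None and "TLS Web Client Authentication" not in ext_key_usage:
        problems.append("Extended Key Usage is present but lacks TLS Web Client Authentication")
    if "CA:TRUE" in extensions.get("Basic Constraints", []):
        problems.append("Basic Constraints marks this as a CA certificate rather than an end-entity certificate")
    return problems


if __name__ == "__main__":
    # Runs the checker over both constructed dumps; feed real output via stdin instead if desired.
    for label, dump in (("empty key usage", CERT_TEXT_EMPTY_KU), ("corrected", CERT_TEXT_FIXED)):
        found = client_auth_problems(parse_x509v3_extensions(dump))
        print(f"{label}: {'OK for client auth' if not found else '; '.join(found)}")
```

Piping `openssl x509 -noout -text -in client.cer` into the parser gives the same verdict that a browser or s_client reaches silently during the handshake, which is the check to run before blaming the server's truststore.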
