TLS handshake is completed but I can not see "certificate request" when I check with wireshark.
I am using netty as a server.
Please help me :)
I solved the problem. Netty did not send a request because my truststore was empty. Thanks.
Related
I'm trying to test my API using SoapUI 5.4.0. I added my website SSL certificate in Keystore and my clients SSL in Truststore. I added apikey in header and parameters in parameters section. But, still I'm getting:
response error 401 Unauthorized
Please help to fix this issue.
Have you sent the request with configured Keystore?
example:
below Screen I have configured the ssl keystore, hope you have also done the same.
And then while sending request , you need to point the ssl keystore. For every request which requires ssl you need to do this.
I've written a MIDlet server that handle tcp inputstream. I send xmlhttprequest with an http:// url from a html web page and it works fine. I want to do the same with an https url.
with my secureserverconnection instancied by a connector.open the accecptandopen() method return an exception.
handshake client send
As you can see the xmlhttprequest send an handshake hello but I've notices tls1.2 protocol then tls1.0 protocol and finally tls1.2.
Is it normal having 2 different protocol sent by the client. It is the first phase of the handshake protocol.
My Midlet java server respond with an Alert and a a "ssl3_get_client_hello:no shared cipher" error (IOException)
IOexception capture
I've specified the connector options like this : cipher : TLS_RSA_WITH_AES_128_GCM_SHA256 and TLSv1.2 protocol
tlsv1.2 server response
Have someone ever done it or can explain me why the cipher handshake is in error?
Yes it is normal for the client to try both protocols. The most likely scenario is that your device simply lacks any valid certificates, since J2ME devices are so old.
See:
"ssl3_get_client_hello:no shared cipher" in server depending on server certificate and key
I am in a big issue regarding TLSv1.2 and unable to resolve this.
Scenario:
Hostapd should act as an integrated EAP server.I have an openwrt device on which hostapdv2.6-devel is running.
2.Wpa_Supplicant is acting as a client and should talk to hostapd for successful authentication.wpa_supplicantv2.6-devel is running on a different openwrt device.
3.Two way SSL handshake(EAP-TLS) should happen successfully and hostapd should authenticate the client device without any issue.
4.Requirement is that this communication should take place on TLSv1.2 i.e. server (hostapd)is bound to send TLSv1.2.
Configuration:
EAP server(hostapd configuration):
1.Since by default server is sending TLSv1.0 to the client so I made it to send TLSv1.2 forcefully by recompiling the package for TLSv12 and install again on the router.
2.Created a configuration file, which has all the server certificate, ca certificate chain eap_server=1 etc.
3.Started the hostapd process on the device successfully.
client configuration(wpa_supplicant):
1.Created a configuration file, which has all client certificate, CA chain, identity, SSID etc.
2.Started the wpa_supplicant on the device successfully.
SSL transactions:
1.client send client hello message and TLSv1.2 in it.
2.Server responds with server hello message and TLSv1.2
3.Server sends its certificate, serverkeyexchange, certificate request message.
4.Afterward a fatal alert occurs "decode_error" and no more transaction are seen and authentication gets failed.
Please see the wireshark capture below.
ClientHello
ServerHello
Alert Message
Kindly help me to resolve this issue as its making my life difficult.
Please let me know if any other information is required.
Thanks.
I setup 2way ssl with Camel and CXF using the http conduit element etc.
I make a webservice call to an external party. All certificates are correctly installed (incoming traffic is succesfull, this is configured in Tomcat). After this post about secure renegotiation I finally received a response from the other party: HTTP response 403, forbidden.
I've been debugging with javax.net.debug=all and this excellent explanation.
I can see in the logging that a secure connection is succesfully setup:
*** Finished
verify_data: { 141, 25, 184, 254, 93, 9, 10, 48, 135, 161, 213, 57 }
***
%% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
and no other errors or warnings. How can I verify if my client certificate is sent to the server? (I can't use Wireshark but I have the javax.net.debug logging)
I found the answer in this post and by comparing the javax.net.debug output to the client auth example.
I don't see CertificateVerify in my log, only the one way ssl steps, so there is no client certificate sent.
The cause was that I copied the CXF http conduit example from their website, but somehow the ciphersuite filter it contained was too strict.
I needed to track this down and found the following.
In Java 11, I enabled SSL logging by adding this option to the tomcat server process I was using:
-Djavax.net.debug=ssl:handshake:verbose:keymanager.
Next, I ran my test and studied the logs. The general format of all messages begin like this (so I won't repeat this because it clutters up the important content).
javax.net.ssl|DEBUG|22|http-bio-8443-exec-1|2023-02-06 18:01:35.705 GMT|CertificateMessage.java:366|Produced ClientHello handshake message
Client Side Logs: Successful mutual authentication
The following shows the SSL handshake messages that occurred during a successful two way certificate authentication.
Produced ClientHello handshake message
Consuming ServerHello handshake message
Consuming server Certificate handshake message <<< Receiving Server cert
Consuming ECDH ServerKeyExchange handshake message
Consuming CertificateRequest handshake message <<< Server asking for client cert
Consuming ServerHelloDone handshake message
Produced client Certificate handshake message <<< Sending client cert
Produced ECDHE ClientKeyExchange handshake message
Produced CertificateVerify handshake message
Produced ChangeCipherSpec message
Produced client Finished handshake message
Consuming ChangeCipherSpec message
Consuming server Finished handshake message
I highlighted the lines that show the server cert being received and the client cert being sent. I should note that the above is the logs as viewed on the client side of the connect.
The SSL Spec (See https://www.rfc-editor.org/rfc/rfc5246#section-7.4.6) says:
This [the Client Certificate message] is the first message the client can send after receiving a
ServerHelloDone message. This message is only sent if the server
requests a certificate
And once the ClientKeyExchange message is sent, we know that no client certificate was sent because again the spec says:
This message is always sent by the client. It MUST immediately
follow the client certificate message, if it is sent. Otherwise,
it MUST be the first message sent by the client after it receives
the ServerHelloDone message.
Since the ServerHelloDone message was printed, and then the ClientKeyExchange message was printed, therefore the ClientCertificate message was not sent because if it were being sent it needed to be sent immediately after the SeverHelloDone and before the ClientKeyExchange.
This test was performed using Java 11. I don't have the web libraries handy but this was not a SpringBoot application.
Server Side Logs: Successful mutual authentication with certs
For completeness, the following shows the messages that are logged by the server side of the two way authentication using certificates.
Consuming ClientHello handshake message
Ignore unavailable extension: supported_versions
Produced ServerHello handshake message
Produced server Certificate handshake message <<< Sending server cert
Produced ECDH ServerKeyExchange handshake message
Produced CertificateRequest handshake message <<< Request client send cert
Produced ServerHelloDone handshake message
Consuming client Certificate handshake message << Receiving clients cert
Consuming ECDHE ClientKeyExchange handshake message
Consuming CertificateVerify handshake message
Consuming ChangeCipherSpec message
Consuming client Finished handshake message
Produced ChangeCipherSpec message
Produced server Finished handshake message
Summary
This answer highlights the messages logged for the two way (aka mutual) authentication using X.509 certificates in a Java web application that both received incoming requests (and required mutual authentication) and making a REST call to another server that also required two way authentication.
Some of the log messages shown contain a large amount of additional information such as the actual certificate information and detailed values from the SSL specification. None of that data is shown because it makes it harder to see the important messages and it is not needed to understand the answer.
If you needed to see exactly what was sent in a certificate then the detailed logs provide that information.
Later, I tried this with a SpringBoot application using spring-boot-starter-parent:2.7.3 and it also worked when running with
mvn spring-boot:run -Dspring-boot.run.jvmArguments="-Djavax.net.debug=ssl:handshake:verbose:keymanager"
Will SSL protocol ask for handshake after intial handshake ?
I mean once handshake is done and data transfer is happening. Is there any case in which handshake/authentication needs to be done ? If so, in which case ?
Yes. Either of the peers can request a new handshake at any time: to strengthen the cipher suite, ask for a client certificate, etc, or just to negotiate a new session key.