I have a Rest api and am trying to implement the security in it using 2 way SSL. I have server.jks placed at a certain location on the server where the application is deployed. Now I have another java application that is acting as a client. I have a identity.jks and trust.jks as below
{
client.ssl.key-store=/cucumber/dev/identity.jks
client.ssl.key-store-password=changeme
client.ssl.trust-store=/cucumber/dev/trust.jks
client.ssl.trust-store-password=changeme
}
however when my client makes a http post request to the api, I get bad certificate error with below logs getting generated at client side.
I am not getting what is missing here.
ssl logs:
{
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
ssl: Ignoring alias server: issuers do not match
ssl: KeyMgr: no matching key found
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value: { 4, 157, 56, 226, 111, 107, 118, 232, 80, 45, 243, 230, 40, 102, 248, 0, 45, 8, 136, 14, 177, 18, 135, 204, 179, 35, 160, 73, 134, 194, 251, 79, 36, 227, 96, 119, 125, 116, 170, 222, 179, 162, 179, 2, 227, 10, 51, 198, 142, 183, 70, 247, 39, 191, 105, 2, 173, 245, 11, 104, 11, 85, 19, 206, 95 }
[write] MD5 and SHA1 hashes: len = 77
0000: 0B 00 00 03 00 00 00 10 00 00 42 41 04 9D 38 E2 ..........BA..8.
0010: 6F 6B 76 E8 50 2D F3 E6 28 66 F8 00 2D 08 88 0E okv.P-..(f..-...
0020: B1 12 87 CC B3 23 A0 49 86 C2 FB 4F 24 E3 60 77 .....#.I...O$.`w
0030: 7D 74 AA DE B3 A2 B3 02 E3 0A 33 C6 8E B7 46 F7 .t........3...F.
0040: 27 BF 69 02 AD F5 0B 68 0B 55 13 CE 5F '.i....h.U.._
finagle/netty4-1, WRITE: TLSv1.2 Handshake, length = 77
SESSION KEYGEN:
PreMaster Secret:
0000: 93 55 61 AA 21 BB 29 A9 FA B2 D9 14 9A 34 DF 90 .Ua.!.)......4..
0010: D1 2B 4E D3 0C 8A 32 E0 EB 07 84 4C F1 27 4A 22 .+N...2....L.'J"
CONNECTION KEYGEN:
Client Nonce:
0000: 5B 6D 9A 26 BB 80 E0 FB 21 14 EF EE 2C 72 F1 E2 [m.&....!...,r..
0010: B6 7C 50 A1 94 9A 20 7D 3E 0C 6F 8A 4B 3A 60 AC ..P... .>.o.K:`.
Server Nonce:
0000: 5B 6D 9A 26 A3 CE 30 1A 70 FF DA 97 E5 35 D3 17 [m.&..0.p....5..
0010: E6 60 7E 74 91 3D 0A BC F3 27 B9 BB 63 97 34 39 .`.t.=...'..c.49
Master Secret:
0000: 5F 0D 19 8D 4A 34 95 68 5E 06 D7 3B F5 1A 1E 32 _...J4.h^..;...2
0010: 07 C4 19 06 66 A7 6E A6 18 50 32 56 67 9B A6 FB ....f.n..P2Vg...
0020: F5 DF 33 9A 66 09 2F 7A DF 37 95 4E 8D BF F7 10 ..3.f./z.7.N....
Client MAC write Secret:
0000: 21 8C 67 0B BF 0C A9 19 5B 6B 27 ED 75 4E AA 49 !.g.....[k'.uN.I
0010: 90 DE EA 37 CF D5 06 19 E9 1A 96 14 3D BC 02 26 ...7........=..&
0020: B4 BA 78 A8 AC D6 0D F9 79 38 FE 94 26 2F 82 2B ..x.....y8..&/.+
Server MAC write Secret:
0000: 3C 14 31 DF 62 00 A1 41 18 1E 21 0C E1 CB 0E EF <.1.b..A..!.....
0010: B4 99 85 96 3C 30 51 FF 3C 5B D5 4E 02 EA 2A 67 ....<0Q.<[.N..*g
0020: 54 C5 72 2B 0B 45 A1 CD BC E8 AB 34 CE FD 66 64 T.r+.E.....4..fd
Client write key:
0000: 18 CF 26 CE 55 12 3C 8F 9E 9F A7 80 4D 2C B0 71 ..&.U.<.....M,.q
0010: A7 0A B9 58 07 E9 2E 38 9D AE 49 61 72 3F D1 2C ...X...8..Iar?.,
Server write key:
0000: 0A DE 66 22 5C 2F 38 1E FE 59 79 25 A3 43 6F E1 ..f"\/8..Yy%.Co.
0010: 6D 80 44 2F 60 81 1F 34 C6 C6 1B A8 63 F0 7A 56 m.D/`..4....c.zV
... no IV derived for this protocol
finagle/netty4-1, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 74, 37, 55, 128, 217, 164, 34, 181, 144, 55, 30, 12 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 4A 25 37 80 D9 A4 22 B5 90 37 1E 0C ....J%7..."..7..
Padded plaintext before ENCRYPTION: len = 96
0000: 54 34 9D E3 6A 86 B0 CC FC A9 2D C8 E1 AF B4 2B T4..j.....-....+
0010: 14 00 00 0C 4A 25 37 80 D9 A4 22 B5 90 37 1E 0C ....J%7..."..7..
0020: F5 A8 F5 FD 3B C7 AE B1 DC FC A1 42 95 04 27 3E ....;......B..'>
0030: 3D DF 96 C1 36 36 CF 77 5B 31 37 6A 1A C0 C9 8C =...66.w[17j....
0040: CF D1 5F 1B 21 05 4E F8 07 28 0C 4E DE 30 32 D2 .._.!.N..(.N.02.
0050: 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F ................
finagle/netty4-1, WRITE: TLSv1.2 Handshake, length = 96
[Raw write]: length = 82
0000: 16 03 03 00 4D 0B 00 00 03 00 00 00 10 00 00 42 ....M..........B
0010: 41 04 9D 38 E2 6F 6B 76 E8 50 2D F3 E6 28 66 F8 A..8.okv.P-..(f.
0020: 00 2D 08 88 0E B1 12 87 CC B3 23 A0 49 86 C2 FB .-........#.I...
0030: 4F 24 E3 60 77 7D 74 AA DE B3 A2 B3 02 E3 0A 33 O$.`w.t........3
0040: C6 8E B7 46 F7 27 BF 69 02 AD F5 0B 68 0B 55 13 ...F.'.i....h.U.
0050: CE 5F ._
[Raw write]: length = 6
0000: 14 03 03 00 01 01 ......
[Raw write]: length = 101
0000: 16 03 03 00 60 36 7B 78 0F A1 87 60 1F F6 0F B8 ....`6.x...`....
0010: 72 88 86 82 35 28 57 25 59 65 D7 DB 2B 37 5C 35 r...5(W%Ye..+7\5
0020: CE 36 EC 8D 85 B0 96 8D C9 8A 9F C3 DF 88 15 65 .6.............e
0030: 3B 4A 78 7D 64 02 CD 18 92 C6 6C 47 21 24 DD 4C ;Jx.d.....lG!$.L
0040: 37 1B 9B 80 64 F3 6B 14 C9 FE 7F DA DF FF 8C 55 7...d.k........U
0050: ED CB 62 77 BF F5 E5 5F C3 99 BB 70 39 5F 28 17 ..bw..._...p9_(.
0060: 4C 8B CF 85 05 L....
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 2A .*
finagle/netty4-1, READ: TLSv1.2 Alert, length = 2
finagle/netty4-1, RECV TLSv1.2 ALERT: fatal, bad_certificate
finagle/netty4-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: bad_certificate
finagle/netty4-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: bad_certificate
finagle/netty4-1, called closeOutbound()
finagle/netty4-1, closeOutboundInternal()
finagle/netty4-1, SEND TLSv1.2 ALERT: warning, description = close_notify
Padded plaintext before ENCRYPTION: len = 80
0000: 4A 51 F2 C8 BA 3D 59 D1 E4 97 9D 88 98 EE 5A 44 JQ...=Y.......ZD
0010: 01 00 05 72 73 DF 87 14 B4 B8 2A 5D D8 D2 E8 92 ...rs.....*]....
0020: 86 DD 9F 47 6E 98 52 6F 76 53 96 9F B2 CF BF 22 ...Gn.RovS....."
0030: 27 20 18 FB 9D 82 CE D1 F0 6E D1 A8 73 67 E8 B5 ' .......n..sg..
0040: C8 72 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D .r..............
finagle/netty4-1, WRITE: TLSv1.2 Alert, length = 80
finagle/netty4-1, called closeInbound()
finagle/netty4-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
finagle/netty4-1, called closeOutbound()
finagle/netty4-1, closeOutboundInternal()
[Raw write]: length = 85
0000: 15 03 03 00 50 D3 44 48 4B 3F 93 CE 6F 0D D8 B5 ....P.DHK?..o...
0010: DE 8B 42 4F 3A EE 65 A5 7E 8A A0 20 2B 46 4D 35 ..BO:.e.... +FM5
0020: 68 E5 CB 1A 7B FD 6F F2 F2 E4 23 1A 71 C2 CF 16 h.....o...#.q...
0030: 73 10 0A B1 86 4D 84 51 BF C8 B7 9C A5 E9 AE 20 s....M.Q.......
0040: 07 73 AD B5 4D 85 81 66 10 5E 92 5B 8C DF D4 80 .s..M..f.^.[....
0050: 9E 6D 8C 7C DC .m...
Aug 10, 2018 3:59:03 PM com.twitter.finagle.netty4.channel.ChannelExceptionHandler exceptionCaught
WARNING: Unhandled exception in connection with clrv0000082211.ic.ing.net/10.44.39.4:8086, shutting down connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: bad_certificate
}
Related
I've received the following DATA frame from https://example.com (is contains the HTML file).
Stream: DATA, Stream ID: 1, Length 606
Length: 606
Type: DATA (0)
Flags: 0x01
.... ...1 = End Stream: True
.... 0... = Padded: False
0000 .00. = Unused: 0x00
0... .... .... .... .... .... .... .... = Reserved: 0x0
.000 0000 0000 0000 0000 0000 0000 0001 = Stream Identifier: 1
[Pad Length: 0]
Reassembled body in frame: 37
Data: 1f8b08003b81055200038d5441afd3300cbeef5798720169…
My understanding is that this data is gzipped. When I save the decrypted data to a file and give it a .gz extension and attempt to extract it with 7-Zip I get an error though. It can open the archive, see that there is a single file in there, but when I try to read it or extract it I just get an error.
This is a hex dump of the decrypted data.
0000 1f 8b 08 00 3b 81 05 52 00 03 8d 54 41 af d3 30
0010 0c be ef 57 98 72 01 69 5d f7 80 07 53 d7 56 20
0020 40 e2 02 1c e0 c2 31 6b dc d5 5a 93 94 24 ed 36
0030 a1 f7 df 71 db bd ae e5 ed 40 2b b5 8e 1d 7f fe
0040 6c c7 49 9e 49 93 fb 73 8d 50 7a 55 65 8b e4 f1
0050 87 42 66 0b e0 27 f1 e4 2b cc 3e 9f 84 aa 2b 84
0060 4f 46 09 d2 49 34 68 17 c3 16 85 5e 40 5e 0a eb
0070 d0 a7 41 e3 8b 70 13 40 94 4d 8c a5 f7 75 88 bf
0080 1b 6a d3 e0 a3 d1 1e b5 0f bb b0 01 e4 c3 2a 0d
0090 3c 9e 7c d4 85 df 8e 50 b7 90 b4 50 98 06 2d e1
00a0 b1 36 d6 4f fc 8f 24 7d 99 4a 6c 29 c7 b0 5f 2c
00b0 81 34 79 12 55 e8 72 51 61 7a 77 85 72 fe cc c9
00c0 74 0c 2e 81 73 e7 82 c1 b6 33 f2 0c 7f 7a b1 5f
00d0 8a fc b0 b7 a6 d1 32 cc 4d 65 6c 0c cf 8b 35 bf
00e0 af b6 e3 16 25 ec 9e 74 0c eb ab aa 16 52 92 de
00f0 cf 74 05 33 0d 0b a1 a8 3a c7 10 7c af 51 c3 0f
0100 a1 5d b0 84 e0 0b 56 2d 7a ca 05 7c c3 06 59 33
0110 2a 96 f0 c1 72 06 4b 70 bc 35 74 68 a9 b8 22 f6
0120 c2 43 ff 95 d4 4e 48 f7 e9 c7 f0 76 bd ae 4f 4f
0130 79 de a3 02 d1 78 73 83 ee fd cc e1 56 ee c5 24
0140 fe ce 58 89 36 b4 42 52 e3 62 b8 43 b5 9d 50 12
0150 71 45 fa b0 e4 7f 4b 8e 3c ca 09 c1 47 b8 d7 9b
0160 37 9b cd 04 b1 eb 45 28 31 37 56 78 32 cc 55 1b
0170 8d 53 d0 f7 0a 25 09 78 a1 c4 29 bc 64 f9 ae cb
0180 f2 e5 b4 65 f3 0e fe 4f 26 0f a3 34 2f e4 a4 98
0190 f3 8a cd fa 7e c3 f6 4f 69 d6 73 eb 58 ef b1 64
01a0 57 12 c3 37 89 fa 23 9a 75 f2 22 89 86 79 5c 24
01b0 5d 6a 3c 9e 4c f2 72 90 cb bb 27 a3 c9 aa c1 56
01c0 67 3f 4b 72 20 7b 3d b0 84 ce 8b 5d 45 ae e4 5e
01d0 78 03 3b 84 c6 b1 58 18 0b 54 55 8d f3 5d d5 5b
01e0 04 1c 10 1d cf 0f 7b e7 8d e2 01 73 2b f8 65 1a
01f0 ce f9 dc 39 81 67 e4 e1 e0 5d d0 f5 d5 eb 48 be
0200 34 8d 87 da 12 23 e7 86 4b 41 ba ef 27 f0 5a b8
0210 03 a7 de 07 ad d1 2a 72 8e 0d ab 24 aa 47 d6 09
0220 df 17 16 8b 34 e8 6e 8d 38 8a 8e c7 e3 8a 84 16
0230 2b 63 f7 d1 10 cf 45 97 68 41 f6 d5 58 e4 f0 8c
0240 a7 fa 18 ab 15 83 89 ac 07 4c a2 be 52 49 74 a9
0250 5b 34 5c 6f 7f 01 08 95 aa 8b f6 04 00 00
How do I decompress this data?
Looks right to me. I suspect this is a problem with however you have extracted the DATA Frame, or 7Zip (don't have that on my machine).
Running the following in GitBash in Windows downloads the gzipped file (which might be over HTTP/1.1 probably depending on the version of curl you have installed, but ignore that for now, because I don't think this is an HTTP/2 problem):
$ curl --raw --compress https://example.com > /tmp/index.html.gz
At this point you can look at the raw hex (using xxd /tmp/index.html.gz for example) and see it's the exact same as what you've posted:
00000000: 1f8b 0800 3b81 0552 0003 8d54 41af d330 ....;..R...TA..0
00000010: 0cbe ef57 9872 0169 5df7 8007 53d7 5620 ...W.r.i]...S.V
00000020: 40e2 021c e0c2 316b dcd5 5a93 9424 ed36 #.....1k..Z..$.6
00000030: a1f7 df71 dbbd aee5 ed40 2bb5 8e1d 7ffe ...q.....#+.....
00000040: 6cc7 499e 4993 fb73 8d50 7a55 658b e4f1 l.I.I..s.PzUe...
00000050: 8742 660b e027 f1e4 2bcc 3e9f 84aa 2b84 .Bf..'..+.>...+.
00000060: 4f46 09d2 4934 6817 c316 855e 405e 0aeb OF..I4h....^#^..
00000070: d0a7 41e3 8b70 1340 944d 8ca5 f775 88bf ..A..p.#.M...u..
00000080: 1b6a d3e0 a3d1 1eb5 0fbb b001 e4c3 2a0d .j............*.
00000090: 3c9e 7cd4 85df 8e50 b790 b450 9806 2de1 <.|....P...P..-.
000000a0: b136 d64f fc8f 247d 994a 6c29 c7b0 5f2c .6.O..$}.Jl).._,
000000b0: 8134 7912 55e8 7251 617a 7785 72fe ccc9 .4y.U.rQazw.r...
000000c0: 740c 2e81 73e7 82c1 b633 f20c 7f7a b15f t...s....3...z._
000000d0: 8afc b0b7 a6d1 32cc 4d65 6c0c cf8b 35bf ......2.Mel...5.
000000e0: afb6 e316 25ec 9e74 0ceb abaa 1652 92de ....%..t.....R..
000000f0: cf74 0533 0d0b a1a8 3ac7 107c af51 c30f .t.3....:..|.Q..
00000100: a15d b084 e00b 562d 7aca 057c c306 5933 .]....V-z..|..Y3
00000110: 2a96 f0c1 7206 4b70 bc35 7468 a9b8 22f6 *...r.Kp.5th..".
00000120: c243 ff95 d44e 48f7 e9c7 f076 bdae 4f4f .C...NH....v..OO
00000130: 79de a302 d178 7383 eefd cce1 56ee c524 y....xs.....V..$
00000140: fece 5889 36b4 4252 e362 b843 b59d 5012 ..X.6.BR.b.C..P.
00000150: 7145 fab0 e47f 4b8e 3cca 09c1 47b8 d79b qE....K.<...G...
00000160: 379b cd04 b1eb 4528 3137 5678 32cc 551b 7.....E(17Vx2.U.
00000170: 8d53 d0f7 0a25 0978 a1c4 29bc 64f9 aecb .S...%.x..).d...
00000180: f2e5 b465 f30e fe4f 260f a334 2fe4 a498 ...e...O&..4/...
00000190: f38a cdfa 7ec3 f64f 69d6 73eb 58ef b164 ....~..Oi.s.X..d
000001a0: 5712 c337 89fa 239a 75f2 2289 8679 5c24 W..7..#.u."..y\$
000001b0: 5d6a 3c9e 4cf2 7290 cbbb 27a3 c9aa c156 ]j<.L.r...'....V
000001c0: 673f 4b72 207b 3db0 84ce 8b5d 45ae e45e g?Kr {=....]E..^
000001d0: 7803 3b84 c6b1 5818 0b54 558d f35d d55b x.;...X..TU..].[
000001e0: 041c 101d cf0f 7be7 8de2 0173 2bf8 651a ......{....s+.e.
000001f0: cef9 dc39 8167 e4e1 e05d d0f5 d5eb 48be ...9.g...]....H.
00000200: 348d 87da 1223 e786 4b41 baef 27f0 5ab8 4....#..KA..'.Z.
00000210: 03a7 de07 add1 2a72 8e0d ab24 aa47 d609 ......*r...$.G..
00000220: df17 168b 34e8 6e8d 388a 8ec7 e38a 8416 ....4.n.8.......
00000230: 2b63 f7d1 10cf 4597 6841 f6d5 58e4 f08c +c....E.hA..X...
00000240: a7fa 18ab 1583 89ac 074c a2be 5249 74a9 .........L..RIt.
00000250: 5b34 5c6f 7f01 0895 aa8b f604 0000 [4\o..........
Then can use gunzip to view the file in the command line:
$ gunzip -c index.html.gz
<!doctype html>
<html>
<head>
<title>Example Domain</title>
...etc.
Or decompress it:
$ gunzip index.html.gz
$ cat index.html
<!doctype html>
<html>
<head>
<title>Example Domain</title>
...etc.
So I would guess either 7zip doesn't like reading this file (but it seems to from a quick search online) or you are corrupting the saving of the data somehow before opening it in 7zip.
I am working on integrating Webservice which has 2 way SSL.
One such service from same client is already integrated and works fine.
I mean Application A is already integrated with WS 1 hosted on Application B, it's working now.
Now I am integrating Application A with WS 2 hosted on Application B
The same keystore and truststore are in used for both services.
WS 1 works fine, WS 2 fails, I have no real clue of how this could happen. Details of SSL debug logs are below.
I verified the Cipher Suite it is same for both Webservices.
SSL Debug Logs for Failed SSL HandShake - WS 2:
Here I add appropriate ssl log, the difference I found between ssl logs for working service and service which is failing is the certificate chain is not sent by client.
[Raw read]: length = 5
0000: 16 03 01 00 0D .....
[Raw read]: length = 13
0000: 0D 00 00 05 02 01 02 00 00 0E 00 00 00 .............
tomcat-http-1, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
[read] MD5 and SHA1 hashes: len = 9
0000: 0D 00 00 05 02 01 02 00 00 .........
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
***** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1**
[write] MD5 and SHA1 hashes: len = 269
0000: 0B 00 00 03 00 00 00 10 00 01 02 01 00 4C 1E 64 .............L.d
0010: 17 BD D1 EC E9 14 82 08 12 17 01 1F 78 A0 6A 40 ............x.j#
0020: 16 24 A4 0D 54 B6 F4 CF B5 BB A0 BF 32 CD F5 BC .$..T.......2...
0030: EF 14 3C 8B 9B 72 7A 6D 27 93 59 6A AD 11 82 07 ..<..rzm'.Yj....
0040: 37 8C 68 01 EF 20 D6 0B 00 F4 0B 72 1F DE 0C 28 7.h.. .....r...(
0050: B9 47 D2 39 AB B6 E8 72 B9 6D A7 3F 0C F0 3F 1F .G.9...r.m.?..?.
0060: 3C CE 3C A2 E3 D6 CB 9D BA 5D 93 AF 26 B4 D2 83 <.<......]..&...
0070: 68 7A D2 6B 9A 10 D6 A3 95 36 D7 C1 0F C6 F4 79 hz.k.....6.....y
0080: F9 8F 3D 4D 8C D0 E0 46 E2 5A 32 46 42 19 60 09 ..=M...F.Z2FB.`.
0090: 62 15 EE F8 5C 24 A8 78 27 CD A6 22 5F 5E 94 35 b...\$.x'.."_^.5
00A0: 6B 95 C6 42 34 4B D0 98 74 DE 92 9C 8E 79 0E 3A k..B4K..t....y.:
00B0: 07 D6 17 63 E0 CE CE 8A C0 26 A5 51 A7 E4 35 8A ...c.....&.Q..5.
00C0: 5B 2F 1C A6 3A 0B 49 65 24 24 DC F8 39 42 80 38 [/..:.Ie$$..9B.8
00D0: 03 0D 49 F4 61 32 90 8B BC B6 46 47 6E C0 8B C5 ..I.a2....FGn...
00E0: 00 2F 3D AB 56 5E 04 6A AD 27 D2 39 A3 22 C5 CB ./=.V^.j.'.9."..
00F0: 9D D5 8C 47 B7 89 D1 C2 C2 CC AE F7 ED 4D 97 2F ...G.........M./
0100: 4E 4B AA 2A C5 96 A9 2C 4B 28 E0 09 44 NK.*...,K(..D
tomcat-http-1, WRITE: TLSv1 Handshake, length = 269
[Raw write]: length = 274
0000: 16 03 01 01 0D 0B 00 00 03 00 00 00 10 00 01 02 ................
0010: 01 00 4C 1E 64 17 BD D1 EC E9 14 82 08 12 17 01 ..L.d...........
0020: 1F 78 A0 6A 40 16 24 A4 0D 54 B6 F4 CF B5 BB A0 .x.j#.$..T......
0030: BF 32 CD F5 BC EF 14 3C 8B 9B 72 7A 6D 27 93 59 .2.....<..rzm'.Y
0040: 6A AD 11 82 07 37 8C 68 01 EF 20 D6 0B 00 F4 0B j....7.h.. .....
0050: 72 1F DE 0C 28 B9 47 D2 39 AB B6 E8 72 B9 6D A7 r...(.G.9...r.m.
0060: 3F 0C F0 3F 1F 3C CE 3C A2 E3 D6 CB 9D BA 5D 93 ?..?.<.<......].
0070: AF 26 B4 D2 83 68 7A D2 6B 9A 10 D6 A3 95 36 D7 .&...hz.k.....6.
0080: C1 0F C6 F4 79 F9 8F 3D 4D 8C D0 E0 46 E2 5A 32 ....y..=M...F.Z2
0090: 46 42 19 60 09 62 15 EE F8 5C 24 A8 78 27 CD A6 FB.`.b...\$.x'..
00A0: 22 5F 5E 94 35 6B 95 C6 42 34 4B D0 98 74 DE 92 "_^.5k..B4K..t..
00B0: 9C 8E 79 0E 3A 07 D6 17 63 E0 CE CE 8A C0 26 A5 ..y.:...c.....&.
00C0: 51 A7 E4 35 8A 5B 2F 1C A6 3A 0B 49 65 24 24 DC Q..5.[/..:.Ie$$.
00D0: F8 39 42 80 38 03 0D 49 F4 61 32 90 8B BC B6 46 .9B.8..I.a2....F
00E0: 47 6E C0 8B C5 00 2F 3D AB 56 5E 04 6A AD 27 D2 Gn..../=.V^.j.'.
00F0: 39 A3 22 C5 CB 9D D5 8C 47 B7 89 D1 C2 C2 CC AE 9.".....G.......
0100: F7 ED 4D 97 2F 4E 4B AA 2A C5 96 A9 2C 4B 28 E0 ..M./NK.*...,K(.
0110: 09 44 .D
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 93 71 B9 48 72 57 3D 0A BB 31 75 96 FD 0D ...q.HrW=..1u...
0010: CA 96 42 DD C9 44 B7 A8 B1 F1 A9 C1 C3 27 9F 5F ..B..D.......'._
0020: 9D 52 23 E3 36 AC EA A5 3A 05 1F F8 8D 5D 14 21 .R#.6...:....].!
CONNECTION KEYGEN:
Client Nonce:
0000: 53 8F 60 0E 0B DC B6 61 EB F5 3D C8 8C 7E 62 6D S.`....a..=...bm
0010: 5C 42 CB 7A 31 BC B0 0B D5 6F 0F B2 3C D7 3D A2 \B.z1....o..<.=.
Server Nonce:
0000: 53 8F 60 0E 6A EF 4B 22 15 D3 FB 2B 47 60 66 59 S.`.j.K"...+G`fY
0010: 95 FF 2F 5A 5E CD 24 FD AB BC 53 DA AE DE EE 6E ../Z^.$...S....n
Master Secret:
0000: 81 91 2E C9 84 28 03 2A 96 B7 50 3F 4E A6 F6 6D .....(.*..P?N..m
0010: BA E6 A3 97 90 BA 36 43 7F CC 09 DC 6C 49 23 2A ......6C....lI#*
0020: 08 F9 9A 28 37 E9 6A 7D A7 3D DF 5C 1D EE B8 C8 ...(7.j..=.\....
Client MAC write Secret:
0000: 02 6B 86 CF 08 1C F8 E1 3F 37 56 C3 E9 56 AF 7E .k......?7V..V..
0010: 8C AA 30 AD ..0.
Server MAC write Secret:
0000: 60 3E 08 7B D0 B4 23 48 79 D9 56 4E 98 17 AD 9D `>....#Hy.VN....
0010: E1 DA 9D 33 ...3
Client write key:
0000: 42 6D F6 86 E0 A5 CD 25 C1 32 EB C0 40 82 70 7C Bm.....%.2..#.p.
Server write key:
0000: 3D 28 B3 C1 E6 23 94 5F 3E F9 66 77 B1 42 EE AF =(...#._>.fw.B..
Client write IV:
0000: D1 AF 77 1A 7B 63 55 99 0D 20 EA 5F C9 35 C8 33 ..w..cU.. ._.5.3
Server write IV:
0000: 69 95 12 2F F0 85 8D 2B 8F 1F 96 73 A6 1A D7 10 i../...+...s....
tomcat-http-1, WRITE: TLSv1 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 01 00 01 01 ......
*** Finished
verify_data: { 69, 40, 167, 235, 209, 255, 39, 90, 171, 21, 67, 200 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 45 28 A7 EB D1 FF 27 5A AB 15 43 C8 ....E(....'Z..C.
Padded plaintext before ENCRYPTION: len = 48
0000: 14 00 00 0C 45 28 A7 EB D1 FF 27 5A AB 15 43 C8 ....E(....'Z..C.
0010: F5 F5 5A E3 50 8B BE B4 0A 9C 72 2E FA D7 A2 CD ..Z.P.....r.....
0020: 9A AB 6B FD 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B ..k.............
tomcat-http-1, WRITE: TLSv1 Handshake, length = 48
tomcat-http-1, waiting for close_notify or alert: state 1
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
tomcat-http-1, READ: TLSv1 Alert, length = 2
tomcat-http-1, RECV TLSv1 ALERT: fatal, handshake_failure
tomcat-http-1, called closeSocket()
tomcat-http-1, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
tomcat-http-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
tomcat-http-1, called close()
tomcat-http-1, called closeInternal(true)
Please help me if you find any clue of what's going wrong here.
I solved this problem by installing Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files + importing ca certificate. Just importing certificate did not work.
I am using the below code to generate public and private keys:
using (var rsaProvider = new RSACryptoServiceProvider(cspParams))
{
try
{
// Export public key
publicKey = rsaProvider.ToXmlString(false);
// Write public key to file
publicKeyFile = File.CreateText(publicKeyFileName);
publicKeyFile.Write(publicKey);
// Export private/public key pair
//privateKey = rsaProvider.ToXmlString(true);
privateKey = rsaProvider.ToXmlString(true);
// Write private/public key pair to file
privateKeyFile = File.CreateText(privateKeyFileName);
privateKeyFile.Write(privateKey);
}
catch (Exception ex)
{
}
finally
{
rsaProvider.PersistKeyInCsp = false; // dont srotre in windows key container
}
}
The public key that is generated contains a key and an expontent:
<RSAKeyValue
<Modulus>rx39KaNggx7IFO/CT2XTi/aHdgEnZq0f6E2lKFVbObZ9ws0wCsRftfomOOy2z8/jFXn7NLOuiC+MvO6AsSb8nSCO0PY08TklmFBzsFxsq7CLWubL8TDV0wq7AtVpovdJkywc+O4wnz8ZTn38nAgNnQ6Ga+hIJspFCYZS01jkx30=
</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
But when I look at the public key of a certificate from Internet Explorer it shows:
RSA (2048 Bits).
30 82 01 0a 02 82 01 01 00 bf 61 0a 29 10 1f 5e
fe 34 37 51 08 f8 1e fb 22 ed 61 be 0b 0d 70 4c
50 63 26 75 15 b9 41 88 97 b6 f0 a0 15 bb 08 60
e0 42 e8 05 29 10 87 36 8a 28 65 a8 ef 31 07 74
6d 36 97 2f 28 46 66 04 c7 2a 79 26 7a 99 d5 8e
c3 6d 4f a0 5e ad bc 3d 91 c2 59 7b 5e 36 6c c0
53 cf 00 08 32 3e 10 64 58 10 13 69 c7 0c ee 9c
42 51 00 f9 05 44 ee 24 ce 7a 1f ed 8c 11 bd 12
a8 f3 15 f4 1c 7a 31 69 01 1b a7 e6 5d c0 9a 6c
7e 09 9e e7 52 44 4a 10 3a 23 e4 9b b6 03 af a8
9c b4 5b 9f d4 4b ad 92 8c ce b5 11 2a aa 37 18
8d b4 c2 b8 d8 5c 06 8c f8 ff 23 bd 35 5e d4 7c
3e 7e 83 0e 91 96 05 98 c3 b2 1f e3 c8 65 eb a9
7b 5d a0 2c cc fc 3c d9 6d ed cc fa 4b 43 8c c9
d4 b8 a5 61 1c b2 40 b6 28 12 df b9 f8 5f fe d3
b2 c9 ef 3d b4 1e 4b 7c 1c 4c 99 36 9e 3d eb ec
a7 68 5e 1d df 67 6e 5e fb 02 03 01 00 01
Is this the same type of key containing an exponent or is it encoded, or simply a different type of encryption?
It's just a different encoding of the same information. One is XML, using base-64 encoding for the modulus and exponent numbers. The other is a hexadecimal encoding of the information using the Distinguished Encoding Rules (DER) common with PKI protocols. It's a "SEQUENCE" containing two "INTEGER" elements: the modulus and the exponent, as defined in the PKCS #1 standard.
30 - SEQUENCE tag
82 01 0a - length is 266 bytes
02 - INTEGER tag (modulus)
82 01 01 - length is 257 bytes
00 bf 61 0a 29 10 1f 5e
fe 34 37 51 08 f8 1e fb 22 ed 61 be 0b 0d 70 4c
50 63 26 75 15 b9 41 88 97 b6 f0 a0 15 bb 08 60
e0 42 e8 05 29 10 87 36 8a 28 65 a8 ef 31 07 74
6d 36 97 2f 28 46 66 04 c7 2a 79 26 7a 99 d5 8e
c3 6d 4f a0 5e ad bc 3d 91 c2 59 7b 5e 36 6c c0
53 cf 00 08 32 3e 10 64 58 10 13 69 c7 0c ee 9c
42 51 00 f9 05 44 ee 24 ce 7a 1f ed 8c 11 bd 12
a8 f3 15 f4 1c 7a 31 69 01 1b a7 e6 5d c0 9a 6c
7e 09 9e e7 52 44 4a 10 3a 23 e4 9b b6 03 af a8
9c b4 5b 9f d4 4b ad 92 8c ce b5 11 2a aa 37 18
8d b4 c2 b8 d8 5c 06 8c f8 ff 23 bd 35 5e d4 7c
3e 7e 83 0e 91 96 05 98 c3 b2 1f e3 c8 65 eb a9
7b 5d a0 2c cc fc 3c d9 6d ed cc fa 4b 43 8c c9
d4 b8 a5 61 1c b2 40 b6 28 12 df b9 f8 5f fe d3
b2 c9 ef 3d b4 1e 4b 7c 1c 4c 99 36 9e 3d eb ec
a7 68 5e 1d df 67 6e 5e fb
02 - INTEGER tag (public exponent)
03 - length is 3 bytes
01 00 01 (65,537 [F4])
I am trying to create a CNG (Windows Cryptography API Next Generation) key handle by calling NCryptOpenKey() and using the certificate's thumbprint as the key name parameter:
LPCWSTR keyName = L"\0xe0\0xf5\0xdf\0x72\0x7f\0x81\0x92\0xfa\0xae\0x8a\0x4b\0xf1\0xd5\0x53\0xc1\0xbe\0x40\0x18\0x90\0xdc";
NCryptOpenKey( hProvider, &hKey, keyName, 0, 0 );
Using this keyName the key cannot be found, but I can see the certificate with that thumbprint when I look it up in certmgr.msc ("e0 f5 df 72 7f 81 92 fa ae 8a 4b f1 d5 53 c1 be 40 18 90 dc"). What could possibly be the problem here?
Edit: What I essentially want to do (as I found out by the help of the people on stack overflow ;)) is to create a NCRYPT_KEY_HANDLE from a certificate stored in the Windows certificate store.
The thumbprint and the key name usually has no relationship.
To get the name of the key that is associated with a certificate use CertGetCertificateContextProperty with CERT_KEY_PROV_INFO_PROP_ID.
Certificates don't contain the private keys. CERT_CONTEXT can have a CERT_KEY_PROV_INFO_PROP_ID property which say where to find a related private key. It is used by system function CryptAcquireCertificatePrivateKey and other high-level cryptography functions. This property is the only information about private key location in CNG.
Also, you can open every stored key in loop and compare private key BLOB with certificate's one.
If you want to try my example, here is a code:
DATA_BLOB key;
FILE *fil = _wfopen(L"D:\\222.p8", L"rb");
if(fil)
{
fseek(fil, 0 ,2);
key.cbData = ftell(fil);
fseek(fil, 0, 0);
key.pbData = new BYTE[key.cbData];
fread(key.pbData, 1, key.cbData, fil);
fclose(fil);
} else {
MessageBox(L"Cannot open file", L"Error", MB_ICONERROR);
return;
}
BCryptBuffer nameBuf;
nameBuf.BufferType = NCRYPTBUFFER_PKCS_KEY_NAME;
nameBuf.pvBuffer = L"killme";
nameBuf.cbBuffer = 14;
NCryptBufferDesc parList;
parList.ulVersion = NCRYPTBUFFER_VERSION;
parList.cBuffers = 1;
parList.pBuffers = &nameBuf;
// No error handlers!!!
NCRYPT_PROV_HANDLE hProv;
NCRYPT_KEY_HANDLE hKey;
NCryptOpenStorageProvider( &hProv, L"Microsoft Software Key Storage Provider", 0 );
NCryptImportKey( hProv, NULL, NCRYPT_PKCS8_PRIVATE_KEY_BLOB, &parList, &hKey, key.pbData, key.cbData, 0 );
NCryptFreeObject( hKey );
NCryptFreeObject( hProv );
return;
And this is my file (in HEX):
30 82 02 78 02 01 00 30 0D 06 09 2A 86 48 86 F7
0D 01 01 01 05 00 04 82 02 62 30 82 02 5E 02 01
00 02 81 81 00 BB 13 C9 C6 4A 18 1F 11 1D D3 CB
E4 6A E2 F4 46 8C 1D 67 7F F2 6E 16 67 C6 81 B9
D9 93 56 45 0B D5 EA 0F EB 7F F3 1D 83 07 19 3B
A7 1C 84 82 23 88 44 65 13 79 78 EA E0 B7 AD A8
4D B6 3C 9B D4 74 48 51 0D E8 60 59 19 D8 28 2B
49 FE BC 8D BF 62 0D 44 70 70 76 2D 83 5B 2E DE
9E 97 40 D3 BE 23 36 BB 02 3B F0 17 F2 EA 9A 97
28 41 39 7F A1 98 6E CB A3 9F 5B B3 81 D8 66 73
D5 19 63 35 E9 02 03 01 00 01 02 81 80 02 BA 5C
CF 35 C0 B8 F5 EB 45 18 61 B7 51 4C 95 EE C5 CA
FE E9 A3 C3 53 36 13 7E DD F6 5B B9 5C 07 D2 DC
47 E7 30 BE 0B 18 17 BD 1A 9D BC 2C ED A4 62 0D
9B 45 6D 31 A2 49 EB 65 5B 3A 14 BE 2C F4 DC C8
9B 94 2C 5A EF 1E 43 00 3E 88 00 D3 F1 0F 6A E3
14 C1 4D C8 7E 77 BD C8 41 92 8B 7D 2A B5 36 1A
61 81 9C 38 F1 34 C4 C3 73 57 67 25 4C 93 59 9B
C7 1B 10 39 F2 B2 2F 85 ED 69 B4 43 01 02 41 00
EC D9 DD B0 C8 F3 BC 39 77 9F 15 20 D5 80 C7 E3
F5 36 DB F0 BF AC 27 9E 82 A1 CB 64 F0 26 5A 31
97 C5 75 B0 CB 42 E3 0D AC F1 69 AF 02 1C 0F F5
38 7A 75 5C 87 41 16 D7 57 E5 A5 78 BB A4 6E 89
02 41 00 CA 33 BF CA 34 F6 17 F8 F8 1F 0C FF EE
62 18 09 22 BD 45 DC 2E E7 5D 6C 0F 66 0E 21 3D
74 61 35 79 19 56 91 1B 90 93 12 AD BA FA 31 23
4D D2 AE F8 0F 00 46 DE 6B F4 31 62 E3 88 5F 80
35 B4 61 02 41 00 C7 78 AC C6 28 57 6D 5C 10 AC
7F C4 C9 4A CE 0D E4 04 B1 B2 CE 1A 14 BB E0 54
96 D1 89 97 23 3A C5 11 5D 8E E9 80 89 6C 89 0C
3F EF 4E 1D 88 2B 03 C7 CE 73 80 CD 86 89 11 D3
AC 4A 43 ED B5 D1 02 41 00 A7 E7 E3 0A 31 82 6D
93 B3 CE 6D 08 15 56 E5 A8 A8 6D 4D 96 B2 68 33
9E A9 06 D1 12 EF 2A 36 12 A6 55 D1 19 BC 2F 08
C2 08 FB EC 08 63 CD 9A F6 EA 4B E2 A9 F6 C6 E4
47 22 5B D9 01 9C C0 7B E1 02 41 00 E1 94 F0 BB
B8 7E E6 CF 38 E0 8D 6B F7 BB E2 47 A2 B6 E4 EB
A5 C7 15 62 76 C4 BA B8 DC 81 06 24 EB B1 46 9B
EE 5D AC A5 A6 EB 93 2E B4 E7 F8 A3 CD FB 40 C1
C9 F9 27 DF 31 8B BB EE 29 4F 63 6D
My Connection to my test application keeps terminating in the same place without any errors.
I think perhaps something is triggering the channel/connection to close, but I don't know what it could be. Where exactly it closes changes slightly if I change printouts in the code, so the timing appears to be on a different thread.
I've been working on this for four days now and list myself as officially stuck.
Here is my connection code:
final HttpQueryRequestImpl realRequest = (HttpQueryRequestImpl) getPredecessorQueryResolver().resolvePredecessorResults(getPredecessorResults(), getQueryRequest(), getId());
// Configure the client.
// TODO determine if this ClientBootstrap object can be reused. Indications in the doucmentation
// seem to say yes, with caveats. Reusing the pool would improve performance. Caveats must be investigated.
final ClientBootstrap bootstrap = new ClientBootstrap(
new NioClientSocketChannelFactory(
Executors.newCachedThreadPool(),
Executors.newCachedThreadPool()));
// Set up the event pipeline factory.
bootstrap.setPipelineFactory(new HttpSnoopClientPipelineFactory());
// TODO audit and timestamp logging
if (logger.isInfoEnabled()) {
logger.info("Starting connection to !" + realRequest.getUri());
}
// Start the connection attempt.
// ChannelFuture future = bootstrap.connect(new InetSocketAddress(realRequest.getHost(), realRequest.getPort()));
logger.info(realRequest.getHost() + " " + realRequest.getPort());
ChannelFuture future = bootstrap.connect(new InetSocketAddress("myname.organization.com", 8443));
// register some things to happen after the channel completes
future.addListener(new ChannelFutureListener() {
#Override
public void operationComplete(ChannelFuture future) throws Exception {
if (!future.isSuccess()) {
logger.error("Error connecting to " + realRequest.getHost() + ":" + realRequest.getPort() + " " + realRequest.getUri());
bootstrap.releaseExternalResources();
} else {
if (logger.isInfoEnabled()) {
logger.info("Connected to " + realRequest.getHost() + ":" + realRequest.getPort() + " " + realRequest.getUri());
}
// Send the HTTP request.
Channel channel = future.getChannel();
HttpRequest request = new DefaultHttpRequest(
HttpVersion.HTTP_1_1, HttpMethod.GET, "/factorial");
request.setHeader(HttpHeaders.Names.HOST, "myname.organization.com");
request.setHeader(HttpHeaders.Names.CONNECTION, HttpHeaders.Values.CLOSE);
request.setHeader(HttpHeaders.Names.ACCEPT_ENCODING, HttpHeaders.Values.GZIP);
ChannelFuture writeFuture = channel.write(request);
writeFuture.addListener(new ChannelFutureListener() {
#Override
public void operationComplete(ChannelFuture future) throws Exception {
logger.info("Wrote data complete");
// TODO once bootstrap is reused, get rid of this
// Shut down executor threads to exit.
// bootstrap.releaseExternalResources();
}
});
}
}
});
This is what my output looks like with SSL debugging enabled:
32 [main] INFO nettyliteserver.remotequeries.HttpsQuery - Starting connection to !https://myname.organization.com:8443/factorial
32 [main] INFO nettyliteserver.remotequeries.HttpsQuery - myname.organization.com 8443
***
found key for : myname.organization.com
chain [0] = [
[
Version: V1
Subject: CN=myname.organization.com, OU=myname.organization.com, O=myname.organization.com, L=myname.organization.com, ST=myname.organization.com, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 94642469145065852073118930371145672868332389407646565010478303790446281089121119363888463093443199472593726155607365724815252704927244864250811984977900576391208121343883948799873869280369621492901495505803717080952775289840654752626694613842653754724186814688913115288788127483906065658243886585022651573993
public exponent: 65537
Validity: [From: Fri Mar 09 13:29:22 EST 2012,
To: Sat Mar 09 13:29:22 EST 2013]
Issuer: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
SerialNumber: [ 71c8]
]
Algorithm: [SHA1withRSA]
Signature:
0000: C5 55 9C 1D 76 CE 05 87 45 0D C3 15 9C DB 0B 3A .U..v...E......:
0010: 70 0E 50 0C DB DB B4 62 2F BA A3 30 48 C0 D2 E9 p.P....b/..0H...
0020: 45 9C 3C C0 4A 84 7B 21 51 78 93 F1 63 4C 61 37 E.<.J..!Qx..cLa7
0030: 21 97 E8 38 F9 62 C5 EA 02 53 28 4F F8 EC 01 F2 !..8.b...S(O....
0040: 08 70 DB 96 D5 1D 9E 0A 89 33 D3 1D C8 79 8B C1 .p.......3...y..
0050: 6E 07 C4 98 FA 55 85 80 D4 10 AF A7 E5 A7 94 FA n....U..........
0060: 45 CB DA 7C FA 66 C6 FC 69 A4 B2 05 01 C6 DC 8E E....f..i.......
0070: AC 15 7D A2 FC 25 DF FE 19 80 D4 27 07 EA D6 3F .....%.....'...?
0080: 5C 73 5F 63 0B 4E 02 FC 49 EA 76 69 FA 82 5B 1B \s_c.N..I.vi..[.
0090: 3B 45 6B 95 DC 8F C2 E8 A9 6C 10 CD 9B E0 59 D7 ;Ek......l....Y.
00A0: DC E6 69 2C F9 DB 99 F7 7F E3 76 81 13 CD B3 FE ..i,......v.....
00B0: 1D AD 32 7D 6F 74 A9 12 4B 06 E2 9F E9 1F EF 8A ..2.ot..K.......
00C0: 1F CA 1D B8 08 47 00 1D 19 53 87 0A E3 FA B4 B5 .....G...S......
00D0: 99 4F B9 97 5D D0 EE 0D DD 09 5F 3C 41 31 D6 18 .O..]....._<A1..
00E0: 5C 39 01 8E DA D9 27 85 FE 0F C5 EE 00 A3 27 44 \9....'.......'D
00F0: C0 A1 42 EA 13 5B 66 3B 64 E3 EA 9B 23 20 0B C6 ..B..[f;d...# ..
0100: 66 DB AB 79 77 97 3E 4A D0 C7 79 C4 D2 E7 BD 1A f..yw.>J..y.....
0110: F3 90 39 A2 A4 69 A9 A1 4E A3 0B 92 93 9F 8F 4F ..9..i..N......O
0120: C3 4F CE E7 20 D6 45 4D 9B E0 B2 58 EC 96 19 99 .O.. .EM...X....
0130: E0 F3 BB E4 EF 7E 1D C7 C3 48 8B D0 7D 2D 8C 3A .........H...-.:
0140: 1A AF 77 3A 83 F4 51 C9 D6 DE BE 24 3B 03 7C A9 ..w:..Q....$;...
0150: 4B 5C C4 6E 59 AB E2 02 63 73 CE 98 8A D0 45 D5 K\.nY...cs....E.
0160: 6C FE 23 79 93 69 D5 74 0D AF FE 23 AE BB 3F E4 l.#y.i.t...#..?.
0170: 9C 05 87 E1 2E 91 51 D6 44 55 7E 66 73 1D BB C2 ......Q.DU.fs...
0180: F3 E8 4D CA 50 D9 6D 2A AD 84 EF C7 70 4B 15 EA ..M.P.m*....pK..
0190: C4 E0 33 3E 44 89 A3 97 8C 32 17 FD B9 DD 22 FB ..3>D....2....".
01A0: 08 CF 1E 49 78 B7 2F 8E 60 66 58 3D 57 6F 21 72 ...Ix./.`fX=Wo!r
01B0: D3 87 38 9C DD EB 60 D8 BD 06 A8 04 FD 2D 59 EA ..8...`......-Y.
01C0: 82 A8 E8 E7 73 81 1E DE FD 51 33 0C F7 47 AE 34 ....s....Q3..G.4
01D0: 58 57 DD CE FD 12 68 A6 A8 2E 58 4F C7 6A 1E 27 XW....h...XO.j.'
01E0: 39 EF C7 BE 75 32 96 99 6B 1B E6 23 2A A5 0E 2F 9...u2..k..#*../
01F0: 35 0A 0C 0C FA 92 65 1D DC 17 56 57 C4 08 89 48 5.....e...VW...H
]
chain [1] = [
[
Version: V1
Subject: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 4096 bits
modulus: 806866056348410276765741718640530245144236832502515305762072630647553277327953919063172921502880537921571234334570551528531888439605163701867371172813984927986527584575335107418628498623377289440387978453125866503947773575289298639780740830349842738718874502642354354786938153803982142709595698253667527748252780647208422256786989310056682111281793756866001585577762899819782647308899956239433307951381179494148030342543127196354965114705680137760255253494869690234155019595101679874833401305309080790668924554791611347641826073186513714032079267845800910995372117962695304732667441462587341743926848435668491205343373472147947564642450777593350053051331533112897445884090255314793988795654376385927964164743689070718825504556057816253883950563232708345137230621100544965407234099088514072120925433729718654307794068734283314839693884400349895261851764957828001331060077733384251643023885026867016629337741393451760864161087662305445338147618921663305526880031574988450298248773113067904762125722376437187045162922144483754266350990810318433387352520742359961188082219224300651116723774686748606066644650420169490565673256120050113505389581136874611045622641221693918773655462724374483166653830081719164259720121105179323613660081321
public exponent: 65537
Validity: [From: Fri Mar 09 13:29:15 EST 2012,
To: Sat Mar 09 13:29:15 EST 2013]
Issuer: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
SerialNumber: [ c1e2c18c f327ad81]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 8A EB 65 0E 88 09 BE 9A BA 88 FB CA 9A D4 53 F4 ..e...........S.
0010: B0 5C 91 67 BD C9 35 67 2D 37 78 2D 5C E6 4B 26 .\.g..5g-7x-\.K&
0020: E9 8E 20 3D DE 92 9B 29 A7 CB CC 5F 4E E3 CD 1A .. =...)..._N...
0030: FA 5B EB 0D 42 DC 17 05 4E D6 34 72 43 46 6C 55 .[..B...N.4rCFlU
0040: 99 FF AC 00 2E BF 28 5D 4A 6A 21 DE 72 9E 6C 7A ......(]Jj!.r.lz
0050: A6 10 28 27 21 72 0F 69 09 04 D3 FB A7 83 DF 81 ..('!r.i........
0060: E2 78 BD 0B 4F D7 AA B4 CC E2 E4 3B A5 30 A3 14 .x..O......;.0..
0070: B4 83 75 DC E6 8C 01 9A B2 BA FF 0D 3F AA F1 30 ..u.........?..0
0080: A0 33 A9 CC 13 08 72 8F E2 75 1D 3B 30 B8 82 3C .3....r..u.;0..<
0090: 9A A0 A3 68 18 60 C0 1F E4 2E 06 D6 1B B8 46 6F ...h.`........Fo
00A0: AB D3 C9 AD 89 E6 E7 48 12 0F 90 A5 B8 A2 17 51 .......H.......Q
00B0: 41 AF 1E 62 6C D2 48 B2 41 C6 CE 1D 4E B1 F7 90 A..bl.H.A...N...
00C0: 34 26 E0 5D 95 7B BD 93 BA 4C D1 7A 08 A9 1E 57 4&.].....L.z...W
00D0: 03 EE F2 EC BD 8E 36 43 1D 4F 9E 39 56 A8 E4 B6 ......6C.O.9V...
00E0: 44 6C D5 D3 8C F0 FE 1F 87 87 67 2D E6 05 7E BA Dl........g-....
00F0: 18 FB 6C 0B D8 80 19 08 27 8F 60 09 A6 BA 68 55 ..l.....'.`...hU
0100: 05 13 A8 9C 04 06 F8 24 A1 52 DB 67 69 2E FE 12 .......$.R.gi...
0110: A5 23 D1 2E 56 EA 54 08 83 DD 91 43 45 8B F6 97 .#..V.T....CE...
0120: 01 65 CC 32 4C FA D6 89 81 83 B4 21 92 F4 EC 29 .e.2L......!...)
0130: 68 87 51 A0 FC B7 7D BD 90 F8 A1 F8 68 82 CF 03 h.Q.........h...
0140: 4E 9C C2 FA AF 4A D3 AD 0B AB AB 73 4B B4 95 B0 N....J.....sK...
0150: EC 64 6B 8E 2B D4 E1 41 96 19 EC E9 6B 92 51 8A .dk.+..A....k.Q.
0160: D8 C1 87 FC DB B4 12 BD 14 AB 5C 07 73 AA DE CE ..........\.s...
0170: E5 05 8F E9 CC 9F C4 2A B6 0F 5D 40 8E 7A 82 7E .......*..]#.z..
0180: CD 28 88 8F 01 3E 6C EF E7 01 58 2E C9 3F 0E 44 .(...>l...X..?.D
0190: 4D 1A 2B BB 0D 51 76 38 26 D4 89 5C 9B AB 63 FA M.+..Qv8&..\..c.
01A0: 4B 63 7C DC 0E 05 01 BB E4 97 73 03 4F 83 71 1E Kc........s.O.q.
01B0: B6 CB A6 62 F9 21 1B F2 24 D3 85 1D E6 31 87 E4 ...b.!..$....1..
01C0: D6 74 09 70 C3 D0 4C 35 7E F1 49 5A 60 B7 02 72 .t.p..L5..IZ`..r
01D0: 04 C9 83 AD 5E 63 1F 7B 97 4C 35 7F 15 88 D5 5D ....^c...L5....]
01E0: DA 3B F6 80 9B 07 E5 86 4B 67 F6 B2 66 DE 81 6C .;......Kg..f..l
01F0: FF B6 99 D1 06 EF 3A 27 68 8D F2 EE 72 C4 48 64 ......:'h...r.Hd
]
***
adding as trusted cert:
Subject: CN=myname.organization.com, OU=myname.organization.com, O=myname.organization.com, L=myname.organization.com, ST=myname.organization.com, C=US
Issuer: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
Algorithm: RSA; Serial number: 0x71c8
Valid from Fri Mar 09 13:29:22 EST 2012 until Sat Mar 09 13:29:22 EST 2013
adding as trusted cert:
Subject: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
Issuer: C=US, CN=myname.organization.com, ST=myname.organization.com, L=myname.organization.com, EMAILADDRESS=myname.organization.com, OU=myname.organization.com, O=myname.organization.com
Algorithm: RSA; Serial number: 0xc1e2c18cf327ad81
Valid from Fri Mar 09 13:29:15 EST 2012 until Sat Mar 09 13:29:15 EST 2013
trigger seeding of SecureRandom
done seeding SecureRandom
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
985 [main] INFO nettyliteserver.ssl.FlexibleErrorSslHandler - handleDownstream
That's where it terminates. I've changed the printouts around a bit so that sometimes I also get one more line, the printout from logger.info("Connected to " + realRequest.getHost() + ":" + realRequest.getPort() + " " + realRequest.getUri()); but I really don't know what is causing it to shut down.
I tried overriding the netty SSLHandler and on all it's public operations added a printout, but the close(), channelConnected(), channelDisconnected(), etc methods are never being called. Neither is handshake().
My pipeline is set up to do a handshake:
public class HttpSnoopClientPipelineFactory implements ChannelPipelineFactory {
public ChannelPipeline getPipeline() throws Exception {
// Create a default pipeline implementation.
ChannelPipeline pipeline = pipeline();
// Enable HTTPS
SSLEngine engine =
SecureChatSslContextFactory.getClientContext().createSSLEngine();
engine.setUseClientMode(true);
System.out.println("HERE!!!!!!!!!!!!");
pipeline.addLast("ssl", new SslHandler(engine));
pipeline.addLast("codec", new HttpClientCodec());
// Remove the following line if you don't want automatic content decompression.
pipeline.addLast("inflater", new HttpContentDecompressor());
// Uncomment the following line if you don't want to handle HttpChunks.
//pipeline.addLast("aggregator", new HttpChunkAggregator(1048576));
pipeline.addLast("handler", new HttpSnoopClientHandler());
return pipeline;
}
}
My custom SSLHandler is really the same as the library's SslHandler, I just overrode the methods to add printouts before delegating to the super version.
It looks like the only thing being called on it is handleDownstream()
You need to call SslHandler.handshake() by yourself after the connect success.
Something like:
future.getChannel().getPipeline(SslHandler.class).handshake();
This needs to get done in your ChannelFuture that gets returned by the connect method or a SimpleChannelUpstreamHandler implementation that you add to the ChannelPipeline
Netty documentation states:
Handshake
If isIssueHandshake() is false (default) you will need to take care of
calling handshake() by your own. In most situations were SslHandler is
used in 'client mode' you want to issue a handshake once the
connection was established. if setIssueHandshake(boolean) is set to
true you don't need to worry about this as the SslHandler will take
care of it.
see javadoc
So, you should set isIssueHandshake on SslHandler before estamblishing the connection:
SslHandler sslHandler = new SslHandler(engine);
setIssueHandshake(boolean);
pipeline.addLast("ssl", sslHandler);