My application invokes a web service request. The provider of this web service is requesting for a certificate based authentication.
Unfortunately while making the handshake, the certificate is not being returned as part of the CertificateRequest step. Below is the log trace
Cert Authorities:
<Empty>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client
authentication
I have placed the keystore and the truststore using the below properties which is being picked up during the handshake (logged in the logs)
-Djavax.net.ssl.keyStore=$CMX_SSL_KEY_STORE
-Djavax.net.ssl.keyStorePassword=123456
-Djavax.net.debug=ssl
-Djavax.net.ssl.keyStoreType=pkcs12
JAVA_OPTS= JAVA_OPTS="-D$PS_TOKEN$ENV_TOKEN $LOCAL_MEM_OPTS $GC_OPTS
$CMAX_OPTS $JMX_OPTS $CMX_SSL_TRUST_STORE_OPT $MQ_OPTS
$ADDITIONAL_JVM_OPTS $LOCAL_JVM_OPTS $CMX_SSL_KEY_STORE_OPT"
I don't have a private key as part of the keystore, as the vendor who provided the certificate refused to provide the private key. As part of the keystore, I have the whole chain of the certificate, but still its not working
Error seen in the logs is as below
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
Need some guidance to resolve this issue
I looked at
why doesn't java send the client certificate during SSL handshake?
which is on the same problem, but the solution provided by Bruno is failing. Not able to attach the certificate to the private key using the same alias
I don't have a private key as part of the keystore
Then you don't have a keystore: you have a truststore.
as the vendor who provided the certificate refused to provide the private key.
Of course he did. None of your beeswax.
You're supposed to provide your own private key and certificate in your own keystore.
You have a serious misunderstanding here.
Related
I'm working on a gRPC service, and we're using a CA certificate we generated ourselves for our server. Unfortunately, I can't seem to figure out how to tell grpc_cli about that certificate, and so I get "Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed."
I see an option for specifying the client cert and key, but not for the CA cert. What am I missing?
Following up from previously asked question.
We were provided with an x.509 v3 .pkcs12 certificate from Bloomberg.
For testing the webservice on Coldfusion, the certificate had to be encoded to DER for installing in the keystore.
I managed to install the certificate successfully using the link.
But getting the following error when calling the webservice.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Testing the same(.der) certificate on SoapUI threw the below error.
ERROR:java.security.KeyStoreException: failed to extract any certificates or private keys - maybe bad password?
Note: The provided .p12 and the converted .pem certificates work as expected on SoapUI.
Any pointers?
I am getting the same error but i used open SSL to create a private key and .csr file. I am blocked can any one help on this?
I got a secure cluster NIFI with 3 nodes, configured with truststore.jks and keystore.jks
In my invokeHTTP, i've set "StandardSSLContextService" with keystore and trustore for https.
invokeHTTP works when i'm trying https://nifi:9443/nifi-api/controller/config
but not works when i'm trying "https://auth_server/oauth/access_token"
So when I'm trying use invokeHTTP to get token but it failed with this error :
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
thanks for helps
The StandardSSLContextService can be configured with a truststore, which is a Java KeyStore object which contains a collection of TrustedCertEntry objects -- each of which holds the public key and certificate information of a trusted entity. When Apache NiFi attempts to contact some other endpoint or service over HTTPS, it evaluates the received certificate identifying the service and attempts to validate that certificate. If the endpoint certificate is not directly contained in the truststore, it checks to see which certificate signed the leaf cert, and validate that one. This process continues up the certificate chain until either a cert is found that is trusted, or none are.
The error message you are receiving is stating that none of the certificates in the chain could be verified. As daggett pointed out, you could manually import the certificate of the service you want to validate into a custom truststore. If this is a service available on the public internet and signed by a generally trusted certificate authority (CA), you can also point your StandardSSLContextService to the default list provided by Java. The cacerts truststore is included automatically, and has a similar trusted entry list to modern browsers. It is found in $JAVA_HOME/jre/lib/security/cacerts. You can determine the value of $JAVA_HOME for your OS and Java version.
Truststore filename: /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/cacerts (example)
Truststore password: changeit (default value)
Truststore type: JKS
I have a Java client which is using the Apache HttpClient 4.1 library to make an HTTPs request to a server which doesn't require authentication. If I call that server with my browser or curl, the request is accepted. However from my Java client, I see the following (when debug is turned on)...
main, WRITE: TLSv1 Handshake, length = 81
main, WRITE: SSLv2 client hello message, length = 110
main, handling exception: java.net.SocketException: Connection reset
So it seems my client did the handshake in TLSv1 but then sent an SSLv2 ClientHello which the server didn't seem to like. According to this post it seems the server should not reject an SSLv2 ClientHello. Could it be something specific about this server that is making it reject this ClientHello?
I also noticed the below log output at the beginning of establishing the connection....
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Secure Global CA, O=SecureTrust Corporation, C=US
And then it goes on to add various entities as "trusted cert"s.
And the final exception I noticed was...
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
So could it be a problem with the certificate (or lack of) on my (client) side? But according to this post I thought the client was not required to provide a certificate.
Bottom line is I am not clear if the root of the problem is the SSLv2 Client Hello or the certs or both?
I had a similar problem like you. This is how I solved it. It may not cater to your exact problem, but give it a try.
SSLContextBuilder builder = new SSLContextBuilder();
builder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(builder.build());
CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).build();