Java Tls No Suitable Certificate Found Continuing Without Client Authentication


Unable to create ws client

2020-11-26

2020-12-01

  • Paskal Šimec

    Hi,

    I'm trying to make a web service call from my Java application to EJBCA but I'm constantly getting a bad_certificate exception. EJBCA is configured fine and the Java code is based on the documentation.
    I'm able to connect to the web admin console through the browser with my superadmin certificate, as well as make a command call through ejbcawsracli.

    The s_client command is working fine:

    openssl s_client -connect 10.135.11.39:8443 -cert superadmin.cer -key superadmin.pem

        SSL handshake has read 2421 bytes and written 2483 bytes
        ---
        New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
        Server public key is 2048 bit
        Secure Renegotiation IS supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        SSL-Session:
            Protocol  : TLSv1.2
            Cipher    : ECDHE-RSA-AES256-SHA384
            Session-ID: 5FBF5A351E20BD31B4519DEF29769B15FE843C30A42BBD852F7F6FFB3E4C9383
            Session-ID-ctx:
            Master-Key: B53DE0EB1EA8979D17AA9FF34294A82786007A59725A40CC7A3E6ABEA37D0B518CBDE5CCBB901DD70CEBEBACCEC57AF8
            Key-Arg   : None
            Krb5 Principal: None
            PSK identity: None
            PSK identity hint: None
            Start Time: 1606375989
            Timeout   : 300 (sec)
            Verify return code: 0 (ok)
        ---
        read:errno=0

    Below is the SSL debug log from my Java application:

        upcoming handshake states: server finished[20]
        *** ServerHelloDone
        Warning: no suitable certificate found - continuing without client authentication
        *** Certificate chain
        <Empty>
        ***
        update handshake state: certificate[11]
        upcoming handshake states: client_key_exchange[16]
        upcoming handshake states: certificate_verify[15](optional)
        upcoming handshake states: client change_cipher_spec[-1]
        upcoming handshake states: client finished[20]
        upcoming handshake states: server change_cipher_spec[-1]
        upcoming handshake states: server finished[20]
        *** ECDHClientKeyExchange
        ECDH Public value:  { 4, 128, 73, 7, 228, 215, 76, 81, 91, 19, 150, 120, 7, 141, 127, 40, 237, 233, 222, 75, 89, 20, 96, 246, 170, 211, 44, 4, 53, 101, 39, 69, 192, 240, 112, 32, 253, 7, 46, 52, 91, 46, 27, 179, 80, 156, 193, 139, 96, 0, 233, 245, 27, 92, 124, 52, 50, 145, 64, 40, 167, 212, 90, 187, 38 }
        update handshake state: client_key_exchange[16]
        upcoming handshake states: certificate_verify[15](optional)
        upcoming handshake states: client change_cipher_spec[-1]
        upcoming handshake states: client finished[20]
        upcoming handshake states: server change_cipher_spec[-1]
        upcoming handshake states: server finished[20]
        main, WRITE: TLSv1.2 Handshake, length = 77
        update handshake state: change_cipher_spec
        upcoming handshake states: client finished[20]
        upcoming handshake states: server change_cipher_spec[-1]
        upcoming handshake states: server finished[20]
        main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
        *** Finished
        verify_data:  { 50, 70, 102, 24, 243, 88, 251, 45, 31, 113, 50, 118 }
        ***
        update handshake state: finished[20]
        upcoming handshake states: server change_cipher_spec[-1]
        upcoming handshake states: server finished[20]
        main, WRITE: TLSv1.2 Handshake, length = 96
        main, READ: TLSv1.2 Alert, length = 2
        main, RECV TLSv1.2 ALERT:  fatal, bad_certificate
        %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
        main, called closeSocket()
        main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

    Could you, please, provide some help?

  • Tomas Gustavsson

    Your issue is noted in the log above:
    "Warning: no suitable certificate found - continuing without client authentication"

    The recommended way is to use clientToolBox to test first so that you know everything is working as it should, then you can start with your own code.

    Are you using the superadmin certificate for the Java code as well? Then it's a matter of your Java code not doing client certificate authentication.
    If you are using a certificate issued by another CA than superadmin's, you need to add this CA to the truststore.jks in JBoss/WildFly (there is a helper command for this: 'ant javatruststore').

    Cheers,
    Tomas
    Save time and money with an Enterprise support subscription. Please see www.primekey.com for more information.
    https://www.primekey.com/products/software/

  • Paskal Šimec

    Hi Tomas,

    I moved to the docker EJBCA (https://hub.docker.com/r/primekey/ejbca-ce) due to a poorly configured server.
    The new WSDL is deployed at https://xxx:18443/ejbca/ejbcaws/ejbcaws?wsdl and everything is working fine (tested using SoapUI - auth with p12).
    Unfortunately I still can't successfully invoke service methods. When I create a client and call the getTemplates method, I get an error:
    org.ejbca.core.protocol.ws.client.gen.AuthorizationDeniedException_Exception: Error no client certificate received used for authentication.

    Below is the code snippet:

        // Trust store: CA chain used to validate the EJBCA server certificate.
        System.setProperty("javax.net.ssl.trustStore", CAProxyProperties.getInstance().getEjbcaWSTrustStore());
        System.setProperty("javax.net.ssl.trustStorePassword", CAProxyProperties.getInstance().getEjbcaWSTrustStorePassword());
        // Key store: client key and certificate presented for TLS client authentication.
        // Note: for a .p12 file on a JDK whose default keystore type is JKS, javax.net.ssl.keyStoreType
        // (and javax.net.ssl.trustStoreType) must also be set to "PKCS12", or the store is not loaded.
        System.setProperty("javax.net.ssl.keyStore", CAProxyProperties.getInstance().getEjbcaWSKeyStore());
        System.setProperty("javax.net.ssl.keyStorePassword", CAProxyProperties.getInstance().getEjbcaWSKeyStorePassword());

        // JAX-WS client generated from the EJBCA WSDL; the port reuses the JVM-wide SSL settings above.
        QName qname = new QName(EJBCAWS_NAMESPACE_URI, EJBCAWS_SERVICE_NAME);
        client = new EjbcaWSService(new URL(CAProxyProperties.getInstance().getEjbcaWSUrl()), qname);
        port = client.getEjbcaWSPort();

    truststore & keystore = superadmin.p12

    Thanks,
    Paskal
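The following is an added diagnostic example, not code from the thread or from EJBCA. It builds the TLS client configuration explicitly instead of through system properties, lists which key-store entries can actually authenticate a client, and asks the same X509KeyManager that JSSE uses which alias it would present for a given issuer list: a null answer is exactly the case the debug log above reports as "no suitable certificate found - continuing without client authentication". File names follow the thread; the host, port 8443, the password and the class and method names are constructed assumptions.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

public final class EjbcaWsTlsCheck {

    // Constructed placeholders: file names follow the thread, host and password do not.
    static final String KEYSTORE_PATH = "superadmin.p12";           // client key + certificate
    static final String TRUSTSTORE_PATH = "ManagementCA-chain.jks"; // CA chain of the server certificate
    static final char[] PASSWORD = "changeit".toCharArray();
    static final String WSDL_URL = "https://ejbca.example.test:8443/ejbca/ejbcaws/ejbcaws?wsdl";

    /** Loads a store of an explicit type: "PKCS12" for .p12, "JKS" for .jks, never the JVM default. */
    static KeyStore loadKeyStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Only key entries can authenticate a client; trusted-certificate entries are silently skipped by JSSE. */
    static List<String> describeKeyEntries(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            out.add(alias + " subject=" + cert.getSubjectX500Principal()
                    + " issuer=" + cert.getIssuerX500Principal() + " notAfter=" + cert.getNotAfter());
        }
        return out;
    }

    /** Returns the alias the key manager would send for a CertificateRequest naming acceptedIssuers, or null. */
    static String chooseClientAlias(KeyStore keyStore, char[] keyPassword, Principal[] acceptedIssuers)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return ((X509KeyManager) km).chooseClientAlias(new String[] {"RSA", "EC"}, acceptedIssuers, null);
            }
        }
        return null;
    }

    /** Explicit context: key manager for the client certificate, trust manager for the server's CA chain. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore keyStore = loadKeyStore("PKCS12", KEYSTORE_PATH, PASSWORD);
        KeyStore trustStore = loadKeyStore("JKS", TRUSTSTORE_PATH, PASSWORD);

        System.out.println("Client key entries:");
        for (String line : describeKeyEntries(keyStore)) {
            System.out.println("  " + line);
        }

        // Stand-in for the issuer list the server sends in CertificateRequest: the subjects of the
        // CA certificates in the local trust store (assumes client and server trust the same CAs).
        List<Principal> issuers = new ArrayList<>();
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            X509Certificate ca = (X509Certificate) trustStore.getCertificate(aliases.nextElement());
            issuers.add(ca.getSubjectX500Principal());
        }
        String alias = chooseClientAlias(keyStore, PASSWORD, issuers.toArray(new Principal[0]));
        System.out.println("Alias the key manager would present: " + alias);
        if (alias == null) {
            System.out.println("No key entry chains to an accepted issuer; the server will reject the handshake.");
            return;
        }

        // JAX-WS RI sends over HttpsURLConnection, so installing the context here also covers the generated port.
        HttpsURLConnection.setDefaultSSLSocketFactory(buildContext(keyStore, PASSWORD, trustStore).getSocketFactory());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(WSDL_URL).openConnection();
        System.out.println("HTTP " + conn.getResponseCode() + " from " + WSDL_URL);
        conn.disconnect();
    }
}
```

Run it with `-Djavax.net.debug=ssl:handshake` to see the real issuer list the server sends (the `Cert Authorities` lines after `*** CertificateRequest`) and compare it with the issuer printed for each key entry; if they do not match, the key manager returns null, the client sends an empty Certificate message, and the server answers with the bad_certificate alert seen in the log.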

  • Tomas Gustavsson

    I hope your CAProxyProperties.getInstance().getEjbcaWSUrl() is port 8443?

    I assume here that it works with clientToolBox as well using the same certificate?

    You will have to enable (TLS) debugging of your client.

  • Paskal Šimec

    After changing the javax.net.ssl.trustStore to ManagementCA-chain.jks everything worked!

    Can you give me advice on how to configure CA to support DNAME with two SERIALNUMBERs like:
    SERIALNUMBER=12312313, CN=Mislav Komic, STREET=TEST, L=TEST, SERIALNUMBER=12332123123, O=TEST, STREET=Ilica 28, L=Zagreb

    Thanks,
    Paskal

  • Tomas Gustavsson

    Add multiple serialNumber fields in the end entity profile to allow it (that's your local policy enforcement).



Source: https://sourceforge.net/p/ejbca/discussion/123122/thread/8eea1ac603/
