  1. Application Server 7
  2. AS7-3915

JBoss 7.0.2 mutual certificate authentication fails on SSL Handshake

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Rejected
    • Affects Version/s: 7.0.2.Final
    • Fix Version/s: 7.1.0.Final
    • Component/s: Security
    • Labels:
    • Environment:
    • Steps to Reproduce:
      Download 7.0.2 jboss
      Create certificates for the client and servers
      Import certificates and create keystore and truststore
      Make a browser request to the AS7 and expect mutually authenticated https protocol.


      Description

      The goal is to ask any clients to provide a client certificate and achieve mutual authentication between the client and the server.

      I have created a certification authority (CA) to sign the client and server certificates.

      I have imported the server certificate into the keystore and added an HTTPS connector to the standalone.xml configuration file to serve HTTPS requests on the 8443 port.

      I have imported the CA root certificate into the Certificate Manager under Authorities in the client's Firefox.

      Everything works fine and when I request https://localhost:8443 I get a page with a valid server certificate.

      The problem is, when I import the client certificate into the Certificate Manager in Firefox and set the server configuration to verify client certificates (verify-client="true" in standalone.xml) I get a browser error:

      Secure Connection Failed:
      An error occurred during a connection to localhost:8443.
      SSL peer cannot verify your certificate.
      (Error code: ssl_error_bad_cert_alert)

      while the jboss log on the server states:

      11:01:31,142 DEBUG [org.apache.tomcat.util.net.JIoEndpoint] (http-localhost-127.0.0.1-8443-1) Handshake failed: java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:191) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
      at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:1144) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:952) [jbossweb-7.0.1.Final.jar:7.0.2.Final]
      at java.lang.Thread.run(Thread.java:662) [:1.6.0_30]

      To be sure it is a bug, I downgraded to jboss-6.1.0.Final, where everything works fine as expected, i.e. it is only a 7.0.2 version issue. I'm not sure about 7.1.x, since I haven't had the chance to try it yet.

      Btw, I followed this tutorial to get the PKI ready: http://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/
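
The PKI from the steps above can be checked without the application server. The following is an added example, not part of the original report or of JBoss: it builds a throwaway CA plus server and client certificates with openssl and tests whether each leaf validates, for the right purpose, against the CA the peer is expected to trust. Every file name, subject name and function name is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example. All names (demo-ca, demo-client, ...) are constructed.

make_ca() {       # $1 = work dir, $2 = CA name; writes $2.key and $2.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_cert() {    # $1 = work dir, $2 = CA name, $3 = leaf name, $4 = serverAuth|clientAuth
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null || return 1
  # The extended key usage decides whether the leaf may act as TLS server or client.
  printf 'extendedKeyUsage=%s\n' "$4" > "$1/$3.ext"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

chains_to() {     # $1 = trusted CA cert, $2 = leaf cert, $3 = sslclient|sslserver
  # Succeeds only if the leaf is signed by the CA and allowed for that purpose.
  openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {        # same arguments as chains_to; prints one result line
  if chains_to "$@"; then echo "OK    $2 ($3)"; else echo "FAIL  $2 ($3)"; fi
}

work=$(mktemp -d)
make_ca "$work" demo-ca && make_ca "$work" other-ca
issue_cert "$work" demo-ca demo-server serverAuth
issue_cert "$work" demo-ca demo-client clientAuth

# What a server that requires client certificates needs to succeed:
report "$work/demo-ca.crt"  "$work/demo-client.crt" sslclient
# What the browser needs to succeed:
report "$work/demo-ca.crt"  "$work/demo-server.crt" sslserver
# Two ways client verification is rejected:
report "$work/other-ca.crt" "$work/demo-client.crt" sslclient   # issuer not in the trusted set
report "$work/demo-ca.crt"  "$work/demo-server.crt" sslclient   # certificate not issued for client use
rm -rf "$work"
```

For a real deployment, pass the CA certificate that was imported into the server's truststore as the first argument of `chains_to` and the client certificate loaded into the browser as the second.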

              People

              • Assignee:
                anil.saldhana Anil Saldanha
                Reporter:
                sovo Pavol Sovis
              • Votes:
                0
                Watchers:
                3