I am writing a test class for a networking module which establishes a SSL connection used for sending messages. The Junit 4 test class sets up a client side keystore and truststore along with a server side keystore. These variables are used in setting up client side and server side SSLContexts from which I get SSLServerSocket and SSLSocket necessary for setting up a connection through their respective factories.
The SSLServerSocket successfully accepts the connection of my SSLSocket on localhost at the same port. However when I call the SSLSocket.getInputStream() method on the server side socket it hangs whereas calling the SSLSocket.getOutputStream() mehtod on the client side is successful. I am aware that this stage is responsible for initiating the SSL handshake but through my search I have found little on what could be causing a single side to hand. Someone elses post on a separate site mentioned that is could be a reverse dns lookup hanging how would I prevent this? I also tried explicitly starting the handshake in the first of the two Callable threads which hung in a similar fashion. This is my test class:
public class ReceiverClientThreadTest {
// ADD REG AND A SINGLE NETWORK
// ESTABLISH A TLS CONNECTION BETWEEN TWO POINTS WITH
private final static String KEY_MANAGER = "SunX509";
private final static String TLS_VERSION = "TLSv1.2";
private final static String RNG_ALGORITHM = "DEFAULT";
private final static String RNG_PROVIDER = "BC";
private static final String PROVIDER = "BC";
private static final String KEYSTORE_TYPE = "PKCS12";
private static KeyStore keyStore1, keyStore2, trustStore2;
private SSLSocket serverSocket;
private SSLSocket clientSocket;
#BeforeClass
public static void setUp() throws SQLException, GeneralSecurityException, OperatorCreationException, IOException {
String name1 = "localhost", name2 = "client";
KeyPair kp1 = SecurityUtilities.generateKeyPair();
KeyPair kp2 = SecurityUtilities.generateKeyPair();
X509Certificate cert1 = SecurityUtilities.makeV1Certificate(kp1.getPrivate(), kp1.getPublic(), name1);
X509Certificate cert2 = SecurityUtilities.makeV1Certificate(kp2.getPrivate(), kp2.getPublic(), name2);
keyStore1 = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER);
keyStore2 = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER);
trustStore2 = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER);
keyStore1.load(null, null);
keyStore1.setKeyEntry(name1, kp1.getPrivate(), "relaypass".toCharArray(), new X509Certificate[]{cert1});
// keyStore2.load(null, null);
// keyStore2.setKeyEntry(name2, kp2.getPrivate(), null, new X509Certificate[]{cert2});
trustStore2.load(null, null);
trustStore2.setCertificateEntry(name2, cert1);
// secureSocketManager = new SecureSocketManager(keyStore1, password);
}
#Before
public void init() throws IOException, GeneralSecurityException, InterruptedException, ExecutionException {
SSLServerSocket sslServerSocket = getSSLServerSocket();
SSLSocketFactory sslSocketFactory = getSSLSocketFactory();
ExecutorService pool = Executors.newFixedThreadPool(2);
Callable<SSLSocket> c1 = () -> {
return (SSLSocket) sslServerSocket.accept();
};
Callable<SSLSocket> c2 = () -> {
return (SSLSocket) sslSocketFactory.createSocket("localhost", 2048);
};
Future<SSLSocket> server = pool.submit(c1);
Thread.sleep(1000);
Future<SSLSocket> client = pool.submit(c2);
Thread.sleep(1000);
serverSocket = server.get();
clientSocket = client.get();
}
#After
public void tearDown(){
serverSocket = null;
clientSocket = null;
}
#org.junit.Test
public void endSession(){
Thread test = new Thread(new ReceiverClientThread(serverSocket));
test.start();
try (ObjectOutputStream output = new ObjectOutputStream(new BufferedOutputStream(clientSocket.getOutputStream()))) {
System.out.println("here");
}catch (IOException e){
fail();
}
}
private SSLServerSocket getSSLServerSocket() throws GeneralSecurityException, IOException {
char[] entryPassword = "relaypass".toCharArray();
// COULD ADD PROVIDER IN THESE FOR CONSISTENCY
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX", "BCJSSE");
keyManagerFactory.init(keyStore1, entryPassword);
// specify TLS version e.g. TLSv1.3
SSLContext sslContext = SSLContext.getInstance(TLS_VERSION, "BCJSSE");
sslContext.init(keyManagerFactory.getKeyManagers(),null, null);
SSLServerSocketFactory fact = sslContext.getServerSocketFactory();
return (SSLServerSocket) fact.createServerSocket(2048 );
}
private SSLSocketFactory getSSLSocketFactory() throws GeneralSecurityException{
char[] entryPassword = "relaypass".toCharArray();
// COULD ADD PROVIDER IN THESE FOR CONSISTENCY
// KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KEY_MANAGER, "BCJSSE");
// keyManagerFactory.init(keyStore1, entryPassword);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX", "BCJSSE");
trustManagerFactory.init(trustStore2);
// specify TLS version e.g. TLSv1.3
SSLContext sslContext = SSLContext.getInstance(TLS_VERSION, "BCJSSE");
sslContext.init(null,trustManagerFactory.getTrustManagers(), null);
return sslContext.getSocketFactory();
}
This is the class which it is testing and the only relevant line, the one where the code hangs is commented as such:
public class ReceiverClientThread implements Runnable {
private final SSLSocket sslSocket;
public ReceiverClientThread(SSLSocket sslSocket) {
this.sslSocket = sslSocket;
}
public void run() {
try (ObjectInputStream input = new ObjectInputStream(new BufferedInputStream(sslSocket.getInputStream()))) {
System.out.println("here");
} catch (IOException e) {
}
}
}
Thanks
You could set a timeout on your sslSocket, so that if it hangs during stream read, it will only hang for a set period of time and then will throw an exception. This way the thread will not just hang indefinitely.
sslSocket.setSoTimeout(120000); // timeout of 2 min
Related
I have written a simple TLS server and client using basically the same code offered in the "Java Cryptography Tools and Techniques" the server successfully accepts the client but there must be an issue with the connection because whenever I try to send data from the client to the server the client hangs. The same is true if I call SSLSocket.startHandshake() so there must be a handshake issue. As I mentioned however all of the Server and Client code is basically guaranteed to be correct. I have looked into the code which generates the Certificate but cannot see any issue with it I have no idea whats wrong and its driving me nuts. It has nothing to to with the ordering of the ObjectInputStream and its counterpart by the way. This is the Server code:
public class ServerTask implements Runnable {
private KeyStore serverStore;
private char[] passwd;
public ServerTask(KeyStore serverStore, char[] passwd) {
this.serverStore = serverStore;
this.passwd = passwd;
}
public void run() {
try {
SSLContext sslContext = SSLContext.getInstance("TLSv1.3", "BCJSSE");
KeyManagerFactory keyMgrFact = KeyManagerFactory.getInstance(
"PKIX", "BCJSSE");
keyMgrFact.init(serverStore, passwd);
sslContext.init(keyMgrFact.getKeyManagers(), null, null);
SSLServerSocketFactory fact = sslContext.getServerSocketFactory();
SSLServerSocket sSock = (SSLServerSocket) fact.createServerSocket(2048);
SSLSocket sslSock = (SSLSocket) sSock.accept();
try (DataInputStream input = new DataInputStream(new BufferedInputStream(sslSock.getInputStream()))) {
String test =input.readUTF();
System.out.println();
}
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
}
This is the client code:
public class ClientTask implements Runnable {
private KeyStore trustStore;
public ClientTask(KeyStore trustStore){
this.trustStore = trustStore;
}
public void run(){
try
{
SSLContext sslContext = SSLContext.getInstance("TLSv1.3", "BCJSSE");
TrustManagerFactory trustMgrFact =
TrustManagerFactory.getInstance("PKIX", "BCJSSE");
trustMgrFact.init(trustStore);
sslContext.init(null, trustMgrFact.getTrustManagers(), null);
SSLSocketFactory fact = sslContext.getSocketFactory();
SSLSocket cSock = (SSLSocket)fact.createSocket("localhost", 2048);
try (DataOutputStream output = new DataOutputStream(new BufferedOutputStream(cSock.getOutputStream()))) {
output.writeUTF("feck dis");
System.out.println("dd");
}
}
catch (Exception e)
{
System.out.println(e.getMessage());
}
}
}
Main has this code:
public static void main(String[] args) {
try {
final String PROVIDER = "BC";
final String KEYSTORE_TYPE = "PKCS12";
KeyStore keyStore1, trustStore2;
Phaser phaser = new Phaser();
String name1 = "localhost", name2 = "client";
KeyPair kp1 = SecurityUtilities.generateKeyPair();
X509Certificate cert1 = SecurityUtilities.makeV1Certificate(kp1.getPrivate(), kp1.getPublic(), name1);
keyStore1 = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER);
trustStore2 = KeyStore.getInstance(KEYSTORE_TYPE, PROVIDER);
keyStore1.load(null, null);
keyStore1.setKeyEntry(name1, kp1.getPrivate(), null, new X509Certificate[]{cert1});
trustStore2.load(null, null);
trustStore2.setCertificateEntry(name2, cert1);
Thread server = new Thread(new ServerTask(keyStore1, "relaypass".toCharArray()));
Thread client = new Thread(new ClientTask(trustStore2));
server.start();
Thread.sleep(3000);
client.start();
System.out.println();
}catch (GeneralSecurityException | OperatorCreationException | IOException | InterruptedException e){}
}
Finally the methods which build the certificate and get the keypair are as follows:
public class SecurityUtilities {
private static final String ASYMMETRIC_KEY_ALG = "RSA";
private static final String PROVIDER = "BC";
private static final String SIGNATURE_ALG = "SHA384with" + ASYMMETRIC_KEY_ALG;
private static final String SECURE_RANDOM_ALG = "SHA1PRNG";
private static long serialNumberBase = System.currentTimeMillis();
static{
Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());
}
/**
* Generate an RSA keypair
* #return return the keypair
* #throws GeneralSecurityException
*/
public static KeyPair generateKeyPair()
throws GeneralSecurityException
{
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(ASYMMETRIC_KEY_ALG, PROVIDER);
keyPairGenerator.initialize(new RSAKeyGenParameterSpec(3072, RSAKeyGenParameterSpec.F4));
return keyPairGenerator.generateKeyPair();
}
/**
* Generate a self signed V1 X509Certificate for use by the server to authenticate and sign new users into the network
* it pertains to.
* #param caPrivateKey The private key for use in signing
* #param caPublicKey the public key of the certificate
* #param name The name of the self signing party
* #return The Certificate
* #throws GeneralSecurityException
* #throws OperatorCreationException
*/
public static X509Certificate makeV1Certificate(PrivateKey caPrivateKey, PublicKey caPublicKey, String name)
throws GeneralSecurityException, OperatorCreationException
{
X509v1CertificateBuilder v1CertBldr = new JcaX509v1CertificateBuilder(
new X500Name("CN=" + name),
calculateSerialNumber(),
calculateDate(0),
calculateDate(24 * 365 * 100),
new X500Name("CN=" + name),
caPublicKey);
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SIGNATURE_ALG).setProvider(PROVIDER);
return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(v1CertBldr.build(signerBuilder.build(caPrivateKey)));
}
/**
* A date utilitiy for calculating how much time in the future a certificate will be valid for
* #param hoursInFuture the number of hours you want the certificate to be valid for
* #return the Date of that number of hours in the future from the current time
*/
private static Date calculateDate(int hoursInFuture){
long secs = System.currentTimeMillis() / 1000;
return new Date((secs + (hoursInFuture * 60 * 60)) * 1000);
}
/**
* A method for soliciting a distinct serial number for certificate generation for multiple threads
* #return the SerialNumber
*/
private static synchronized BigInteger calculateSerialNumber(){
return BigInteger.valueOf(serialNumberBase++);
}
I have been over every article I could find on what the problem could be but cannot find any reason why the handshake here should fail. Any help is appreciated.
I tried all day do make a server TLS/SSL HTTPS with java. Can someone help me?
This is my code
static class MyHandler implements HttpHandler {
#Override
public void handle(HttpExchange t) throws IOException {
System.out.println("called");
String response = "This is the response";
t.sendResponseHeaders(200, response.length());
OutputStream os = t.getResponseBody();
os.write(response.getBytes());
os.close();
}
}
static HttpsServer server = null;
static int port = 9000;
public static void main(String[] args) throws Exception {
String keystoreFilename = "/home/kratess/" + "mykey.keystore";
char[] storepass = "mypassword".toCharArray();
char[] keypass = "mypassword".toCharArray();
String alias = "alias";
FileInputStream fIn = new FileInputStream(keystoreFilename);
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(fIn, storepass);
// display certificate
Certificate cert = keystore.getCertificate(alias);
System.out.println(cert);
// setup the key manager factory
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(keystore, keypass);
// setup the trust manager factory
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(keystore);
server = HttpsServer.create(new InetSocketAddress(port), 0);
// create ssl context
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
// setup the HTTPS context and parameters
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
server.setHttpsConfigurator(new HttpsConfigurator(sslContext) {
public void configure(HttpsParameters params) {
try {
// initialise the SSL context
SSLContext c = SSLContext.getDefault();
SSLEngine engine = c.createSSLEngine();
params.setNeedClientAuth(true);
params.setCipherSuites(engine.getEnabledCipherSuites());
params.setProtocols(engine.getEnabledProtocols());
// get the default parameters
SSLParameters defaultSSLParameters = c.getDefaultSSLParameters();
params.setSSLParameters(defaultSSLParameters);
} catch (Exception ex) {
ex.printStackTrace();
System.out.println("Failed to create HTTPS server");
}
}
});
System.out.println("server started at " + port);
server.createContext("/test", new MyHandler());
server.setExecutor(null);
server.start();
}
The server starts but it and the certificate doesn't work on chrome.
The certificate print in the console and is all complete.
Chrome gives that response ERR_EMPTY_RESPONSE
Also, HttpHandler isn't called.
Where am I wrong? If this solution doesn't work can someone suggest me what I have to use? I need to code this HTTPS for creating a WebHook page (required SSL)
I'm developing an hybrid cordova app which might connect to different servers. Some of them do require a client certificate.
On an Android mobile the corresponding root cert + client certificate is installed.
On Chrome browser I get the following dialog to choose the corresponding client certificate for the Web connection.
With the cordova plugin cordova-client-cert-authentication the same dialog pops up for Http(s) requests within the WebView.
My question is how to achieve a automatic certificate selection on Http(s) requests on the native Android platform without explicitly declaring the corresponding client certificate. Or is there something similiar to the user selection of certificate like implemented on Chrome?
This is the current implementation, which throws a handshake exception:
try {
URL url = new URL( versionUrl );
HttpsURLConnection urlConnection = ( HttpsURLConnection ) url.openConnection();
urlConnection.setConnectTimeout( 10000 );
InputStream in = urlConnection.getInputStream();
}
catch(Exception e)
{
//javax.net.ssl.SSLHandshakeException: Handshake failed
}
You can use a certificate previously installed in Android KeyChain (the system key store) extending X509ExtendedKeyManager to configure the SSLContext used by URLConnection
The certificate is referenced by an alias that you need. To prompt user for selection with a dialog similar to chrome use:
KeyChain.choosePrivateKeyAlias(this, this, // Callback
new String[] {"RSA", "DSA"}, // Any key types.
null, // Any issuers.
null, // Any host
-1, // Any port
DEFAULT_ALIAS);
This is the code to configure the SSL connection using a custom KeyManager. It uses the default TrustManager and HostnameVerifier. You will need to configure them if the server is using a self signed certificate not present in Android default truststore (trusting all certificates is not recommended)
//Configure trustManager if needed
TrustManager[] trustManagers = null;
//Configure keyManager to select the private key and the certificate chain from KeyChain
KeyManager keyManager = KeyChainKeyManager.fromAlias(
context, mClientCertAlias);
//Configure SSLContext
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] {keyManager}, trustManagers, null);
//Perform the connection
URL url = new URL( versionUrl );
HttpsURLConnection urlConnection = ( HttpsURLConnection ) url.openConnection();
urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
//urlConnection.setHostnameVerifier(hostnameVerifier); //Configure hostnameVerifier if needed
urlConnection.setConnectTimeout( 10000 );
InputStream in = urlConnection.getInputStream();
Finally here you have and a full implementation of the custom X509ExtendedKeyManager extracted from here and here that is in charge of selecting the client certificate. I have extracted the required code.
public static class KeyChainKeyManager extends X509ExtendedKeyManager {
private final String mClientAlias;
private final X509Certificate[] mCertificateChain;
private final PrivateKey mPrivateKey;
/**
* Builds an instance of a KeyChainKeyManager using the given certificate alias.
* If for any reason retrieval of the credentials from the system {#link android.security.KeyChain} fails,
* a {#code null} value will be returned.
*/
public static KeyChainKeyManager fromAlias(Context context, String alias)
throws CertificateException {
X509Certificate[] certificateChain;
try {
certificateChain = KeyChain.getCertificateChain(context, alias);
} catch (KeyChainException e) {
throw new CertificateException(e);
} catch (InterruptedException e) {
throw new CertificateException(e);
}
PrivateKey privateKey;
try {
privateKey = KeyChain.getPrivateKey(context, alias);
} catch (KeyChainException e) {
throw new CertificateException(e);
} catch (InterruptedException e) {
throw new CertificateException(e);
}
if (certificateChain == null || privateKey == null) {
throw new CertificateException("Can't access certificate from keystore");
}
return new KeyChainKeyManager(alias, certificateChain, privateKey);
}
private KeyChainKeyManager(
String clientAlias, X509Certificate[] certificateChain, PrivateKey privateKey) {
mClientAlias = clientAlias;
mCertificateChain = certificateChain;
mPrivateKey = privateKey;
}
#Override
public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
return mClientAlias;
}
#Override
public X509Certificate[] getCertificateChain(String alias) {
return mCertificateChain;
}
#Override
public PrivateKey getPrivateKey(String alias) {
return mPrivateKey;
}
#Override
public final String chooseServerAlias( String keyType, Principal[] issuers, Socket socket) {
// not a client SSLSocket callback
throw new UnsupportedOperationException();
}
#Override
public final String[] getClientAliases(String keyType, Principal[] issuers) {
// not a client SSLSocket callback
throw new UnsupportedOperationException();
}
#Override
public final String[] getServerAliases(String keyType, Principal[] issuers) {
// not a client SSLSocket callback
throw new UnsupportedOperationException();
}
}
}
I did not test it. Report any error!
If your URLs are still in development stage (not production version), you can skip those SSL/NON-SSL certificates installing to access the URLs.
Here is how to skip SSL validation :
Call when activity onCreate() or where your need before accessing URL.
public static void skipSSLValidation() {
try {
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
/* Create a new array with room for an additional trusted certificate. */
return new X509Certificate[0];
}
#Override
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
#Override
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
#Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
});
} catch (Exception e) {
// pass
}
}
Note : If your HTTPS URLs are valid, you will no require to use server-generated certificates. You should using this method for testing/development only. For release/production you don't have to use this method.
I am very new to Cryptography using Java. I have to build a program that exchanges certificate before any data communication takes place. I am using sslSockets to build basic client-server program and I am not using HTTP/S, this is just to get extra security. (Would like to know difference between Socket and SSLSocket.. does it mean everything is automatically encrypted?)
Here's my UPDATED Server Code:
public class SSLServerExample {
final static String pathToStores = "C:/Users/XXX/Desktop/sslserverclientprogram";
final static String keyStoreFile = "keystore.jks";
final static String passwd = "changeit";
final static int theServerPort = 8443;
static boolean debug = false;
public static void main(String args[]) throws Exception {
String trustFilename = pathToStores + "/" + keyStoreFile;
// System.out.println("Verifying KeyStore File of Client..");
System.setProperty("javax.net.ssl.keyStore", trustFilename);
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
if (debug)
System.setProperty("javax.net.debug", "all");
System.out.println("Setting up SSL parameters");
// Initialize socket connection
SSLServerSocketFactory sslssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
SSLServerSocket sslServerSocket = (SSLServerSocket)sslssf.createServerSocket(theServerPort);
System.out.println("Server Started..Waiting for clients");
sslServerSocket.setNeedClientAuth(true);
SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept();
//sslSocket.startHandshake();
System.out.println("Client Connected!");
InputStream sslIS = sslSocket.getInputStream();
OutputStream sslOS = sslSocket.getOutputStream();
sslServerSocket.setNeedClientAuth(true);
final int RSAKeySize = 1024;
final String newline = "\n";
Key pubKey = null;
Key privKey = null;
boolean flag = sslSocket.getNeedClientAuth();
System.out.println("Flag value: "+ flag);
The flag results in False, even though I set it as true and client sends data which is decrypted by the server without authenticating each other.
Am I missing something?
Please help.
PS: My Client code:
public class SSLClientExample {
final static String pathToStores = "C:/Users/XXX/Desktop/sslserverclientprogram";
final static String trustStoreFile = "cacerts.jks";
final static String passwd = "changeit";
final static String INPUT_FILE = "E:/workspace/input.txt";
final static String theServerName = "localhost";
final static int theServerPort = 8443;
static boolean debug = false;
public static void main(String args[]) throws Exception {
String trustFilename = pathToStores + "/" + trustStoreFile;
System.out.println("Validating KeyStore file of Server..");
System.setProperty("javax.net.ssl.trustStore", trustFilename);
System.setProperty("javax.net.ssl.trustStorePassword", passwd);
if (debug)
System.setProperty("javax.net.debug", "all");
SSLSocketFactory sslssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslSocket = (SSLSocket)sslssf.createSocket(theServerName, 8443);
System.out.println("Connected to Server!");
You have to invoke sslServerSocket.setNeedClientAuth(true); before accepting incoming client connections. You are modifying the server socket's configuration after the connection has already been established.
I have been trying to get a 2-way ssl/https proxy working with Camel. I have been able to set up the Jetty Component using 2-way ssl and am now attempting to get it working with the Http4 component to complete the client side of the proxy.
When I route the jetty traffic to a log component, all is well and the 2 way ssl trust chain is fine. When I throw in the Http4 component, it blows up with a peer not authenticated exception. I am using Camel 2.7.0
Here is what I have so far
public static void main(String[] args) throws Exception {
CamelContext context = new DefaultCamelContext();
JettyHttpComponent jetty = context.getComponent("jetty", JettyHttpComponent.class);
SslSelectChannelConnector sslConnector = new SslSelectChannelConnector();
sslConnector.setPort(9443);
sslConnector.setKeystore("/home/brian/jboss.keystore");
sslConnector.setKeyPassword("changeit");
sslConnector.setTruststore("/home/brian/jboss.truststore");
sslConnector.setTrustPassword("changeit");
sslConnector.setPassword("changeit");
sslConnector.setNeedClientAuth(true);
Map<Integer, SslSelectChannelConnector> connectors = new HashMap<Integer, SslSelectChannelConnector>();
connectors.put(9443, sslConnector);
jetty.setSslSocketConnectors(connectors);
final Endpoint jettyEndpoint = jetty.createEndpoint("jetty:https://localhost:9443/service");
KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(new FileInputStream(new File("/home/brian/User2.p12")), "Password1234!".toCharArray());
X509KeyManager keyManager = new CTSKeyManager(keystore, "user2", "Password1234!".toCharArray());
KeyManager[] keyManagers = new KeyManager[] { keyManager };
X509TrustManager trustManager = new EasyTrustManager();
TrustManager[] trustManagers = new TrustManager[] { trustManager };
SSLContext sslcontext = SSLContext.getInstance("TLS");
sslcontext.init(keyManagers, trustManagers, null);
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("https", 443, new SSLSocketFactory(sslcontext,
SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)));
HttpComponent http4 = context.getComponent("http4", HttpComponent.class);
http4.setClientConnectionManager(new ThreadSafeClientConnManager(registry));
final Endpoint https4Endpoint = http4
.createEndpoint("https4://soafa-lite-staging:443/axis2/services/SigActService?bridgeEndpoint=true&throwExceptionOnFailure=false");
context.addRoutes(new RouteBuilder() {
#Override
public void configure() {
from(jettyEndpoint).to(https4Endpoint);
}
});
context.start();
context.stop();
}
private static class EasyTrustManager implements X509TrustManager {
#Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
#Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
#Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
private static class CTSKeyManager extends X509ExtendedKeyManager {
private final KeyStore keystore;
private final char[] privateKeyPassword;
private final String privateKeyAlias;
public CTSKeyManager(KeyStore keystore, String privateKeyAlias, char[] privateKeyPassword) {
this.keystore = keystore;
this.privateKeyAlias = privateKeyAlias;
this.privateKeyPassword = privateKeyPassword;
}
#Override
public String[] getServerAliases(String keyType, Principal[] issuers) {
String[] serverAliases = null;
try {
List<String> aliasList = new ArrayList<String>();
int count = 0;
Enumeration<String> aliases = keystore.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
aliasList.add(alias);
count++;
}
serverAliases = aliasList.toArray(new String[count]);
} catch (Exception e) {
}
return serverAliases;
}
#Override
public PrivateKey getPrivateKey(String alias) {
PrivateKey privateKey = null;
try {
privateKey = (PrivateKey) keystore.getKey(alias, privateKeyPassword);
} catch (Exception e) {
}
return privateKey;
}
#Override
public String[] getClientAliases(String keyType, Principal[] issuers) {
return privateKeyAlias == null ? null : new String[] { privateKeyAlias };
}
#Override
public X509Certificate[] getCertificateChain(String alias) {
X509Certificate[] x509 = null;
try {
Certificate[] certs = keystore.getCertificateChain(alias);
if (certs == null || certs.length == 0) {
return null;
}
x509 = new X509Certificate[certs.length];
for (int i = 0; i < certs.length; i++) {
x509[i] = (X509Certificate) certs[i];
}
} catch (Exception e) {
}
return x509;
}
#Override
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
return privateKeyAlias;
}
#Override
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
return privateKeyAlias;
}
#Override
public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
return privateKeyAlias;
}
#Override
public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
return privateKeyAlias;
}
}
}
As far as I can tell, the trust should be fine between all keystores/truststores used on both sides of the proxy connections.
Here is my stack trace
[ qtp25584663-14] HttpProducer DEBUG Executing http POST method: https4://soafa-lite-staging:443/axis2/services/SigActService?bridgeEndpoint=true&throwExceptionOnFailure=false
[ qtp25584663-14] DefaultErrorHandler DEBUG Failed delivery for exchangeId: ID-ubuntu-46528-1303140195358-0-1. On delivery attempt: 0 caught: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
[ qtp25584663-14] DefaultErrorHandler ERROR Failed delivery for exchangeId: ID-ubuntu-46528-1303140195358-0-1. Exhausted after delivery attempt: 1 caught: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:561)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
at org.apache.camel.component.http4.HttpProducer.executeMethod(HttpProducer.java:187)
at org.apache.camel.component.http4.HttpProducer.process(HttpProducer.java:101)
at org.apache.camel.impl.converter.AsyncProcessorTypeConverter$ProcessorToAsyncProcessorBridge.process(AsyncProcessorTypeConverter.java:50)
at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:77)
at org.apache.camel.processor.SendProcessor$2.doInAsyncProducer(SendProcessor.java:104)
at org.apache.camel.impl.ProducerCache.doInAsyncProducer(ProducerCache.java:272)
at org.apache.camel.processor.SendProcessor.process(SendProcessor.java:98)
at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:77)
at org.apache.camel.processor.DelegateAsyncProcessor.processNext(DelegateAsyncProcessor.java:98)
at org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:89)
at org.apache.camel.processor.interceptor.TraceInterceptor.process(TraceInterceptor.java:99)
at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:77)
at org.apache.camel.processor.RedeliveryErrorHandler.processErrorHandler(RedeliveryErrorHandler.java:299)
at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:208)
at org.apache.camel.processor.DefaultChannel.process(DefaultChannel.java:269)
at org.apache.camel.processor.UnitOfWorkProcessor.process(UnitOfWorkProcessor.java:109)
at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:77)
at org.apache.camel.processor.DelegateAsyncProcessor.processNext(DelegateAsyncProcessor.java:98)
at org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:89)
at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:68)
at org.apache.camel.component.jetty.CamelContinuationServlet.service(CamelContinuationServlet.java:109)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:534)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1351)
at org.eclipse.jetty.servlets.MultiPartFilter.doFilter(MultiPartFilter.java:97)
at org.apache.camel.component.jetty.CamelMultipartFilter.doFilter(CamelMultipartFilter.java:41)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1322)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:473)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:929)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:403)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:864)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:114)
at org.eclipse.jetty.server.Server.handle(Server.java:352)
at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:596)
at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1068)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:805)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:218)
at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:426)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:508)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.access$000(SelectChannelEndPoint.java:34)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:451)
at java.lang.Thread.run(Thread.java:662)
Ok working now, as it turns out, I had a fundamental misunderstanding of endpoints and protocols within Camel. I should have been registering a scheme with the the https4 protocol and setting my SSLSocketFactory/SSLContext on it. Since it Was registering a scheme with https it was never been using by the Http4 component.
Here is my working solution with 2 caveats.
Why can't I pass in a SchemeRegistry to the ThreadSafeClientConnManager and it is not used when constructing the HttpClient? I have to the HttpClientConfigurer instead
Jetty has an issue where the Keystore and Truststore must be set by path on the SslSelectChannelConnector instead of via SSLContext (bug is in at least jetty 7.2.2 and 7.4.0 ->latest)
Code:
public class CamelProxy {
/**
* #param args
*/
public static void main(String[] args) throws Exception {
CamelContext context = new DefaultCamelContext();
final Endpoint jettyEndpoint = configureJetty(context);
final Endpoint https4Endpoint = configureHttpClient(context);
context.addRoutes(new RouteBuilder() {
#Override
public void configure() {
from(jettyEndpoint).to("log:com.smithforge.request?showAll=true").to(https4Endpoint);
}
});
context.start();
context.stop();
}
private static Endpoint configureHttpClient(CamelContext context) throws Exception {
KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(new FileInputStream(new File("/home/brian/User2.p12")), "Password1234!".toCharArray());
KeyStore truststore = KeyStore.getInstance("JKS");
truststore.load(new FileInputStream(new File("/home/brian/jboss.truststore")), "changeit".toCharArray());
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance("SunX509");
keyFactory.init(keystore, "Password1234!".toCharArray());
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance("SunX509");
trustFactory.init(truststore);
SSLContext sslcontext = SSLContext.getInstance("TLSv1");
sslcontext.init(keyFactory.getKeyManagers(), trustFactory.getTrustManagers(), null);
SSLSocketFactory factory = new SSLSocketFactory(sslcontext, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
SchemeRegistry registry = new SchemeRegistry();
final Scheme scheme = new Scheme("https4", 443, factory);
registry.register(scheme);
HttpComponent http4 = context.getComponent("http4", HttpComponent.class);
http4.setHttpClientConfigurer(new HttpClientConfigurer() {
#Override
public void configureHttpClient(HttpClient client) {
client.getConnectionManager().getSchemeRegistry().register(scheme);
}
});
http4.setClientConnectionManager(new ThreadSafeClientConnManager());
return http4
.createEndpoint("https4://soafa-lite-staging:443/axis2/services/SigActService?bridgeEndpoint=true&throwExceptionOnFailure=false");
}
private static Endpoint configureJetty(CamelContext context) throws Exception {
JettyHttpComponent jetty = context.getComponent("jetty", JettyHttpComponent.class);
SslSelectChannelConnector sslConnector = new SslSelectChannelConnector();
sslConnector.setPort(4443);
sslConnector.setKeystore("/home/brian/jboss.keystore");
sslConnector.setKeyPassword("changeit");
sslConnector.setTruststore("/home/brian/jboss.truststore");
sslConnector.setTrustPassword("changeit");
sslConnector.setPassword("changeit");
sslConnector.setNeedClientAuth(true);
sslConnector.setAllowRenegotiate(true);
Map<Integer, SslSelectChannelConnector> connectors = new HashMap<Integer, SslSelectChannelConnector>();
connectors.put(4443, sslConnector);
jetty.setSslSocketConnectors(connectors);
return jetty.createEndpoint("jetty:https://localhost:4443/service");
}
// .to("log:com.smithforge.response?showHeaders=true");
}
I got to work a ssl proxy with the following code
The route
public class MyRouteBuilder extends RouteBuilder {
public void configure() {
configureSslForJetty();
configureSslForHttp4();
from("jetty:https://0.0.0.0:4443/topython/?matchOnUriPrefix=true")
.to("https4://backend.fake.com:4444/?q=ssl&bridgeEndpoint=true&throwExceptionOnFailure=false");
}
...
Configuration for jetty (provide a certificate when we are acting as a server)
private void configureSslForJetty()
{
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource("c:\\Projects\\blah\\fakefilter.jks");
ksp.setPassword("123456");
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyStore(ksp);
kmp.setKeyPassword("export-password");
SSLContextParameters scp = new SSLContextParameters();
scp.setKeyManagers(kmp);
JettyHttpComponent jettyComponent = getContext().getComponent("jetty", JettyHttpComponent.class);
jettyComponent.setSslContextParameters(scp);
}
Configuration for https4 (what certificate signers do we trust when acting as a client)
private void configureSslForHttp4()
{
KeyStoreParameters trust_ksp = new KeyStoreParameters();
trust_ksp.setResource("c:\\Projects\\blah\\fakeca.jks");
trust_ksp.setPassword("123456");
TrustManagersParameters trustp = new TrustManagersParameters();
trustp.setKeyStore(trust_ksp);
SSLContextParameters scp = new SSLContextParameters();
scp.setTrustManagers(trustp);
HttpComponent httpComponent = getContext().getComponent("https4", HttpComponent.class);
httpComponent.setSslContextParameters(scp);
}
}
Things worth noting
you need to configure component https4 not http4
-Djavax.net.debug=ssl in the command line provided lots of helpful logging
Looks like you're having problems with 'unsafe ssl renegotiation'. Please verify that you're using the latest JDK/JRE (at least 1.6.0_24).