I'm currently facing some troubles by reaching my https-endpoint for my alexa-custom-skill.
My endpoint is an internal PC on my network. For reaching this web server I use a DDNS (<server>.linkpc.net) for my router. The router itself has a port forwarding (443 => internal WebServer Port). That means the current architecture is:
Alexa => Router (.linkpc.net):443 => :
=> RESPONSE => ROUTER => Alexa
I also created a self-signed certificate, that is placed inside a jks and loaded by my WebServer.
This solution works well, by calling the URL (<server>.linkpc.net/xxx/xxx) via browser from outside my network. I receive a message that connection is unsecured due to an untrusted certificate (my self-signed one). But that is a normal behaviour.
I imported the self-signed certificate to own "SSL certificate" via Amazon DEV Console (PEM Format).
From my point of view, everything should be fine, but I get the following error by sending a request to Amazon Dev Console:
"The remote endpoint could not be called, or the response it returned was invalid."
If I'm going to copy the xml-text and insert it into JSON chapter I got:
"There was an exception during the SSL handshake. Please check the
certificate you have provided."
I also created a BreakPoint in Eclipse. It works by using a Browser, but it didn't by using Alexa Dev Console. No response in the code. That means, from my personal point of view, the request is not even reaching my WebServer at all. There are three possible explanations (maybe):
The router provides the wrong certificate to Alexa (strange, because it should not work as a proxy and shouldn't need the self-signed certificate?!)
Self-Signed certificate was wrongly built for Amazon Alexa ?!
A bug inside amazon dev console (unlikely)
Could you please support? :-)
Greetings
Richard
Related
Our application uses Apache HttpClient 4.5.3 and we are observing a very weird behavior with communication between our client and the server using SNI capability
The server is configured to return a Go Daddy signed certificate if the SSL request comes in the with the server name expected from our client(ie: the host name of the server) and it will return a self signed certificate for all other domain names
Behavior observed
The client receives the correct server certificate on all server except on our production machine
The client code is running in an application deployed on tomcat 8, we have noticed that initial requests to the endpoint go through successfully. After some time of running we receive an SSL exception on the client.
The error is because the server is not sending the correct certificate(it sends the default self signed certificate)
If we restart the tomcat server on which the client is deployed, the calls again start to go through successfully.
We have used javax.net.debug for debugging purposes in the past but we cannot use it in this case as we need to restart the tomcat server for its effect to take place and when we restart the tomcat server, the calls to the endpoint server start to succeed.
Also the javax.net.debug logs a lot of information which will flood our logs and hence we wanted it enabled only for a specific request.
We are hoping to log only the Client Hello(which contains the server_name passed to the endpoint)
I have read through
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#OwnX509ETM
But not sure of what we can use to print only the SSL server name indicator pushed down to the server.
I had the same concern as yours, then firstly I was thinking about dynamically adding environment variable, but it's always taking old value. Then I found out that javax.net.debug environment variable is read once only with static block in SSLSocketFactory.java. The full source code is available here.
static {
String s = java.security.AccessController.doPrivileged(
new GetPropertyAction("javax.net.debug", "")).toLowerCase(Locale.ENGLISH);
DEBUG = s.contains("all") || s.contains("ssl");
}
I have a certificate which i need to pass along with the SOAP Request in JMeter.
I have edited the system.properites file to add
javax.net.ssl.keyStore= path to keystore file
javax.net.ssl.keyStorePassword=password
I am still getting the error You need valid client certificate from DHW to access page.
Am I missing somethig here?
The same request is working well from SOAP_UI.
There is a lot that can be going wrong here.
Here is my guess though...
The server is most likely setup for mutual authentication. You can test this by running your java client with the following system property: -Djavax.net.debug=ssl
You should see the ssl handshake and see if the server is requesting a client certificate or not. The messaging will be VERY verbose and you will have to diligently look though the log output to see what is actually occurring.
Hopefully, in the output you will see a list of Certificate Authorities (CAs) that the server trusts. Your client's certificate MUST be signed by one of these CAs. If not, the client won't even attempt to send its client certificate.
If you have access to the server, you can create your own CA and then sign the clients certificate with that new CA and that will work. I actually just did that yesterday. :D
The issue is resolved. I was giving only single backspace instead of two backspaces as per java conventions. It works fine with this minor modification.
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSl Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That is means it is one-way ssl.
Correct me if that wrong]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created and everything seems to be fine; I mean the client can not access the server application without specifying the trust store file location where the server certificate is stored and it is trusted at the client end.
By the server certificate I mean the same certificate that has been configured in server Key-store Configuration
for your information the client application referring to trust store as follow:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using the SoapUI (open source software). What is confusing is the request has been sent, accepted at the server and proceed without specifying any thing for server certificate nor trust store location in SoapUI project configuration !!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, if it doesn't check if the CN of server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA signed certificate. Most of the root and intermediate certificates of well known CA's (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred SSL error unless you import the self-signed certificates into the truststore of the host where SoapUI is running.
There is a wsdl which I wanted to access, the point here is I cannot access this WSDL as it is giving SSL Error. I wanted to know what all is needed here?
What I have done from my side :
Lets say Server A wants to access a WSDL which is implemented in Server B, now there has to be exchange of certificates between these two servers right? What all exchanges it should happen?
I have created a certificate request using "Create certificate Request" from IIS and shared this certificate request with Server B, from Server B We have got a p7b file. Now what exactly we have to do from here? Is the approach what we followed correct or we are deviating from the actual problem?
I got the clarification finally. Thanks for the support whatever you have given.
As conveyed above here was the problem,
Server A wants to access WSDL from Server B, and We are created a "Certificate request File" (P10b) file and shared with Server B, Now they have provided us with (P7b) file. Here was my doubt as to how to proceed.
Explanation :
P10b : "Certificate request" created by Server A in this case. This is a certificate request which means "This is my domain and I wanted to open a request for secured access" . Now this is what we share with Server B (Where wsdl is being implemented). Now since we want to access something from Server B over secured layer, Server B has to sign this request (signing here means approving any request which comes from Server A since this request holds the server name from where it is originating), Now this signing will be done by Server B which is when the certificate will be transformed from p10b to p7b which is what Server B will do and it will send this information to Server A.
Now at Server A we have this certificate called p7b, Server A will now have to convert this P7b to p12b which is the final version of the certificate. This conversion is a kind of decrypting technique which will be done by only the private key of Server A (which means only Server A can decrypt this) Once Server A converts this p7b to p12b which is the final version of certificate, now the server A can have access to the secured resources of Server B by using this certificate. If Server A want's to access WSDL from browser then the browser should have this certificate imported which can be done from the settings on the browser. If the wsdl has to be accessed from a soap UI then this can be done by SSL settings on SOAP UI.
I hope I have made clear. Please let me know if it's not clear anywhere.
I had faced the same issue with my remote spring service when I had converted it from normal http to https.All you need to do is generated certificate for requested application your application and register it with trust store of ServerB from where you want to access application. You can check following links to achieve that
Digital Certificate: How to import .cer file in to .truststore file using?
How to import a jks certificate in java trust store
http://singztechmusings.wordpress.com/2011/05/08/https-communication-how-it-works/
Hope this will give you very good insight.
We have configure a Big F5 load balancer virtual server for a particular IP address which redirects incoming https requests to several Windows servers where there is functionality to generate responses.
I am using SoapUI to test access to these windows servers via the IP address of virtual server in the Big F5.
Using Server and Client certificates generated by the organization where the we have also this set up and sending requests via SoapUI I get the predicted responses back.
The business requirements call for Commercially signed certificates by Thawte.
We created a Certifcate Servcice Request (CSR) to generate a Server certificate and its private key and then we had it signed by Thawte, and also requested a Client Commercially signed certificate from Thawte.
We loaded both certificates in SoapUI client and the Big F5 load balancer but we attempting to test the requests we get the "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake" error.
My questions are:
How can I monitor where exactly the 2 way SSL handshake is terminated
The actual reason what exactly is happening?.. why using commercially signed certificates this does not work now?
Any replies are welcome. Thanks.
However when we swithch Serverto commercially signed by Thawte
This is possibly due to the Java security feature. If so you need to edit the soapui-4.x.x.vmoptions file located at soapui-4.x.x\bin folder and add -Dsun.security.ssl.allowUnsafeRenegotiation=true to the end.
You may also need to export the certificate as a pfx file and set it up in soapUI preference page. For details you can check http://geekswithblogs.net/gvdmaaden/archive/2011/02/24/how-to-configure-soapui-with-client-certificate-authentication.aspx and http://forums.devarticles.com/java-development-38/javax-net-ssl-sslhandshakeexception-received-fatal-alert-handshake-failure-11809.html .
The client is a SoapUI request that has not changed except a different client certificate
That suggests that the server doesn't trust the new client certificate, which in turn implies that the client certificate wasn't even sent because it wasn't signed by one of the server's trusted signers. Closing the connection is the server's only real option in this circumstance, as there isn't an SSL alert for it.
Make sure you have address translation on and the SNAt set to Auto Map for your VIP