Comments on: Simplest method to Implement 2 Way Authentication using SSL – Example With Source Code Available

By: imran

imran — Fri, 06 Aug 2021 05:49:57 +0000

Hi Pavan,

I have two distinct projects both on tomcat. Here, when I add a self-signed server certificate in the server.xml it works fine.
But I am trying to configure 2 Way Authentication with the below configuration.
Server.xml (Server)

System Properties set in the eclipse as below (Client):

-Djavax.net.debug=all
-Djavax.net.ssl.trustStore=/Users/imran.inamdar/work/Local/SPClient.jks
-Djavax.net.ssl.trustStorePassword=storeit
-Djavax.net.ssl.keyStore=/Users/imran.inamdar/work/Local/SPClient.jks
-Djavax.net.ssl.keyStorePassword=storeit

Error on Tomcat Console on Eclipse (Client):

javax.net.ssl|DEBUG|2A|http-nio-9090-exec-3|2021-08-06 11:10:43.240 IST|Alert.java:238|Received alert message (
“Alert”: {
“level” : “fatal”,
“description”: “bad_certificate”
}
)
javax.net.ssl|ERROR|2A|http-nio-9090-exec-3|2021-08-06 11:10:43.242 IST|TransportContext.java:361|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (
“throwable” : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

Error on Tomcat Console on Eclipse (Server):
javax.net.ssl|DEBUG|22|https-jsse-nio-7443-exec-5|2021-08-06 11:10:43.228 IST|CertificateMessage.java:1177|Consuming client Certificate handshake message (
“Certificate”: {
“certificate_request_context”: “”,
“certificate_list”: [
]
}
)
javax.net.ssl|ERROR|22|https-jsse-nio-7443-exec-5|2021-08-06 11:10:43.231 IST|TransportContext.java:361|Fatal (BAD_CERTIFICATE): Empty client certificate chain (
“throwable” : {
javax.net.ssl.SSLHandshakeException: Empty client certificate chain
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)

I got the same exception using cacerts and using OpenSSL too.

By: Steve

Steve — Mon, 19 Oct 2020 15:05:43 +0000

looks very simple. but may you explain why the keystore and truststore are set to the same shown in your config:
like on Tomcat:
keystoreFile=”C:\core-jks\MyServer.jks”
…
truststoreFile=”C:\core-jks\MyServer.jks”

and on client:

System.setProperty(“javax.net.ssl.trustStore”, “c://core-jks//MyClient.jks”);
….
System.setProperty(“javax.net.ssl.keyStore”, “c://core-jks//MyClient.jks”);

shouldn’t the trust store be the “cacerts”?

Thanks.

By: Mahesh

Mahesh — Fri, 02 Oct 2020 17:14:46 +0000

hi Pavan,
Where we need to configure connector, is it already configured in code or do we need to do explicitely?
Can i use Sprint Boot for this code to run?

Getting this error.

2020-10-02 13:07:50.261 ERROR 18348 — [ main] o.s.boot.SpringApplication : Application startup failed

By: John Smith

John Smith — Mon, 14 Sep 2020 13:26:22 +0000

Hi Pavan:

I am getting the following error:

java.lang.IllegalStateException: Failed to execute CommandLineRunner
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:779) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:760) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.afterRefresh(SpringApplication.java:747) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1162) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1151) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
at com.opencodez.SslClientApplication.main(SslClientApplication.java:41) [classes/:na]
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for “https://localhost:8443/ssl-server-0.0.1-SNAPSHOT/hello”: Connection refused: connect; nested exception is java.net.ConnectException: Connection refused: connect
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:312) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at com.opencodez.HttpClient.run(HttpClient.java:24) ~[classes/:na]
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:776) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
… 6 common frames omitted
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[na:1.8.0_121]
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[na:1.8.0_121]
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_121]
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_121]
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_121]
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[na:1.8.0_121]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_121]
at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_121]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) ~[na:1.8.0_121]
at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) ~[na:1.8.0_121]
at sun.net.NetworkClient.doConnect(NetworkClient.java:180) ~[na:1.8.0_121]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) ~[na:1.8.0_121]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) ~[na:1.8.0_121]
at sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:264) ~[na:1.8.0_121]
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) ~[na:1.8.0_121]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[na:1.8.0_121]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138) ~[na:1.8.0_121]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032) ~[na:1.8.0_121]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[na:1.8.0_121]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.8.0_121]
at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:652) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
… 10 common frames omitted

2020-09-14 09:13:05.873 INFO 14088 — [ main] ationConfigEmbeddedWebApplicationContext : Closing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@54a7079e: startup date [Mon Sep 14 09:10:41 EDT 2020]; root of context hierarchy
2020-09-14 09:13:05.874 INFO 14088 — [ main] o.s.j.e.a.AnnotationMBeanExporter : Unregistering JMX-exposed beans on shutdown

These are my steps:

step 1:
server certificate:
keytool -genkey -alias MyServer -keyalg RSA -validity 1825 -keystore “MyServer.jks” -storetype JKS -dname “CN=myserver.com,OU=MyCompany Name,O=My Organization,L=My Location,ST=My State,C=My Country Short Code”

step 2:
keytool -exportcert -alias MyServer -keystore MyServer.jks -file MyServer.cer

step 3:

client certificate:
keytool -genkey -alias MyClient -keyalg RSA -validity 1825 -keystore MyClient.jks -storetype JKS
-dname “CN=client.com,OU=Client Company,O=Client,L=CLient Location,ST=Client State,C=Client Country Short Code”

step 4:
keytool -exportcert -alias MyClient -keystore MyClient.jks -file MyClientPublic.cer

step 5:
–Add Server certificate to client truststore
C:\JDK-1.8.0.x64\jre\lib\security>keytool -importcert -alias MyServer -keystore MyClient.jks -file MyServer.cer

step 6:
–Add client certificate to server truststore
C:\JDK-1.8.0.x64\jre\lib\security>keytool -importcert -alias MyClient -keystore MyServer.jks -file MyClientPublic.cer

step 7:
https://localhost:8443/ssl-server-0.0.1-SNAPSHOT/hello

By: John Smith

John Smith — Mon, 14 Sep 2020 13:16:47 +0000

I am able to run the server but when I run the client I get the following error:

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for “https://localhost:8443/ssl-server-0.0.1-SNAPSHOT/hello”: Connection refused: connect; nested exception is java.net.ConnectException: Connection refused: connect
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:312) ~[spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
at com.opencodez.HttpClient.run(HttpClient.java:24) ~[classes/:na]
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:776) [spring-boot-1.5.2.RELEASE.jar:1.5.2.RELEASE]
… 6 common frames omitted
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method) ~[na:1.8.0_121]
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79) ~[na:1.8.0_121]
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_121]
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_121]
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_121]
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[na:1.8.0_121]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_121]

I changed the password to “changeit” instead of “password” and I changed SslClientApplication.java in client project to:

System.setProperty(“javax.net.debug”, “all”);
System.setProperty(“jdk.tls.client.protocols”, “TLSv1.2”);
System.setProperty(“https.protocols”, “TLSv1.2”);
System.setProperty(“javax.net.ssl.trustStore”, “c://core-jks//MyClient.jks”);
System.setProperty(“javax.net.ssl.trustStorePassword”, “changeit”);
System.setProperty(“javax.net.ssl.keyStore”, “c://core-jks//MyClient.jks”);
System.setProperty(“javax.net.ssl.keyStorePassword”, “changeit”);

Here are my certificate steps:

step 2:
keytool -exportcert -alias MyServer -keystore MyServer.jks -file MyServer.cer

step 3:

step 4:
keytool -exportcert -alias MyClient -keystore MyClient.jks -file MyClientPublic.cer

step 5:
–Add Server certificate to client truststore
C:\JDK-1.8.0.x64\jre\lib\security>keytool -importcert -alias MyServer -keystore MyClient.jks -file MyServer.cer

step 6:
–Add client certificate to server truststore
C:\JDK-1.8.0.x64\jre\lib\security>keytool -importcert -alias MyClient -keystore MyServer.jks -file MyClientPublic.cer