SSL certificate is not being sent along with the authenticate request
https://stackoverflow.com/questions/29667946/ssl-certificate-is-not-being-sent-along-with-the-authenticate-request
I am currently using a SOAP web service with Java over HTTP without any trouble. Recently, I've been asked to use SSL for security reasons. My SSL knowledge is near 0, so I will try to be as understandable as possible.
The problem is that neither my Java program, nor SoapUI, nor curl is working.
The Java program says:
Exception in thread "main" com.sun.xml.ws.client.ClientTransportException: request requires HTTP authentication: Access Denied
SoapUI complains: "Error: Access is denied. Client SSL Certificate Required".
curl says errno=104.
For information, I'm dealing with Apple. Reading their documentation, this particular error indicates that their server is rejecting the request because the certificate is not being sent along with the authenticate request.
Check List
It seems that SSL is working; please find below the commands I tried.
nc -z A.site.com 443 shows
Connection to A.site.com 443 port [tcp/https] succeeded!
openssl s_client -connect A.site.com:443 shows
SSL handshake has read 5725 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: 17E2724B17F0BC77B438BE8D8101F828EF1B45866E4AD482943E8E61D3D2EFE6
    Session-ID-ctx:
    Master-Key: 346581691D9E97BF129D8C2458C9CA8C1899C7E03D03D0BACDEA42DE06D6022E31DCBB7111AFA5AF436EB3C27E5B9B23
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1429166085
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
I decided to use a simple standard SOAP Request in a file that could be sent with openssl s_client in order to debug it.
cat auth.txt | openssl s_client -ign_eof -connect A.site.com:443 -state -debug
The debug output is too long, but everything is running smoothly until this point:
Verify return code: 0 (ok)
write to 0x2c00ef0 [0x2c0c0c0] (666 bytes => 666 (0x29A))
read from 0x2c00ef0 [0x2c078b0] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
read:errno=104
write to 0x2c00ef0 [0x2c0c0c0] (37 bytes => -1 (0xFFFFFFFFFFFFFFFF))
I understood, reading other threads, that read:errno=104 means that the connection has been reset by the server.
At this point, I decided to use PEM files instead of a keystore. I thought that using curl to grab more information could be a good idea. And I don't understand the error returned, which is, by the way, the same as in SoapUI.
curl -k -d @auth.txt --cacert PEMCertificateSentByApple.pem --key myprivatekey.pem:myprivatekeypassword https://A.Site.com/services/
Error: Access is Denied. Client SSL Certificate Required
What does "the certificate is not being sent along with the authenticate request" mean?
Can someone help me on this matter?
Regards,
pierre
java, ssl, curl, soap, openssl
asked Apr 16, 2015 at 7:20 by Tanc
2 Answers
Your command line doesn't send the client certificate. You need --cert for that. You only send the private key (with --key) right now. (Which of course is pointless.)
answered Apr 16, 2015 at 7:44 by Daniel Stenberg
2 Comments
Tanc: Thanks for posting, Daniel. I understand now that the --cert option is missing. Sorry to be a pain (I have no experience on this subject), but would you be so kind as to explain which file I have to use? Actually, I have two PEM files: my private key file (generated on my server) and the PEM file sent by Apple.
Daniel Stenberg: You must specify both the client cert and the private key to curl. Both --cert and --key.
Resolved! Even if it sounds silly, I wasn't sure if I had to use --cert, --cacert, --key or any other options. Based on what you said, adding both --cert and --key, it works.
Thanks, Daniel.
To be as precise as possible, I had minor fixes to do.
I began to write the curl command as follows:
curl -k -d @auth.txt --cert PEMCertificateSentByApple.pem --key myprivatekey.pem:myprivatekeypassword https://A.Site.com/services/
I had an error this way, complaining: curl: (58) unable to set private key file: 'mykey' type PEM
To fix it, reading the man page, I had to add the --pass option instead of using the ':' separator.
Even this way, I wasn't able to get any data in return (curl wasn't complaining at all, but returned a blank page), so I had to add the -H option as follows:
curl -H "Content-Type: text/xml; charset=utf-8" -d @auth.txt --cert PEMCertificateSentByApple.pem --key myprivatekey.pem --pass myprivatekeypassword https://A.Site.com/services/
It is working this way.
answered Apr 16, 2015 at 11:46
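The Java client in the question fails for the same reason the first curl command did: the TLS handshake completes, but no client certificate is ever presented, so the server rejects the request. The following is an added example, not code from the question or either answer, showing the fix for a JAX-WS RI client (the stack trace names com.sun.xml.ws, so the RI request-context key applies); the PKCS#12 file name and password are assumptions, and the PKCS#12 file is built from the two PEM files the question already has.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.ws.BindingProvider;

// Mutual TLS for a JAX-WS RI client: build an SSLContext that PRESENTS a client
// certificate and attach it to one port. Without the KeyManager the handshake still
// succeeds, no certificate is sent, and the server answers "Client SSL Certificate Required".
public final class MutualTlsClient {
    // JAX-WS RI request-context key (the value of JAXWSProperties.SSL_SOCKET_FACTORY).
    static final String SSL_SOCKET_FACTORY =
        "com.sun.xml.ws.transport.https.client.SSLSocketFactory";

    // clientP12: PKCS#12 holding the client certificate AND its private key (hypothetical
    // path). Build it from the two PEM files in the question with:
    //   openssl pkcs12 -export -in PEMCertificateSentByApple.pem -inkey myprivatekey.pem -out client.p12
    public static SSLContext buildContext(String clientP12, char[] clientPass)
            throws IOException, GeneralSecurityException {
        // Identity: the part the original Java client and the first curl command both lacked.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(clientP12)) {
            identity.load(in, clientPass);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, clientPass);

        // Trust: keep real server verification (null = the JVM's default cacerts; import the
        // server's CA there or load a dedicated truststore). curl -k in the question is the
        // shortcut to avoid in production.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Attach to one generated JAX-WS port instead of changing the JVM-wide default.
    public static void apply(Object port, SSLContext ctx) {
        ((BindingProvider) port).getRequestContext()
            .put(SSL_SOCKET_FACTORY, ctx.getSocketFactory());
    }
}
```

Call `MutualTlsClient.apply(port, MutualTlsClient.buildContext("client.p12", password))` on the generated service port before the first SOAP call; this is the Java equivalent of passing both --cert and --key to curl.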