thijsje
New Contributor
14 years ago

SSL client authentication failing with SSLHandshakeException

Hi all,
I’m working on an application that requires authentication based on (TLS) client certificates for its webservices. I’ve been struggling for days to get this to work with SoapUI - I keep getting SSLHandshakeExceptions. :-(
I’ve followed the tips on the link below:
https://www.eviware.com//forum/viewtopi ... tls#p15224

So far, I’ve:
1. added the line ‘-Dsun.security.ssl.allowUnsafeRenegotiation=true’ to the file ‘soapUI-3.6.1.vmoptions’.
2. Imported and exported the client certificate with its private key and the CA certificate chain to a PFX file.
3. Installed the PFX-file as keystore on both global and project level, selected PFX as SSL keystore on the Request Properties. The certificate shows ‘OK’ on the ‘Security Configurations -> Keystores/Certificates’ tab, so SoapUI is able to access the certificate.
4. I also tried with a JKS keystore, including the private client key, but similar results.
I have correctly installed the CA certificate that was used to certify the client certificate on the webserver. I’m pretty sure that this config is OK, since I can use a browser (with the client certificate installed) to get to the WSDL, hence, TLS client authentication is working.

Furthermore, SoapUI can connect without any problems over HTTPS when I disable the requirement for client authentication on the server.

I’m really pulling my hair out over this issue; any help is greatly appreciated. :-)

Thijs


Stack trace:
Tue Feb 08 12:15:04 CET 2011:ERROR:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
at com.eviware.soapui.impl.wsdl.support.http.SoapUIMultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(SoapUIMultiThreadedHttpConnectionManager.java:1735)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1973)
at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
at com.eviware.soapui.impl.wsdl.submit.transports.http.support.methods.ExtendedPostMethod.readResponse(ExtendedPostMethod.java:80)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.sendRequest(HttpClientRequestTransport.java:202)
at com.eviware.soapui.impl.wsdl.WsdlSubmit.run(WsdlSubmit.java:123)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
  • thijsje
    New Contributor
    Addition:
    On the server error log I've found this:
    [error] client xxx.xxx.xx] Re-negotiation request failed
    [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
  • thijsje
    New Contributor
    As the error in the server log suggests (above), the last problem was caused by not allowing 'SSLInsecureRenegotiation'. Adding 'SSLInsecureRenegotiation on' to httpd.conf 'solved' the issue. SoapUI is now able to connect properly using the client certificate.

    So, in order to get it working I needed to:
    1. Make sure the whole certificate chain was in my PFX file
    2. Allow SSLInsecureRenegotiation on the server (httpd.conf file)
    3. Allow allowUnsafeRenegotiation on SoapUI (.vmoptions file)

    Hope this helps somebody, I spent quite some time on this. ;-)

    Furthermore, I really would like to switch back to the secure renegotiation. So if somebody got this to work properly, I would appreciate a quick tip ;-)
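
Added example, not part of the original posts: a Python audit that flags the two workarounds named in this thread (`SSLInsecureRenegotiation on` in httpd.conf and `-Dsun.security.ssl.allowUnsafeRenegotiation=true` in a .vmoptions file). It goes one step beyond the thread by also reporting `SSLVerifyClient` set inside a `<Directory>`/`<Location>`/`<Files>` block, which mod_ssl satisfies by renegotiating after the request has been read. The sample configs are constructed, and the function names and finding labels are this example's own.

```python
import re

# Constructed sample inputs (not the poster's real files).
SAMPLE_HTTPD = """\
<VirtualHost *:443>
    SSLEngine on
    # SSLInsecureRenegotiation on   (commented out: must not be flagged)
    sslinsecurerenegotiation On
    <Location /services>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""
SAMPLE_VMOPTIONS = """\
-Xmx512m
-Dsun.security.ssl.allowUnsafeRenegotiation=true
"""

# Opening/closing tags of per-directory sections; group 1 is "/" on a closing tag.
PER_DIR = re.compile(r"<(/?)(Directory|Location|Files)(Match)?\b", re.I)

def audit_httpd(text):
    """Return (line_no, finding) tuples for an Apache httpd config."""
    findings, depth = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # httpd only treats whole lines starting with '#' as comments
        m = PER_DIR.match(line)
        if m:
            depth += -1 if m.group(1) else 1
            continue
        parts = line.split()
        # Directive names and on/off arguments are case-insensitive in httpd.
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name == "sslinsecurerenegotiation" and args[:1] == ["on"]:
            findings.append((no, "insecure-renegotiation-enabled"))
        elif name == "sslverifyclient" and depth > 0 and args[:1] != ["none"]:
            # Per-directory client auth is requested via a renegotiation.
            findings.append((no, "per-directory-client-auth-renegotiates"))
    return findings

def audit_vmoptions(text):
    """Return line numbers that set allowUnsafeRenegotiation to true."""
    key = "-Dsun.security.ssl.allowUnsafeRenegotiation="
    return [no for no, raw in enumerate(text.splitlines(), 1)
            if raw.strip().startswith(key)
            and raw.strip()[len(key):].lower() == "true"]

if __name__ == "__main__":
    print(audit_httpd(SAMPLE_HTTPD))
    print(audit_vmoptions(SAMPLE_VMOPTIONS))
```

A per-directory `SSLVerifyClient` finding is a pointer rather than a defect in itself: moving the directive to server or virtual-host level requests the client certificate in the initial handshake, so no renegotiation is needed.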