Tanc

Reputation: 667

SSL certificate is not being sent along with the authenticate request

I am currently using a SOAP Web Service with Java over HTTP without any trouble. Recently, I've been asked to use SSL for security reasons. My SSL knowledge is near 0, so I will try to be as understandable as possible.

The problem is that neither my Java program, nor SOAPUI, nor curl is working.

The Java program says:

Exception in thread "main" com.sun.xml.ws.client.ClientTransportException: request requires HTTP authentication: Access Denied

SOAPUI complains "Error: Access is denied. Client SSL Certificate Required".

curl says errno=104.

For information, I'm dealing with Apple. Reading their documentation, this particular error indicates that their server is rejecting the request because the certificate is not being sent along with the authenticate request.

Check List

It seems that SSL is working; please find below the commands I tried.

nc -z A.site.com 443 shows

Connection to A.site.com 443 port [tcp/https] succeeded!

openssl s_client -connect A.site.com:443 shows

---
SSL handshake has read 5725 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: 17E2724B17F0BC77B438BE8D8101F828EF1B45866E4AD482943E8E61D3D2EFE6
    Session-ID-ctx:
    Master-Key: 346581691D9E97BF129D8C2458C9CA8C1899C7E03D03D0BACDEA42DE06D6022E31DCBB7111AFA5AF436EB3C27E5B9B23
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1429166085
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I decided to use a simple standard SOAP Request in a file that could be sent with openssl s_client in order to debug it.

cat auth.txt | openssl s_client -ign_eof -connect A.site.com:443 -state -debug

The debug output is too long, but everything runs smoothly until this point:

   Verify return code: 0 (ok)
---
write to 0x2c00ef0 [0x2c0c0c0] (666 bytes => 666 (0x29A))
0000 - 17 03 01 00 20 f8 6a 77-28 ab d1 bb 10 a9 55 6e   .... .jw(.....Un
0010 - e8 f6 f9 3b bd 7f 46 57-22 db 0b 7a 6a ff ea a6   ...;..FW"..zj...
0020 - 53 30 3b ae fb 17 03 01-02 70 d7 02 45 26 5c 59   S0;......p..E&\Y
0030 - 12 62 91 16 84 ab a0 bd-93 f4 df e9 7b ab 97 8e   .b..........{...
0040 - e7 aa 20 67 b0 a0 77 8f-ab 38 c3 96 98 4f c1 05   .. g..w..8...O..
0050 - a9 8b 8d 7c 49 c1 74 67-18 61 76 d0 7c 12 dd 28   ...|I.tg.av.|..(
0060 - 3d 8c c1 72 6a 3a ce c4-70 89 85 ac df 4d c8 b3   =..rj:..p....M..
0070 - 5c 69 8e 93 b1 45 8c 79-d6 d1 79 89 e6 46 22 06   \i...E.y..y..F".
0080 - ea 6b 94 dc 90 01 8a 9d-7a 99 31 f3 87 ab 33 89   .k......z.1...3.
0090 - c1 f2 eb ef af fa 62 f6-86 e2 77 11 e9 0f 5e 02   ......b...w...^.
00a0 - 7b 19 46 27 01 2f ab ca-7f f0 d8 04 74 67 2a de   {.F'./......tg*.
00b0 - 83 d1 dd d7 8d fd 40 f1-d5 5c 06 43 58 7f 17 a0   ......@..\.CX...
00c0 - 5d b9 a7 2b 05 de ad d5-0b a2 76 de cc 13 82 a4   ]..+......v.....
00d0 - a6 89 9f 9f 63 5c 90 ee-75 fa 7e 33 e0 e9 ab 38   ....c\..u.~3...8
00e0 - d0 37 77 a1 2e 65 16 53-37 be 25 3e f1 ba 88 17   .7w..e.S7.%>....
00f0 - 70 4c e8 f1 5e e8 9a 8b-92 01 15 c2 cf 32 35 0c   pL..^........25.
0100 - d1 8c 94 89 0f 69 fb 99-40 64 ef d0 fc c9 8d cf   .....i..@d......
0110 - 26 55 09 bd 04 b3 10 bc-9a 86 97 eb 0a e6 46 13   &U............F.
0120 - de 23 21 85 28 92 8e 12-e8 e3 49 de 92 19 4a 2d   .#!.(.....I...J-
0130 - 77 45 91 39 46 d6 ad 83-7f f5 aa d5 26 5a fb db   wE.9F.......&Z..
0140 - fb 1e 0f 96 a7 ab 82 08-dd 9e 42 27 49 79 bc 19   ..........B'Iy..
0150 - 82 b4 16 23 02 a1 ea 19-de 5e b4 33 c9 8c 50 c8   ...#.....^.3..P.
0160 - 7d 34 c7 5d 2e 5e 07 c2-af 4a b8 1f b0 52 53 48   }4.].^...J...RSH
0170 - ae ba a0 9d b5 94 e5 dc-dc 86 75 96 b5 ef 53 bc   ..........u...S.
0180 - 2e 07 c3 6c 55 cf 6a 85-23 2e 57 df 33 48 d4 df   ...lU.j.#.W.3H..
0190 - a9 ac 76 13 ad f6 8c 50-fe b3 36 ff 86 6d f1 d0   ..v....P..6..m..
01a0 - 58 43 31 4e 6a 78 63 72-87 06 2e 65 eb 44 0b f1   XC1Njxcr...e.D..
01b0 - 5f c0 e8 cb 3d 13 95 56-7a 6b f6 ff c0 7a cd ef   _...=..Vzk...z..
01c0 - 73 71 5f 1a d1 f1 e3 1b-92 25 5d c2 ca 7c 52 e9   sq_......%]..|R.
01d0 - b3 d2 2a fd 78 f2 6c 00-2f 41 c4 83 94 2d 43 3a   ..*.x.l./A...-C:
01e0 - d8 40 1e 3d 8e 55 86 c6-7e 6e f2 07 57 7c 6f 6a   .@.=.U..~n..W|oj
01f0 - 3f 2d a5 bd 55 b5 fe 11-3e a8 fd f6 98 c2 4b 5a   ?-..U...>.....KZ
0200 - 79 28 b2 c9 9c f9 25 55-24 d7 23 fc 8c 90 95 e7   y(....%U$.#.....
0210 - 62 ac 6e 2e 75 b9 71 76-0b a9 60 74 fa 8a 85 8b   b.n.u.qv..`t....
0220 - de a0 27 0a f6 c9 49 65-af c2 63 80 b1 e7 40 03   ..'...Ie..c...@.
0230 - 7e ca 99 c3 27 a8 3a c5-33 67 28 0c fb 40 25 34   ~...'.:.3g(..@%4
0240 - 66 5c ef 13 9e f7 7e c0-cd 1d d0 1c 30 09 9b 2d   f\....~.....0..-
0250 - 5a 11 f4 5b f0 0e 2a 1c-e9 07 78 31 e4 09 4c 86   Z..[..*...x1..L.
0260 - 79 39 64 ec 2f 8a 8f 80-61 0b f9 dc 08 44 af c3   y9d./...a....D..
0270 - 04 44 50 58 8a e6 5b a6-a4 77 15 51 b3 e2 72 23   .DPX..[..w.Q..r#
0280 - 30 31 b6 cb b4 06 b3 dd-b2 4d ed 74 dc 89 71 e0   01.......M.t..q.
0290 - 24 3b 0c 61 1d bd d2 4d-fb f4                     $;.a...M..
read from 0x2c00ef0 [0x2c078b0] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
read:errno=104
write to 0x2c00ef0 [0x2c0c0c0] (37 bytes => -1 (0xFFFFFFFFFFFFFFFF))

I understood, reading other threads, that read:errno=104 means that the connection has been reset by the server.

At this point, I decided to use PEM files instead of a keystore. I thought that using curl to grab more information could be a good idea. And I don't understand the error returned, which is, by the way, the same as SOAPUI's.

curl -k -d @auth.txt --cacert PEMCertificateSentByApple.pem --key myprivatekey.pem:myprivatekeypassword https://A.Site.com/services/

Error: Access is Denied. Client SSL Certificate Required

What does "the certificate is not being sent along with the authenticate request" mean?

Can someone help me on this matter?

Regards,

pierre

Upvotes: 1

Views: 2079
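One thing the question's own debug output already tells a reader is at which layer the rejection happens. The 666-byte write that s_client performed right before read:errno=104 can be decoded at the TLS record layer. The following is an added example, not code from the question, from curl or from OpenSSL: it reads the `write to ...` line and the first three hexdump lines copied from the question (48 of the 666 bytes, enough to see both record headers; the remaining lines are encrypted request body and are left out of the snippet), walks the record headers, and checks that the records add up to the declared write size. Both records turn out to be application data under TLS 1.0: a 32-byte leading record (the size of an empty or one-byte fragment under DHE-RSA-AES128-SHA once the 20-byte HMAC-SHA1 and CBC padding are added, which is the small record OpenSSL emits ahead of each write on TLS 1.0 CBC suites as its BEAST countermeasure) followed by the 624-byte record carrying the HTTP request itself. In other words, the handshake had already completed without any client certificate, and the server reset the connection in response to the request. That is consistent with curl and SOAPUI receiving an HTTP-level "Client SSL Certificate Required" message rather than a handshake failure, and it is why `--cacert`, which only configures the trust store used to verify the server, changes nothing.

```python
"""Decode the `openssl s_client -debug` hexdump from the question into TLS records.

Added example (not from the question, curl or OpenSSL): parses the raw dump
lines that s_client prints and walks the TLS record-layer headers so one can
see what the client sent right before the server reset the connection.
"""
import re

# TLS record header: 1 byte content type, 2 bytes version, 2 bytes length.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Copied from the question's debug output: the "write to ..." line and the first
# three hexdump lines.  The rest of the 666-byte write (encrypted request body)
# is not reproduced here; only the record headers are needed.
DUMP = r"""
write to 0x2c00ef0 [0x2c0c0c0] (666 bytes => 666 (0x29A))
0000 - 17 03 01 00 20 f8 6a 77-28 ab d1 bb 10 a9 55 6e   .... .jw(.....Un
0010 - e8 f6 f9 3b bd 7f 46 57-22 db 0b 7a 6a ff ea a6   ...;..FW"..zj...
0020 - 53 30 3b ae fb 17 03 01-02 70 d7 02 45 26 5c 59   S0;......p..E&\Y
"""


def parse_debug_dump(text):
    """Return (declared_write_size, captured_bytes) from an s_client -debug dump.

    The size comes from the 'write to ... (N bytes => N (0x..))' line.  In the
    'OFFSET - xx xx ...-xx xx   ascii' lines the hex column occupies fixed
    columns 7..54; the trailing ASCII column is ignored.
    """
    declared = None
    captured = bytearray()
    for line in text.splitlines():
        m = re.match(r"write to .*\((\d+) bytes => (\d+) ", line)
        if m:
            declared = int(m.group(2))
            continue
        m = re.match(r"^([0-9a-f]{4}) - ", line)
        if not m:
            continue
        if int(m.group(1), 16) != len(captured):
            raise ValueError(f"hexdump offset {m.group(1)} is not contiguous")
        captured += bytes.fromhex(line[7:54].replace("-", " "))
    if declared is None:
        raise ValueError("no 'write to' line found")
    return declared, bytes(captured)


def tls_records(data, declared_len):
    """Walk TLS record headers over `data`.

    Payload bytes beyond the captured prefix are tolerated (only headers are
    read), but a header outside the capture is an error, and the records must
    account exactly for the declared write size.
    """
    records, off = [], 0
    while off < declared_len:
        if off + 5 > len(data):
            raise ValueError(f"record header at offset {off} lies beyond the captured bytes")
        ctype = data[off]
        length = int.from_bytes(data[off + 3:off + 5], "big")
        records.append({
            "offset": off,
            "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": VERSIONS.get((data[off + 1], data[off + 2]), "unknown"),
            "length": length,
        })
        off += 5 + length
    if off != declared_len:
        raise ValueError(f"records sum to {off} bytes but {declared_len} were written")
    return records


def diagnose(records):
    """One-line reading of the write that preceded the errno=104 reset."""
    if records and all(r["type"] == "ApplicationData" for r in records):
        return ("handshake already complete: the client is sending application data "
                "(the HTTP request) without a client certificate, so the rejection "
                "happened after the handshake, not during it")
    return "handshake still in progress: " + ", ".join(r["type"] for r in records)


if __name__ == "__main__":
    declared, data = parse_debug_dump(DUMP)
    recs = tls_records(data, declared)
    for r in recs:
        print(f"offset {r['offset']:4d}: {r['type']} {r['version']} payload={r['length']} bytes")
    print(diagnose(recs))
```

Run it on a full `-debug` capture by pasting the complete dump into DUMP (or reading it from a file); if the last write before the reset had instead contained Handshake records, the server would have been refusing the connection during the handshake itself, which is a different problem from the one on this page.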

Answers (2)

Tanc

Reputation: 667

Resolved! Even if it sounds silly, I wasn't sure if I had to use --cert, --cacert, --key or any other options. Based on what you said, adding both --cert and --key, it works.

Thanks Daniel

To be as precise as possible, I had minor fixes to do.

  1. I began to write the curl command as follows:

curl -k -d @auth.txt --cert PEMCertificateSentByApple.pem --key myprivatekey.pem:myprivatekeypassword https://A.Site.com/services/

I had an error this way, complaining: curl: (58) unable to set private key file: 'mykey' type PEM

To fix it, reading the man page, I had to add the --pass option instead of using ":".

  2. Even this way, I wasn't able to get any data in return (curl wasn't complaining at all, but a blank page), so I had to add the -H option as follows:

    curl -H "Content-Type: text/xml; charset=utf-8" -d @auth.txt --cert PEMCertificateSentByApple.pem --key myprivatekey.pem --pass myprivatekeypassword https://A.Site.com/services/

It is working this way.

Upvotes: 0

Daniel Stenberg

Reputation: 58004

Your command line doesn't send the client certificate. You need --cert for that. You only send the private key (with --key) right now. (Which of course is pointless.)

Upvotes: 2
