Hua

Reputation: 93

Why client cert is not sent during SSL connection? CXF 2.7.9

Background

My application is deployed in jboss 5, communicates with a Web service server which requires MASSL. (2-way SSL)

Issue

By looking at the log of the SSL connection, the client cert is not sent even though it has been loaded at the beginning.

Log details are below; the client cert is supposed to be sent after ServerHelloDone.

[EDIT] Added more details based on reply

  1. added CertificateRequest in log

  2. Client certificate actually matches the above request - (a) algorithm is RSA, (b) signed by one of the CAs specified in the request

Logs:

2016-11-25 09:32:38,434 INFO  [STDOUT] (http-0.0.0.0-8080-4) keyStore is : /XX/XX/my.jks
2016-11-25 09:32:38,434 INFO  [STDOUT] (http-0.0.0.0-8080-4) keyStore type is : jks
2016-11-25 09:32:38,434 INFO  [STDOUT] (http-0.0.0.0-8080-4) keyStore provider is :
2016-11-25 09:32:38,434 INFO  [STDOUT] (http-0.0.0.0-8080-4) init keystore
2016-11-25 09:32:38,440 INFO  [STDOUT] (http-0.0.0.0-8080-4) init keymanager of type SunX509
2016-11-25 12:00:04,420 INFO  [STDOUT] (http-0.0.0.0-8080-4) ***
2016-11-25 12:00:04,421 INFO  [STDOUT] (http-0.0.0.0-8080-4) found key for : mykey
2016-11-25 12:00:04,432 INFO  [STDOUT] (http-0.0.0.0-8080-4) chain [0] = [
[
  Version: V3
  Subject: CN=xx.xxx.xxx.com, OU=xxxxxxxx, O=xxxx, L=xxxx, ST=xxx, C=xx
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 Issuer: CN=abc AD Object CA1, DC=core, DC=dir, DC=def, DC=com

...

2016-11-25 12:00:05,520 INFO  [STDOUT] (http-0.0.0.0-8080-4) *** CertificateRequest
2016-11-25 12:00:05,521 INFO  [STDOUT] (http-0.0.0.0-8080-4) Cert Types:
2016-11-25 12:00:05,521 INFO  [STDOUT] (http-0.0.0.0-8080-4) RSA
2016-11-25 12:00:05,521 INFO  [STDOUT] (http-0.0.0.0-8080-4) Cert Authorities:
2016-11-25 12:00:05,521 INFO  [STDOUT] (http-0.0.0.0-8080-4) <CN=abc AD Object CA1, DC=core, DC=dir, DC=def, DC=com>
2016-11-25 12:00:05,521 INFO  [STDOUT] (http-0.0.0.0-8080-4) <CN=abc Policy CA1, O=gh Corporation Limited>
2016-11-25 12:00:05,522 INFO  [STDOUT] (http-0.0.0.0-8080-4) <CN=abc Root CA>

2016-11-25 09:32:39,475 INFO  [STDOUT] (http-0.0.0.0-8080-4) *** ServerHelloDone
2016-11-25 09:32:39,475 INFO  [STDOUT] (http-0.0.0.0-8080-4) *** Certificate chain
2016-11-25 09:32:39,475 INFO  [STDOUT] (http-0.0.0.0-8080-4) ***
2016-11-25 09:32:39,482 INFO  [STDOUT] (http-0.0.0.0-8080-4) *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
2016-11-25 09:32:39,482 INFO  [STDOUT] (http-0.0.0.0-8080-4) http-0.0.0.0-8080-4, WRITE: TLSv1 Handshake, length = 269
2016-11-25 09:32:39,482 INFO  [STDOUT] (http-0.0.0.0-8080-4) SESSION KEYGEN:
2016-11-25 09:32:39,483 INFO  [STDOUT] (http-0.0.0.0-8080-4) PreMaster Secret:

Question

Did I miss something here?

Upvotes: 0

Views: 347

Answers (2)

Hua

Reputation: 93

For anyone who is having the same issue while using CXF (2.7.9), this is a dodgy issue that CXF introduces.

CXF doesn't pick up the keystore configured by the VM argument "-Djavax.net.ssl.keyStore", but has its own solution. See http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport

Upvotes: 0

user207421

Reputation: 310980

client cert is supposed to be sent after server hello is done.

No it isn't. It is only supposed to be sent if:

  • the server has requested it, with a CertificateRequest message
  • the client has a certificate which is signed by one of the CAs specified by the server
  • the client has a certificate which matches the certificate types specified by the server.

There is no evidence in your question that all these conditions apply.

Upvotes: 1
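The two answers together point at two different checks: whether the keystore actually holds a certificate that satisfies the server's CertificateRequest (cert type RSA, issuer among the listed CAs), and whether CXF was even handed that keystore rather than relying on the javax.net.ssl system properties it ignores. The following is an added example, not code from the question, the answers or the CXF project. It uses the standard JSSE X509KeyManager selection logic (the same logic the SunX509 key manager runs during the handshake) against the cert types and CA names copied from the log above, and then installs the same KeyManagers on the CXF HTTPConduit through TLSClientParameters. The keystore path and password come from the command line (assumed), the JAX-WS proxy object and the truststore handling are placeholders (assumed), and the DNs below are the ones printed in the question's log.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.transport.http.HTTPConduit;

public class MutualTlsClientCertCheck {

    // Cert types and CA list copied from the CertificateRequest in the question's log.
    static final String[] REQUESTED_CERT_TYPES = { "RSA" };
    static final String[] REQUESTED_CA_DNS = {
        "CN=abc AD Object CA1, DC=core, DC=dir, DC=def, DC=com",
        "CN=abc Policy CA1, O=gh Corporation Limited",
        "CN=abc Root CA"
    };

    // Load the client keystore the same way the log shows (JKS, SunX509 key manager).
    static KeyManager[] loadKeyManagers(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);
        return kmf.getKeyManagers();
    }

    // Ask the key manager the question the handshake asks: is there an alias whose
    // key type and issuer chain satisfy the server's CertificateRequest?
    // A null result means JSSE will send an empty Certificate message, which is
    // exactly the "*** Certificate chain" followed by nothing seen in the log.
    static String chooseClientAlias(KeyManager[] kms, String[] certTypes, String[] caDns) {
        Principal[] issuers = new Principal[caDns.length];
        for (int i = 0; i < caDns.length; i++) {
            issuers[i] = new X500Principal(caDns[i]);
        }
        for (KeyManager km : kms) {
            if (km instanceof X509KeyManager) {
                String alias = ((X509KeyManager) km).chooseClientAlias(certTypes, issuers, null);
                if (alias != null) {
                    return alias;
                }
            }
        }
        return null;
    }

    // Default trust managers (the JVM's cacerts or javax.net.ssl.trustStore); assumption:
    // replace with an explicit truststore if the server CA is not in the default store.
    static TrustManager[] defaultTrustManagers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    // CXF does not read -Djavax.net.ssl.keyStore; the KeyManagers must be set on the
    // conduit explicitly. 'proxy' is the JAX-WS port object (assumed to exist).
    static void configureConduit(Object proxy, KeyManager[] kms, TrustManager[] tms) {
        Client client = ClientProxy.getClient(proxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(kms);
        tls.setTrustManagers(tms);
        conduit.setTlsClientParameters(tls);
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation: java MutualTlsClientCertCheck /XX/XX/my.jks <password>
        KeyManager[] kms = loadKeyManagers(args[0], args[1].toCharArray());
        String alias = chooseClientAlias(kms, REQUESTED_CERT_TYPES, REQUESTED_CA_DNS);
        if (alias == null) {
            System.out.println("No key in " + args[0]
                + " satisfies the server's CertificateRequest; no client cert will be sent.");
        } else {
            System.out.println("Alias '" + alias + "' satisfies the CertificateRequest.");
        }
        // Once the keystore is known to be usable, hand it to CXF:
        // configureConduit(port, kms, defaultTrustManagers());
    }
}
```

If chooseClientAlias returns the expected alias ("mykey" in the log) for the keystore alone, the certificate selection conditions from the second answer are met, and the remaining suspect is the first answer's point: the conduit was never given those KeyManagers, so CXF ran the handshake with no client identity at all.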
