Skip to content

Websocket ssl connection failure (empty chain) #9636

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
RedCollarPanda opened this issue Jun 29, 2017 · 4 comments
Closed

Websocket ssl connection failure (empty chain) #9636

RedCollarPanda opened this issue Jun 29, 2017 · 4 comments
Labels
for: stackoverflow A question that's better suited to stackoverflow.com

Comments

@RedCollarPanda
Copy link

RedCollarPanda commented Jun 29, 2017
edited by philwebb
Loading

Good day! Maybe this is not the right place to ask such question as mine, but I ran into the issue, that looks like a bug and I did not get any help at stackoverflow. The link to the question there is here

So as it is said in question I have a simple chat application with websocket (STOMP). I have configured ssl connection with mutal auth. Server side code with simple ssl is here and client side is here .

In short - I pass trustedKeyStore and KeyStore to my client and try to connect. As I see on websocket connect faze something goes wrong and client cannot find "Warning: no suitable certificate found - continuing without client authentication" and connection closes.

So if you need - I can repost question and details from stackoverflow, if you need - I can provide some more details and so on.

So questions are :

  1. What is wrong?

  2. Can someone say - can I pass certificates and keys DIRECTLY to some classes to ensure that connection will use them 100% ? Any way to setup them (not by System.setProperty etc) ?

My keystores are:

CLIENT

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: 1
Creation date: Jun 29, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=client3@mail.ru, CN=client3, OU=client3, O=client3, L=client3, ST=client3, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 2
Valid from: Wed Jun 28 16:14:54 MSK 2017 until: Thu Jun 28 16:14:54 MSK 2018
Certificate fingerprints:
	 MD5:  60:22:7C:63:6D:BE:E1:02:39:0B:CD:AD:DB:E2:40:A5
	 SHA1: BC:03:09:84:A1:C8:46:CA:4A:60:AA:74:1F:49:76:04:5E:2C:9E:9E
	 SHA256: B5:53:8E:13:CE:34:AF:A8:42:EA:43:6E:FA:A7:7E:B1:F9:49:2F:BF:BE:45:43:9A:99:D8:15:B9:32:60:1C:42
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74   69 66 69 63 61 74 65     ted Certificate


#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6A CE 21 1B 6C 78 3A B9   37 69 36 26 0D FB E0 A1  j.!.lx:.7i6&....
0010: B6 57 80 C3                                        .W..
]
]

Certificate[2]:
Owner: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 9952f188496b2545
Valid from: Wed Jun 28 15:39:04 MSK 2017 until: Sat Jun 26 15:39:04 MSK 2027
Certificate fingerprints:
	 MD5:  F7:52:34:FD:3C:AC:91:DE:E0:20:4B:D4:D1:44:47:23
	 SHA1: EE:D5:38:9B:6F:73:CD:0F:BF:32:0F:4E:D8:47:E6:1D:60:4F:36:FE
	 SHA256: CD:F6:4F:58:9E:99:DC:1D:E0:09:28:8E:FA:1C:52:9E:EC:CB:59:74:9E:C0:59:6C:B0:96:29:C5:3C:00:67:F7
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]



*******************************************
*******************************************


Alias name: trust
Creation date: Jun 29, 2017
Entry type: trustedCertEntry

Owner: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 9952f188496b2545
Valid from: Wed Jun 28 15:39:04 MSK 2017 until: Sat Jun 26 15:39:04 MSK 2027
Certificate fingerprints:
	 MD5:  F7:52:34:FD:3C:AC:91:DE:E0:20:4B:D4:D1:44:47:23
	 SHA1: EE:D5:38:9B:6F:73:CD:0F:BF:32:0F:4E:D8:47:E6:1D:60:4F:36:FE
	 SHA256: CD:F6:4F:58:9E:99:DC:1D:E0:09:28:8E:FA:1C:52:9E:EC:CB:59:74:9E:C0:59:6C:B0:96:29:C5:3C:00:67:F7
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

SERVER

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Jun 28, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=localhost@mail.com, CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 1
Valid from: Wed Jun 28 16:07:14 MSK 2017 until: Thu Jun 28 16:07:14 MSK 2018
Certificate fingerprints:
	 MD5:  8A:F3:C1:30:4B:89:82:97:93:D8:E7:A5:B7:71:CF:F6
	 SHA1: 9F:A0:EE:D9:A5:E3:5E:CE:11:43:4A:5A:AB:98:80:36:26:7A:96:77
	 SHA256: 64:23:64:A1:B3:BE:0C:D6:EE:DD:E9:B4:92:73:6A:E6:04:3B:91:45:80:05:F5:AB:66:70:5E:A1:4C:8C:44:79
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74   69 66 69 63 61 74 65     ted Certificate


#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1A FD F6 D3 E0 6A F0 56   3E 4A 75 E0 1F 76 BC 1C  .....j.V>Ju..v..
0010: C2 DE A7 28                                        ...(
]
]

TRUSTED (both client and server have the same)

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: my_ca
Creation date: Jun 28, 2017
Entry type: trustedCertEntry

Owner: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 9952f188496b2545
Valid from: Wed Jun 28 15:39:04 MSK 2017 until: Sat Jun 26 15:39:04 MSK 2027
Certificate fingerprints:
	 MD5:  F7:52:34:FD:3C:AC:91:DE:E0:20:4B:D4:D1:44:47:23
	 SHA1: EE:D5:38:9B:6F:73:CD:0F:BF:32:0F:4E:D8:47:E6:1D:60:4F:36:FE
	 SHA256: CD:F6:4F:58:9E:99:DC:1D:E0:09:28:8E:FA:1C:52:9E:EC:CB:59:74:9E:C0:59:6C:B0:96:29:C5:3C:00:67:F7
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

Thank you!
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 29, 2017
@snicoll
Copy link
Member

snicoll commented Jun 30, 2017

We don't use the tracker for questions , let's continue the discussion on the stackoverflow question you've already raised.

@snicoll snicoll closed this as completed Jun 30, 2017
@snicoll snicoll added for: stackoverflow A question that's better suited to stackoverflow.com and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 30, 2017
@RedCollarPanda
Copy link
Author

As you say - but what if we will not find the answer? Is this a bug? What about adding certificates by some class methods? (not via System)

@RedCollarPanda
Copy link
Author

So again - as in stackowerflow question said - I managed to connect via curl, but could not connect via websocket. I guess this is a bug?

@wilkinsona
Copy link
Member

I've commented again on your question on Stack Overflow. I've yet to see anything to suggest that this is a bug in Spring Boot so, please, let's keep the discussion on Stack Overflow where it belongs for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
for: stackoverflow A question that's better suited to stackoverflow.com
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@snicoll @wilkinsona @RedCollarPanda @spring-projects-issues