
Websocket ssl connection failure (empty chain) #9636

Closed

Description

@RedCollarPanda

Good day! Maybe this is not the right place to ask such a question as mine, but I ran into an issue that looks like a bug, and I did not get any help at stackoverflow. The link to the question there is here.

So, as it is said in the question, I have a simple chat application with websocket (STOMP). I have configured an ssl connection with mutual auth. Server side code with simple ssl is here and client side is here.

In short - I pass trustedKeyStore and KeyStore to my client and try to connect. As I see, in the websocket connect phase something goes wrong and the client cannot find one ("Warning: no suitable certificate found - continuing without client authentication"), and the connection closes.

So if you need, I can repost the question and details from stackoverflow, and I can provide some more details and so on.

So the questions are:

  1. What is wrong?

  2. Can someone say whether I can pass certificates and keys DIRECTLY to some classes to ensure that the connection will use them 100%? Is there any way to set them up (not by System.setProperty etc.)?

My keystores are:

CLIENT

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: 1
Creation date: Jun 29, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=client3@mail.ru, CN=client3, OU=client3, O=client3, L=client3, ST=client3, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 2
Valid from: Wed Jun 28 16:14:54 MSK 2017 until: Thu Jun 28 16:14:54 MSK 2018
Certificate fingerprints:
	 MD5:  60:22:7C:63:6D:BE:E1:02:39:0B:CD:AD:DB:E2:40:A5
	 SHA1: BC:03:09:84:A1:C8:46:CA:4A:60:AA:74:1F:49:76:04:5E:2C:9E:9E
	 SHA256: B5:53:8E:13:CE:34:AF:A8:42:EA:43:6E:FA:A7:7E:B1:F9:49:2F:BF:BE:45:43:9A:99:D8:15:B9:32:60:1C:42
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74   69 66 69 63 61 74 65     ted Certificate


#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6A CE 21 1B 6C 78 3A B9   37 69 36 26 0D FB E0 A1  j.!.lx:.7i6&....
0010: B6 57 80 C3                                        .W..
]
]

Certificate[2]:
Owner: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 9952f188496b2545
Valid from: Wed Jun 28 15:39:04 MSK 2017 until: Sat Jun 26 15:39:04 MSK 2027
Certificate fingerprints:
	 MD5:  F7:52:34:FD:3C:AC:91:DE:E0:20:4B:D4:D1:44:47:23
	 SHA1: EE:D5:38:9B:6F:73:CD:0F:BF:32:0F:4E:D8:47:E6:1D:60:4F:36:FE
	 SHA256: CD:F6:4F:58:9E:99:DC:1D:E0:09:28:8E:FA:1C:52:9E:EC:CB:59:74:9E:C0:59:6C:B0:96:29:C5:3C:00:67:F7
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]



*******************************************
*******************************************


Alias name: trust
Creation date: Jun 29, 2017
Entry type: trustedCertEntry

Owner: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 9952f188496b2545
Valid from: Wed Jun 28 15:39:04 MSK 2017 until: Sat Jun 26 15:39:04 MSK 2027
Certificate fingerprints:
	 MD5:  F7:52:34:FD:3C:AC:91:DE:E0:20:4B:D4:D1:44:47:23
	 SHA1: EE:D5:38:9B:6F:73:CD:0F:BF:32:0F:4E:D8:47:E6:1D:60:4F:36:FE
	 SHA256: CD:F6:4F:58:9E:99:DC:1D:E0:09:28:8E:FA:1C:52:9E:EC:CB:59:74:9E:C0:59:6C:B0:96:29:C5:3C:00:67:F7
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

SERVER

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Jun 28, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=localhost@mail.com, CN=localhost, OU=localhost, O=localhost, L=localhost, ST=localhost, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 1
Valid from: Wed Jun 28 16:07:14 MSK 2017 until: Thu Jun 28 16:07:14 MSK 2018
Certificate fingerprints:
	 MD5:  8A:F3:C1:30:4B:89:82:97:93:D8:E7:A5:B7:71:CF:F6
	 SHA1: 9F:A0:EE:D9:A5:E3:5E:CE:11:43:4A:5A:AB:98:80:36:26:7A:96:77
	 SHA256: 64:23:64:A1:B3:BE:0C:D6:EE:DD:E9:B4:92:73:6A:E6:04:3B:91:45:80:05:F5:AB:66:70:5E:A1:4C:8C:44:79
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74   69 66 69 63 61 74 65     ted Certificate


#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1A FD F6 D3 E0 6A F0 56   3E 4A 75 E0 1F 76 BC 1C  .....j.V>Ju..v..
0010: C2 DE A7 28                                        ...(
]
]

TRUSTED (both client and server have the same)

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: my_ca
Creation date: Jun 28, 2017
Entry type: trustedCertEntry

Owner: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Issuer: EMAILADDRESS=ca@ca.com, CN=ca, OU=ca, O=ca, L=ca, ST=ca, C=RU
Serial number: 9952f188496b2545
Valid from: Wed Jun 28 15:39:04 MSK 2017 until: Sat Jun 26 15:39:04 MSK 2027
Certificate fingerprints:
	 MD5:  F7:52:34:FD:3C:AC:91:DE:E0:20:4B:D4:D1:44:47:23
	 SHA1: EE:D5:38:9B:6F:73:CD:0F:BF:32:0F:4E:D8:47:E6:1D:60:4F:36:FE
	 SHA256: CD:F6:4F:58:9E:99:DC:1D:E0:09:28:8E:FA:1C:52:9E:EC:CB:59:74:9E:C0:59:6C:B0:96:29:C5:3C:00:67:F7
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A9 07 92 74 27 B9 48 09   CB 44 C7 19 4E 65 02 E8  ...t'.H..D..Ne..
0010: FA B5 E0 40                                        ...@
]
]

Thank you!
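An added example (not code from the issue author or from the project) that addresses question 2 with plain JSSE: the stores are wired into an SSLContext through KeyManagerFactory/TrustManagerFactory rather than javax.net.ssl.* system properties, and a pre-flight check reproduces, offline, the condition behind the quoted "no suitable certificate found" warning, which JSSE prints when the key manager has no key entry it can offer to the server. File paths, passwords and the class name are assumptions; how the resulting SSLContext is handed to the WebSocket client depends on the client library and is not shown.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class MutualTlsContext {
    /** Loads a JKS keystore from disk; path and password are supplied by the caller (assumed). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    /** Returns the first PrivateKeyEntry whose non-empty chain ends in a cert issued by (or equal to)
     *  a CA in the trust store, or null: with null the key manager has nothing to present. */
    static String findUsableClientAlias(KeyStore keyStore, KeyStore trustStore) throws Exception {
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!keyStore.isKeyEntry(alias)) continue;           // trustedCertEntry carries no key
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;    // empty chain cannot be presented
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            for (Enumeration<String> t = trustStore.aliases(); t.hasMoreElements();) {
                Certificate anchor = trustStore.getCertificate(t.nextElement());
                if (anchor instanceof X509Certificate && ((X509Certificate) anchor)
                        .getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                    return alias;                                // chain is anchored in our trust store
                }
            }
        }
        return null;
    }
    /** Wires the stores into an SSLContext directly, bypassing javax.net.ssl.* system properties. */
    static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);                         // private key + chain for client auth
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                                    // CA used to verify the server
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Run findUsableClientAlias on the client keystore and the trusted store before connecting: a null result means the handshake will fall back to no client authentication regardless of how the context is configured.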

Labels: for: stackoverflow (A question that's better suited to stackoverflow.com)