5 Replies Latest reply on Nov 29, 2017 5:27 AM by paramjindal

SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL

ray2017 Nov 15, 2017 9:48 AM

The application in Wildfly tries invoking Service in SAG behind a Loadbalancer and it seem the Handshake fails, with client certificate not received from client

Wildfly SSL Configuration is as below

Security Ream

<security-realm name="WebSocketRealm">

<server-identities>

<ssl>

</ssl>

</server-identities>

</authentication>

</security-realm>

HTTPS Listener

<https-listener name="https" verify-client="REQUESTED" security-realm="WebSocketRealm" socket-binding="https"/>

Am I missing something.

Error when the external service is invoked by wildfly - The c

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] *** ServerHelloDone

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] *** Certificate chain

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] ***

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] *** ClientKeyExchange, DH

.........

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] %% Invalidated: [Session-2, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384]

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] default task-53, called closeSocket()

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] default task-53, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] default task-53, called close()

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] default task-53, called closeInternal(true

1. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL

paramjindal Nov 20, 2017 2:34 AM (in response to ray2017)

You have configured SSL (keystore and truststore) on https listener and as you said wildfly is invoking an external service and this request is failing.

https-listener will be in action only for the incoming requests on wildfly and will *NOT* be considered for outgoing requests and since request is originating from wildfly so this configuration won't help.

From the logs also it is clear that the client i.e. wildfly is not presenting any certificate as the certificate chain is empty :

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] *** Certificate chain
TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611] default task-53 INFO [stdout] ***

So I would recommend to use configure the keystore and truststore using the java options like the following :

$JBOSS_HOME/bin/standalone.sh -Djavax.net.ssl.keyStore=$JBOSS_HOME/standalone/configuration/client.keystore -Djavax.net.ssl.trustStore=$JBOSS_HOME/standalone/configuration/client.truststore -Djavax.net.ssl.keyStorePassword=client -Djavax.net.ssl.trustStorePassword=client
Actions
2. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL

ray2017 Nov 27, 2017 6:07 PM (in response to paramjindal)

I tried same and its till fails. Running a tcpdump and checking the logs from Loadbalancer it shows wildfly (client) did not present any certificate.
Actions
3. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL

paramjindal Nov 28, 2017 5:56 AM (in response to ray2017)

Check the output of the client's (wildfly) keystore using the below command :

keytool -list -keystore <your-keystore.jks> -v

May be there is no private key entry in your keystore.
Actions
4. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL

ray2017 Nov 28, 2017 3:22 PM (in response to ray2017)

Keystore has Private and Trusted Entries
Actions
5. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL

paramjindal Nov 29, 2017 5:27 AM (in response to ray2017)

Another possibility could be your client's (wildfly) certificate CA is not trusted by the server means it is not present in the trusted certificate authorities list present by the server just before the ServerHelloDone message in the below logs.

TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO [stdout] *** ServerHelloDone
TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO [stdout] *** Certificate chain
TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO [stdout] ***
TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO [stdout] *** ClientKeyExchange, DH

So check the list of trusted certificate authorities list present by the server before ServerHelloDone and match it with the client's root certificate.
Actions

Go to original post