11 Replies Latest reply on Apr 29, 2016 5:43 AM by nickarls

    WF10 client authentication

    nickarls

      I'm following

      https://github.com/wildfly/quickstart/tree/10.x/helloworld-war-ssl

      without any specific errors, but when I access https://localhost:8443 with Chrome and pick the imported certificate from the list I just get a

      "This site can't be reached. localhost unexpectedly closed the connection (ERR_CONNECTION_CLOSED)"

      With IE I get a complaint that the server certificate is not trusted and another certificate list. When I repeat the procedure I get a

      "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to..."

      even if the settings are all on.

      Any pointers on where I should start debugging the problem?

        • 1. Re: WF10 client authentication
          mchoma

          For debugging use the -Djavax.net.debug=all system property. Also, the Java version you use can be important. Can you list java -version here?

          • 2. Re: WF10 client authentication
            mchoma

            Also configure security debugging logging:

            /subsystem=logging/logger=org.jboss.security:add(level=ALL)
            /subsystem=logging/logger=org.jboss.as.security:add(level=ALL)
            /subsystem=logging/logger=org.picketbox:add(level=ALL)
            /subsystem=logging/logger=org.apache.catalina.authenticator:add(level=ALL)
            /subsystem=logging/logger=org.jboss.as.web.security:add(level=ALL)
            /subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)
            /subsystem=logging/logger=org.wildfly.security:add(level=ALL)
            /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)

            • 3. Re: WF10 client authentication
              nickarls

              Thanks, I'll try to increase the mentioned log levels. I'm on JDK 8, but I have a hard time believing it makes a difference.

              • 4. Re: WF10 client authentication
                nickarls

                I'm getting a

                10:04:39,186 DEBUG [io.undertow.request.io] (default I/O-8) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
                  at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577)
                  at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:668)
                  at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:608)
                  at io.undertow.protocols.ssl.SslConduit.access$600(SslConduit.java:63)
                  at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1034)
                  at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
                  at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
                Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
                  at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
                  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1646)
                  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1614)
                  at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1541)
                  at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575)
                  ... 6 more

                10:04:39,187 TRACE [org.xnio.safe-close] (default I/O-8) Closing resource org.xnio.nio.NioSocketStreamConnection@3e63b626
                10:04:39,187 TRACE [org.xnio.nio] (default I/O-8) Cancelling key sun.nio.ch.SelectionKeyImpl@10301045 of java.nio.channels.SocketChannel[connected ishut local=/127.0.0.1:8443 remote=/127.0.0.1:50530] (same thread)
                10:04:39,188 TRACE [org.xnio.listener] (default I/O-8) Invoking listener io.undertow.server.AbstractServerConnection$CloseSetter@22446ea6 on channel io.undertow.protocols.ssl.UndertowSslConnection@81e77d4
                10:04:39,188 DEBUG [io.undertow.request] (default I/O-8) UT005013: An IOException occurred: java.nio.channels.ClosedChannelException
                  at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:783)
                  at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:609)
                  at io.undertow.protocols.ssl.SslConduit.access$600(SslConduit.java:63)
                  at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1034)
                  at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
                  at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)

                The whole scenario is that I'm trying to authenticate with a SmartCard. The card itself is working (tested on the manufacturer's test site). So far I've

                * Generated a keystore for the HTTPS listener

                * Defined

                                <https-listener name="https" verify-client="REQUIRED" security-realm="OSTiRealm" socket-binding="https"/>

                and

                            <security-realm name="OSTiRealm">
                                <server-identities>
                                    <ssl>
                                        <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="keypassword" key-password="keypassword"/>
                                    </ssl>
                                </server-identities>
                            </security-realm>

                If I take out the verify-client, I can access HTTPS 8443 just fine (with the standard certificate complaint), but with verify-client on it's a no-go. I would have expected at least the client-side dialog for picking the certificate to authenticate with to appear. Or is the self-signed server certificate a problem?

                Update. Nope, the problem persists even after I import the server certificate into Chrome.

                Just accessing 8443 shouldn't need any client keystores and domains yet? Or do I have to export the certificate from the SmartCard and import it into some keystore? I'm a bit confused, as this is my first venture into this area.

                • 5. Re: WF10 client authentication
                  mchoma

                  Could you set the -Djavax.net.debug=all property for WildFly? It logs detailed SSL handshake information. It will show you what is really going on.

                  The authentication truststore part (so that the WildFly server trusts the client certificate) is definitely missing from your security realm configuration. That is described in the quickstart you mentioned before.

                  <authentication>
                    <truststore path="client.truststore" relative-to="jboss.server.config.dir" keystore-password="keypassword"/>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                  </authentication>

                  The exception you attached is a general error and means an SSL handshake error. What IMHO could have happened:

                  - a certificate request was sent from the server, but the client for some reason doesn't behave accordingly (the dialog box doesn't appear)

                  - a certificate request was sent from the server, the client provided a certificate but the server can't verify it - the certificate is not trusted

                       - Regarding the client certificate dialog not showing: is it possible the browser by default implicitly uses the certificate on your smart card? Is your environment configured like that?

                  • 6. Re: WF10 client authentication
                    nickarls

                    Well, I got around five kilorows of text ;-)

                    (In the tutorial, I assume the <authentication> must be inside the realm?)

                    I'm a bit confused about the client store. At the point where the tutorial says you can test the SSL and you will be asked to trust the certificate, client authentication is required but the import of the client cert into the browser hasn't yet been done. Alternatively, shouldn't my client pop up a list of certificates which could be used for the authentication?

                    Thanks for the help,

                    Nik

                    • 7. Re: WF10 client authentication
                      mchoma

                      Better 5k than none ;P

                      These lines mean the client didn't send a client certificate to the server:

                      14:31:21,407 INFO  [stdout] (default task-45) *** Certificate chain
                      14:31:21,407 INFO  [stdout] (default task-45) ***
                      14:31:21,407 INFO  [stdout] (default task-45) default task-45, fatal error: 42: null cert chain
                      14:31:21,407 INFO  [stdout] (default task-45) javax.net.ssl.SSLHandshakeException: null cert chain
                      14:31:21,407 INFO  [stdout] (default task-45) %% Invalidated:  [Session-31, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
                      14:31:21,407 INFO  [stdout] (default task-45) default task-45, SEND TLSv1.1 ALERT:  fatal, description = bad_certificate
                      14:31:21,407 INFO  [stdout] (default task-45) default task-45, WRITE: TLSv1.1 Alert, length = 2
                      14:31:21,408 INFO  [stdout] (default I/O-3) default I/O-3, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain

                      That's why the SSL handshake fails.

                      So from my point of view the problem seems to be in the setting of the client-side (browser) truststore.

                      Yes, <authentication> should be in the <realm> element. I will repair it.

                      Regarding "you can test the SSL and you will be asked to trust the certificate" - it is about server -> client authentication.
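The two realm fragments quoted in this thread (the <server-identities> block from reply 4 and the <authentication> block from reply 5) belong in one <security-realm>, which is what reply 7 confirms. Below is an added example of the combined realm and the listener that references it, written for this thread and not taken from the quickstart or from WildFly itself; the realm name, file names and passwords are the ones used above, and the listener element lives in the undertow subsystem of standalone.xml.

```xml
<!-- undertow subsystem: verify-client="REQUIRED" makes the server send a
     CertificateRequest and abort the handshake if the browser sends no chain
     (the "null cert chain" / bad_certificate case seen in the logs above). -->
<https-listener name="https" verify-client="REQUIRED" security-realm="OSTiRealm" socket-binding="https"/>

<!-- management/security-realms: the realm the listener points at -->
<security-realm name="OSTiRealm">
    <server-identities>
        <ssl>
            <!-- The server's own key pair; this is what the browser is asked to trust
                 (server -> client authentication). -->
            <keystore path="server.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="keypassword" key-password="keypassword"/>
        </ssl>
    </server-identities>
    <authentication>
        <!-- Certificates the server uses to validate the chain the browser presents
             (client -> server authentication). It must contain the issuer of the
             client certificate, not just the leaf, or path validation fails. -->
        <truststore path="client.truststore" relative-to="jboss.server.config.dir"
                    keystore-password="keypassword"/>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>
```

Note that the two stores answer two different questions: server.keystore decides what the browser sees, client.truststore decides which client certificates the server accepts. An exception in the "*** Certificate chain" section of the -Djavax.net.debug=all output refers to the second store, which is the one that was missing from the realm in reply 4.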

                      • 8. Re: WF10 client authentication
                        nickarls

                        Pardon my n00bishness, but I noticed that the SmartCard client has installed two certificates into the client (one for login and one for signing). Should I export the one used for login into the client truststore?

                        Thanks in advance,

                        Nik

                        • 9. Re: WF10 client authentication
                          nickarls

                          Did a fresh start in a VirtualBoxed Linux. This time I imported the root and user certificates that the SmartCard client had installed in Firefox, and they went into the client truststore without problems. I have also accepted the self-signed certificate so that Firefox is OK with it. Still, when I access the page I get the attached log, which boils down to

                          07:15:56,019 INFO  [stdout] (default task-2) *** Certificate chain
                          07:15:56,021 INFO  [stdout] (default task-2) <Empty>
                          07:15:56,021 INFO  [stdout] (default task-2) ***
                          07:15:56,022 INFO  [stdout] (default task-2) default task-2, fatal error: 42: null cert chain
                          07:15:56,028 INFO  [stdout] (default task-2) javax.net.ssl.SSLHandshakeException: null cert chain
                          07:15:56,028 INFO  [stdout] (default task-2) %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
                          07:15:56,028 INFO  [stdout] (default task-2) default task-2, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
                          07:15:56,028 INFO  [stdout] (default task-2) default task-2, WRITE: TLSv1.2 Alert, length = 2

                          I am a bit at a loss *which* certificate is bad, since everything was imported fine.

                          Thanks in advance,

                            Nik
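The reading mchoma gives in reply 7 (an empty "*** Certificate chain" block followed by "null cert chain" means the browser sent nothing) and the "<Empty>" variant in reply 9 can be checked mechanically rather than by eye in five thousand lines of output. The script below is an added example written for this thread, not part of the quickstart or of WildFly: it strips the WildFly console prefix from -Djavax.net.debug=all output, counts the entries in the last certificate-chain block the server printed, picks up the fatal alert the server sent, and separates "the client sent no certificate" from "the client sent one that the server could not validate against client.truststore". Both embedded logs are constructed in the shape of the ones quoted above; the second one (a PKIX path-building failure answered with certificate_unknown) is the other case mchoma lists in reply 5 and does not come from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the output quoted in replies 7 and 9:
# the server printed an empty client chain, then sent a bad_certificate alert.
SAMPLE_NO_CLIENT_CERT = """\
07:15:56,019 INFO  [stdout] (default task-2) *** Certificate chain
07:15:56,021 INFO  [stdout] (default task-2) <Empty>
07:15:56,021 INFO  [stdout] (default task-2) ***
07:15:56,022 INFO  [stdout] (default task-2) default task-2, fatal error: 42: null cert chain
07:15:56,028 INFO  [stdout] (default task-2) javax.net.ssl.SSLHandshakeException: null cert chain
07:15:56,028 INFO  [stdout] (default task-2) %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
07:15:56,028 INFO  [stdout] (default task-2) default task-2, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
"""

# Constructed sample for the other failure listed in reply 5: the client did send a
# chain, but the server's truststore has no path to it (JSSE reports a PKIX failure
# and answers with certificate_unknown). Subject name is made up for the example.
SAMPLE_UNTRUSTED_CLIENT_CERT = """\
07:20:01,100 INFO  [stdout] (default task-3) *** Certificate chain
07:20:01,100 INFO  [stdout] (default task-3) chain [0] = [
07:20:01,100 INFO  [stdout] (default task-3) [
07:20:01,100 INFO  [stdout] (default task-3)   Version: V3
07:20:01,100 INFO  [stdout] (default task-3)   Subject: CN=example smart card login, O=Example
07:20:01,100 INFO  [stdout] (default task-3) ]
07:20:01,101 INFO  [stdout] (default task-3) ***
07:20:01,105 INFO  [stdout] (default task-3) default task-3, fatal error: 46: General SSLEngine problem
07:20:01,105 INFO  [stdout] (default task-3) sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
07:20:01,105 INFO  [stdout] (default task-3) default task-3, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
"""

# "HH:MM:SS,mmm LEVEL [stdout] (thread) " as WildFly prefixes every line JSSE prints
_CONSOLE_PREFIX = re.compile(r"^\d\d:\d\d:\d\d,\d{3}\s+\w+\s+\[stdout\]\s+\([^)]*\)\s*")
_FATAL_ALERT = re.compile(r"SEND TLSv[\d.]+ ALERT:\s*fatal, description = (\w+)")
_CHAIN_ENTRY = re.compile(r"^chain \[\d+\] = ")


@dataclass
class Diagnosis:
    client_chain_length: Optional[int]  # entries in the last chain block; None if none seen
    fatal_alert: Optional[str]          # alert description the server sent, if any
    verdict: str


def jsse_lines(log: str) -> List[str]:
    """Drop the WildFly console prefix so only what JSSE itself printed remains."""
    return [_CONSOLE_PREFIX.sub("", ln).strip() for ln in log.splitlines() if ln.strip()]


def chain_lengths(lines: List[str]) -> List[int]:
    """Count 'chain [n] =' entries in each '*** Certificate chain' ... '***' block, in order."""
    lengths: List[int] = []
    i = 0
    while i < len(lines):
        if lines[i] == "*** Certificate chain":
            count = 0
            i += 1
            while i < len(lines) and lines[i] != "***":
                if _CHAIN_ENTRY.match(lines[i]):
                    count += 1
                i += 1
            lengths.append(count)
        i += 1
    return lengths


def diagnose(log: str) -> Diagnosis:
    """Classify a failed client-auth handshake from the server-side JSSE debug output."""
    lines = jsse_lines(log)
    lengths = chain_lengths(lines)
    last = lengths[-1] if lengths else None   # the last block is the chain received from the client
    alert = None
    for ln in lines:
        m = _FATAL_ALERT.search(ln)
        if m:
            alert = m.group(1)
            break
    text = "\n".join(lines)
    if "null cert chain" in text or last == 0:
        verdict = ("client sent no certificate: the browser did not answer the CertificateRequest, "
                   "so the client key (or smart card) is not available to the browser")
    elif "PKIX path building failed" in text or alert in ("certificate_unknown", "unknown_ca"):
        verdict = ("client sent a certificate but the server could not validate it: "
                   "its issuer is missing from client.truststore")
    elif alert is not None:
        verdict = f"handshake failed with fatal alert {alert}"
    else:
        verdict = "no client-certificate failure found in this log"
    return Diagnosis(last, alert, verdict)


if __name__ == "__main__":
    for name, sample in (("no client cert", SAMPLE_NO_CLIENT_CERT),
                         ("untrusted client cert", SAMPLE_UNTRUSTED_CLIENT_CERT)):
        print(name, "->", diagnose(sample))
```

The distinction matters for where to look next: an empty chain (the case in this thread) is a browser or smart-card middleware problem and no change to the server realm will fix it, while a non-empty chain with a PKIX failure means the server-side client.truststore is missing the issuing certificate.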

                          • 10. Re: WF10 client authentication
                            mchoma

                            I assume you can't import the client private key from your SmartCard into the browser directly. I assume your private key cannot leave the hardware. You must somehow configure your browser to communicate with the SmartCard, so that if a certificate request comes from the server, the browser accesses the SmartCard and provides the certificate.

                            What I suggest:

                            - Try to make the quickstart work without the SmartCard. That means importing the JKS client private key into your browser as the quickstart suggests.

                            - If that works, try to use the SmartCard; consult the documentation of the SmartCard on how to make it work with the browser.

                            • 11. Re: WF10 client authentication
                              nickarls

                              I got it to work! I pretty much imported every certificate the SmartCard provider had on their list. Apparently they were not quite the same as the exported certificates.

                              Thanks for your help!