5 Replies Latest reply on Jun 16, 2016 2:07 AM by jaikiran pai

    Connection fails when using verify-client in undertow

    Jaroslav Simak Newbie


        I have tried to use verify-client (both REQUIRED or REQUESTED) in the undertow module, but the connection from a web service subscriber always fails.


      java version "1.8.0"

      Java(TM) SE Runtime Environment (build pap3280sr2fp10-20160108_01(SR2 FP10))

      IBM J9 VM (build 2.8, JRE 1.8.0 AIX ppc-32 20160106_284759 (JIT enabled, AOT enabled)

      J9VM - R28_20160106_1341_B284759

      JIT  - tr.r14.java_20151209_107110.02

      GC  - R28_20160106_1341_B284759

      J9CL - 20160106_284759)

      JCL - 20151231_01 based on Oracle jdk8u71-b15



      The JRE has been patched to unrestricted security policy.


      wildfly 10.0.0.Final



      I have configured https, providing a ssl-realm


        <security-realm name="SSLRealm">
            <server-identities>
                <ssl protocol="TLS">
                    <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="#######"/>
                </ssl>
            </server-identities>
            <authentication>
                <truststore provider="jks" path="server.truststore" relative-to="jboss.server.config.dir" keystore-password="#######"/>
            </authentication>
        </security-realm>




      and an https-listener


        <https-listener name="default-https" security-realm="SSLRealm" socket-binding="https" verify-client="REQUIRED"/>


      I have patched

        <http-connector name="http-remoting-connector" connector-ref="default-https" security-realm="ApplicationRealm"/>


      Thus, the https connection works.



      As I need mutual client authentication I added


















      to web.xml.



      I call the webservice locally, on the AIX box. The certificates are issued by an official CA. The server and client keystores and truststores actually contain the same certificates.


      After I switched ssl debugging on I see


      main, WRITE: TLSv1.2 Change Cipher Spec, length = 1

      %% Invalidated:  [Session-1, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384]

      main, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

      main, WRITE: TLSv1.2 Alert, length = 2

      main, Exception sending alert: java.net.SocketException: Invalid argument

      main, called closeSocket()


      I don't know what is going on with SSL here. Possibly, the client is already verified and SSL fails to process the "Change Cipher Spec" operation.

      The connection works without the verify-client parameter.

      I will appreciate an idea. Thanks.



      The full ssl debug log is attached.
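For a verify-client=REQUIRED listener the handshake can only succeed if the client holds a private-key entry whose certificate chain is issued by one of the CAs in the server's truststore, because those are the distinguished names the server lists in its CertificateRequest and the only ones a Java key manager will select a certificate for. The following is an added example, not code from the original post or from WildFly: a small Java client that loads a keystore and truststore, reports which key entries actually chain to a trusted issuer, and only then opens a mutually authenticated HTTPS connection. The file names, the password "changeit", and the URL https://localhost:8443/ are placeholders (assumptions); since the client runs on the same box as the server, the truststore argument can be pointed at the server's own server.truststore to check against exactly what the listener trusts.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClientCheck {

    // Load a JKS store from disk (the post's truststore uses provider="jks").
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Subject DNs of every certificate in the truststore: with verify-client=REQUIRED these are
    // the issuer names the server advertises in its CertificateRequest message.
    static List<Principal> trustedSubjects(KeyStore truststore) throws Exception {
        List<Principal> subjects = new ArrayList<>();
        for (String alias : Collections.list(truststore.aliases())) {
            Certificate cert = truststore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                subjects.add(((X509Certificate) cert).getSubjectX500Principal());
            }
        }
        return subjects;
    }

    // Private-key entries whose chain contains a certificate issued by a trusted subject.
    // If this list is empty the key manager sends no client certificate and the server
    // aborts the handshake.
    static List<String> usableClientAliases(KeyStore keystore, KeyStore truststore) throws Exception {
        List<Principal> trusted = trustedSubjects(truststore);
        List<String> usable = new ArrayList<>();
        for (String alias : Collections.list(keystore.aliases())) {
            if (!keystore.isKeyEntry(alias)) {
                continue; // trusted-cert entries have no private key and cannot authenticate the client
            }
            Certificate[] chain = keystore.getCertificateChain(alias);
            if (chain == null) {
                continue;
            }
            for (Certificate cert : chain) {
                if (cert instanceof X509Certificate
                        && trusted.contains(((X509Certificate) cert).getIssuerX500Principal())) {
                    usable.add(alias);
                    break;
                }
            }
        }
        return usable;
    }

    // Build a client SSLContext that presents the keystore's key and trusts the truststore.
    // getDefaultAlgorithm() resolves to "SunX509"/"PKIX" on Oracle and "IbmX509"/"IbmPKIX" on
    // IBM J9, so the code stays portable across the two JREs.
    static SSLContext clientContext(KeyStore keystore, char[] keyPassword, KeyStore truststore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // the debug log in the post shows TLSv1.2
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();               // placeholder password
        KeyStore keystore = load("client.keystore", password);     // placeholder file name
        KeyStore truststore = load("server.truststore", password); // placeholder file name

        System.out.println("Issuers the server will accept: " + trustedSubjects(truststore));
        List<String> usable = usableClientAliases(keystore, truststore);
        System.out.println("Key entries the client can present: " + usable);
        if (usable.isEmpty()) {
            System.out.println("No key entry chains to a trusted issuer; the handshake will fail under verify-client=REQUIRED.");
            return;
        }

        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(clientContext(keystore, password, truststore).getSocketFactory());
        System.out.println("HTTP status: " + conn.getResponseCode());
        X509Certificate serverCert = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Server certificate subject: " + serverCert.getSubjectX500Principal());
    }
}
```

Run it with -Djavax.net.debug=ssl,handshake to correlate its output with the server's CertificateRequest in the handshake trace: the "Cert Authorities" the server lists there should match the issuers printed by trustedSubjects, and the alias chosen by the key manager should be one of those printed by usableClientAliases.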