I have tried to use verify-client (both REQUIRED or REQUESTED) in undertow module, but the connection from an web service subscriber always fails.
java version "1.8.0"
Java(TM) SE Runtime Environment (build pap3280sr2fp10-20160108_01(SR2 FP10))
IBM J9 VM (build 2.8, JRE 1.8.0 AIX ppc-32 20160106_284759 (JIT enabled, AOT enabled)
J9VM - R28_20160106_1341_B284759
JIT - tr.r14.java_20151209_107110.02
GC - R28_20160106_1341_B284759
J9CL - 20160106_284759)
JCL - 20151231_01 based on Oracle jdk8u71-b15
The JRE has been patched to unrestricted security policy.
I have configured https, providing a ssl-realm
<keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="#######"/>
<truststore provider="jks" path="server.truststore" relative-to="jboss.server.config.dir" keystore-password="#######"/>
and an https-listener
<https-listener name="default-https" security-realm="SSLRealm" socket-binding="https" verify-client="REQUIRED"/>
I have patched
<http-connector name="http-remoting-connector" connector-ref="default-https" security-realm="ApplicationRealm"/>
Thus, the https conection works.
As I need mutual client authentication I added
I call the webservice from locally - on the AIX box. The certificated are issued by an official CA. The server and client keystores and truststores contains actually the same certificates.
After I switched ssl debugging on I see
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
%% Invalidated: [Session-1, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
main, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
main, WRITE: TLSv1.2 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Invalid argument
main, called closeSocket()
I don't know what SSL going on here. Possibly, the client is already verified and the SSL fails to process "Change Cipher Spec" operation.
The connection works without the verify-client parameter.
I will appreciate an idea. Thanks.
The full ssl debug log is attached.
ssl_debug.txt.zip 38.6 K