5 Replies Latest reply on Nov 29, 2017 5:27 AM by Paramvir Jindal

    SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL

    BUNTY RAY Newbie

      The application in Wildfly tries invoking  Service in SAG behind a Loadbalancer and it seem the Handshake fails, with client certificate not received from client

       

      Wildfly SSL Configuration is as below

       

      Security Ream

      <security-realm name="WebSocketRealm">

                      <server-identities>

                          <ssl>

                              <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="xxxxx"/>

                          </ssl>

                      </server-identities>

                      <authentication>

                          <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="yyyy"/>

                      </authentication>

                  </security-realm>

       

       

      HTTPS Listener

      <https-listener name="https" verify-client="REQUESTED" security-realm="WebSocketRealm" socket-binding="https"/>

                    

      Am I missing something.

       

       

      Error when the external service is invoked by wildfly - The c

       

      TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] *** ServerHelloDone

      TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] *** Certificate chain

      TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] ***

      TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] *** ClientKeyExchange, DH

      .........

      TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] %% Invalidated:  [Session-2, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384]

      TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] default task-53, called closeSocket()

      TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] default task-53, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

      TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] default task-53, called close()

        TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] default task-53, called closeInternal(true

       

       

        • 1. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL
          Paramvir Jindal Newbie

          You have configured SSL (keystore and truststore) on https listener and as you said wildfly is invoking an external service and this request is failing.

           

          https-listener will be in action only for the incoming requests on wildfly and will *NOT* be considered for outgoing requests and since request is originating from wildfly so this configuration won't help.

           

          From the logs also it is clear that the client i.e. wildfly is not presenting any certificate as the certificate chain is empty :

           

          TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] *** Certificate chain

          TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] ***

           

          So I would recommend to use configure the keystore and truststore using the java options like the following :

           

          $JBOSS_HOME/bin/standalone.sh -Djavax.net.ssl.keyStore=$JBOSS_HOME/standalone/configuration/client.keystore -Djavax.net.ssl.trustStore=$JBOSS_HOME/standalone/configuration/client.truststore -Djavax.net.ssl.keyStorePassword=client -Djavax.net.ssl.trustStorePassword=client

          • 2. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL
            BUNTY RAY Newbie

            I tried same and its till fails. Running a tcpdump and checking the logs from Loadbalancer it shows wildfly (client) did not present any certificate.

            • 3. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL
              Paramvir Jindal Newbie

              Check the output of the client's (wildfly) keystore using the below command :

               

              keytool -list -keystore <your-keystore.jks> -v

               

              May be there is no private key entry in your keystore.

              • 4. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL
                BUNTY RAY Newbie

                 

                Keystore has Private and Trusted Entries

                • 5. Re: SSL Handshake Error When Calling F5 Loadbalancer over 2 Way SSL
                  Paramvir Jindal Newbie

                  Another possibility could be your client's (wildfly) certificate CA is not trusted by the server means it is not present in the trusted certificate authorities list present by the server just before the ServerHelloDone message in the below logs.

                   

                  TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] *** ServerHelloDone

                  TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] *** Certificate chain

                  TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] ***

                  TS:[13/11/2017T21:43:21] CID:[1e6210d0-9500-4411-8aa7-0a02be6d6611]   default task-53 INFO  [stdout] *** ClientKeyExchange, DH

                   

                  So check the list of trusted certificate authorities list present by the server before ServerHelloDone and match it with the client's root certificate.