Comments (9)
Hello Hakan Altındağ,
Thank you so much for this video and all your help.
I am facing some build issues with client code.
The only difference I could see is you are using jdk 11 whereas in my local environment I am using jdk 8.
I will update you the final status of curl command once these issues are resolved.
Thanks,
Ishan Aggarwal
Hi Ishan,
Thank you very much, I really appreciate your compliments :)
I would love to help you out with doing these tasks with curl command.
I am not so familiar yet with curl and https requests with certificates, so feel free anyone who reads this page to provide me feedback.
Curl requires PEM formatted files to do a request. Within this project we used mainly jks files and in some cases a p12 file.
What I did was the following steps:
- fast forward to mutual authentication based on root ca with the provided script within the project:
  ./script/configure-two-way-authentication-by-trusting-root-ca.sh black-hole
  This configures the whole project with mutual authentication and also creates all the cert/keystores. It is basically all the steps within the readme within a script file.
- build the project:
  mvn clean verify
- start the server:
  java -jar server/target/server.jar
- convert the truststore.jks to a p12 file:
  keytool -importkeystore -srckeystore client/src/test/resources/truststore.jks -destkeystore client/src/test/resources/truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass secret -deststorepass secret
- convert the truststore.p12 to a pem file:
  openssl pkcs12 -in client/src/test/resources/truststore.p12 -out client/src/test/resources/truststore.pem -passin pass:secret
- convert the client-signed.p12 to a pem file:
  openssl pkcs12 -in client/src/test/resources/client-signed.p12 -out client/src/test/resources/client-signed.pem -passin pass:secret
- execute the curl command:
  curl --cert client/src/test/resources/client-signed.pem --pass secret --cacert client/src/test/resources/truststore.pem https://localhost:8443/api/hello
With the --cert option I load the client public and private key. With --cacert I load my custom trusted certificates. I used secret as the password when converting my client certificate to a pem file, and by passing the argument --pass curl won't prompt for the password.
Hope this will work for you, please let me know if you succeeded.
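As an added check, not part of the original thread or of the mutual-tls-ssl project, this Python script inspects the PEM files produced by the keytool/openssl steps above: the file passed to --cert must carry exactly one private key plus a certificate (an encrypted key only works together with --pass), and the file passed to --cacert must carry certificates only. That is the first thing to verify when curl reports that it cannot load the client key. The function names and the sample PEM blocks are constructed for this example.

```python
import re

# One PEM block; the "Bag Attributes" lines that openssl pkcs12 writes between blocks are skipped, as curl skips them.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Labels of the PEM blocks in a bundle, in file order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def is_encrypted_key(text):
    # PKCS#8 encrypted keys have their own label; legacy PEM keys carry a Proc-Type header.
    return "ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text

def check_client_pem(text):
    """File for `curl --cert`: exactly one private key plus at least one certificate."""
    labels = pem_labels(text)
    keys = sum(1 for l in labels if l.endswith("PRIVATE KEY"))
    certs = labels.count("CERTIFICATE")
    problems = []
    if keys != 1:
        problems.append("expected exactly one private key block, found %d" % keys)
    if certs == 0:
        problems.append("no certificate block found")
    return {"keys": keys, "certs": certs, "encrypted": is_encrypted_key(text), "problems": problems}

def check_ca_pem(text):
    """File for `curl --cacert`: one or more certificates and no private key at all."""
    labels = pem_labels(text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block found")
    if any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("private key found in a trust bundle")
    return {"certs": labels.count("CERTIFICATE"), "problems": problems}

# Constructed samples shaped like `openssl pkcs12 -out ...` output; the base64
# bodies are placeholders, not real key or certificate material.
CLIENT_PEM = """Bag Attributes
    friendlyName: client
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: client
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE...placeholder...
-----END ENCRYPTED PRIVATE KEY-----
"""
TRUSTSTORE_PEM = "-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"
```

Run check_client_pem on client-signed.pem and check_ca_pem on truststore.pem; an empty problems list means the file has the shape curl expects.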
Hello Hakan Altındağ,
Thank you so much for your quick response.
As mentioned, I performed all the required steps. However, it does not seem to be working as per the steps.
Please find the details below:
curl -v --cert client/src/test/resources/client-signed.pem --pass secret --cacert client/src/test/resources/truststore.pem https://localhost:8445/api/hello
- About to connect() to localhost port 8445 (#0)
- Trying 127.0.0.1...
- Connected to localhost (127.0.0.1) port 8445 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- CAfile: client/src/test/resources/truststore.pem
- CApath: none
- unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
- NSS error -8178 (SEC_ERROR_BAD_KEY)
- Peer's public key is invalid.
- Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
Could you please help me further to debug this issue and run this example using curl command.
Thanks,
Ishan Aggarwal
Could you push all your changes to a forked repo? In that way I am able to easily find the root cause of this failed request.
Hello Hakan Altındağ,
I am using the same server side code and the script you mentioned to create the certificates and keystore, truststore etc.
There are no changes other than that. Please suggest should I still share the changes?
Thanks,
Ishan Aggarwal
Then I am not quite sure what the cause would be; the only difference I still see is that the port is different within your curl command: curl -v --cert client/src/test/resources/client-signed.pem --pass secret --cacert client/src/test/resources/truststore.pem https://localhost:8445/api/hello
Could you check if your server is running on port 8443 or 8445?
If it is still not working, let's do a remote session with TeamViewer.
Hello Hakan Altındağ,
As mentioned by you earlier, I have pushed all my changes to forked repository -
https://github.com/ishan-aggarwal/mutual-tls-ssl.git
Yes, I am using the server port 8445 in application.yml file for server application.
I am basically using server application and curl command as client to fetch the response from server.
I have used the script configure-two-way-authentication-by-trusting-root-ca.sh for setting up all the required prerequisites, and made minor modifications to the script to make it work.
The client curl command used is:
curl -v --cert client/src/test/resources/client-signed.pem --pass secret --cacert client/src/test/resources/truststore.pem https://localhost:8445/api/hello
About to connect() to localhost port 8445 (#0)
Trying 127.0.0.1...
Connected to localhost (127.0.0.1) port 8445 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: client/src/test/resources/truststore.pem
CApath: none
unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
NSS error -8178 (SEC_ERROR_BAD_KEY)
Peer's public key is invalid.
Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
Please help me to make this example work using curl command.
Thank you in advance for all your help.
Thanks,
Ishan Aggarwal
Thank you for pushing your code into a separate git repository.
I have analysed your changes and I can conclude that the creation of the certificates/keystores is correct. Unfortunately the server project couldn't be built because the pom was not correct.
I reverted the changes of the two files below to fix the build for the server:
The client is also failing, but after adjusting the expected message Hello to Hello from server! within the feature file and adjusting the port from 8443 to 8445 within Constants.java and TestConstants.java, the client build is also (almost) passing.
After applying these changes and rebuilding it with mvn clean verify from the root directory, I start the server with the following command: java -jar server/target/server.jar. After this I execute the curl command and it works.
Please have a look at this video where I show the changes step by step: Debug ishan-aggarwal-muutual-tls-ssl. The video will be available in HD quality soon.
After your changes within the server project, especially the pom.xml and LogCertificateAspect.java, the server couldn't be built and therefore it was also not able to create the jar. So maybe you were using an older jar file when starting up the server and therefore the curl was also failing. But that is an assumption. I hope the explanation above and the video make sense; please let me know if it is working on your side after applying the changes.
By the way @ishan-aggarwal, I have added a gist with the specific commands to transform a keystore into something which will be accepted by the curl command. It is available here in case you need to bookmark it: curl-with-java-keystore.md