Sunday, February 06, 2011

SSL Debugging - Part - I

We've been involved in many cases solving issues related to SSL.
The latest one I came across was at a customer site, where the WSO2 ESB needed to communicate with an SSL endpoint (WCF) hosted on IIS 7.
The only thing we had to do was import the CA certificate of the WCF endpoint into the ESB's client-truststore.jks (which is under ESB_HOME\resources\security).
This worked well at the start, but on one machine it started to fail, with no clue at all.
This is where handy SSL debugging tools come in, and the easiest one is setting the system property javax.net.debug=all. For example, start the WSO2 ESB as:
sh wso2server.sh -Djavax.net.debug=all
Once you set this, it will print the entire SSL handshake.
By going through the logs we figured out the issue: on this particular machine, by mistake, the IIS 'Require SSL' setting for this endpoint had been set to Accept instead of Ignore.
What does that mean, and why did it fail?
When that parameter is set to Accept, the server validates the client certificate only if the client presents one during the handshake.
In our case, at the ESB end we had set the following two system properties:
System.setProperty("javax.net.ssl.keyStore", "keyStorePath");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
When these two are set, the client automatically attaches its certificate to the SSL handshake whenever the server asks for one. In our case it failed because we were not expecting mutual authentication, so IIS did not trust the ESB's certificate as a client certificate.
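As an added example (not code from the original post or from WSO2), a small Python script that reads a javax.net.debug handshake trace and reports whether the server sent a CertificateRequest, whether the client answered with a certificate, and which alert ended the handshake. The trace below is constructed to mimic the "*** Message" lines of the older JSSE debug output; it is not a real capture from the ESB or IIS.

```python
import re

# Constructed trace modelled on javax.net.debug=all output of older JSSE
# versions (the "*** Message" lines); not a real capture from the ESB or IIS.
SAMPLE_TRACE = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [ Subject: CN=wcf.example.test, Issuer: CN=Example CA ]
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=Example CA>
*** ServerHelloDone
*** Certificate chain
chain [0] = [ Subject: CN=esb-client, Issuer: CN=Other CA ]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** CertificateVerify
main, RECV TLSv1 ALERT:  fatal, certificate_unknown
"""

ALERT_RE = re.compile(r"\b(RECV|SEND) (\S+) ALERT:\s+(\w+), (\w+)")

def analyse_handshake(trace):
    """Return who sent what in the trace plus a one-line diagnosis."""
    lines = [l.strip() for l in trace.splitlines()]
    # Messages before ServerHelloDone come from the server, those after it
    # (up to the alert) from the client.
    done = next((i for i, l in enumerate(lines) if l.startswith("*** ServerHelloDone")), len(lines))
    server, client = lines[:done], lines[done:]
    requested = any(l.startswith("*** CertificateRequest") for l in server)
    sent = False
    for i, l in enumerate(client):
        if l.startswith("*** Certificate chain"):
            nxt = client[i + 1] if i + 1 < len(client) else ""
            sent = not nxt.startswith("<Empty>")  # "<Empty>" means no client cert was sent
    alert = None
    for l in lines:
        m = ALERT_RE.search(l)
        if m:
            alert = {"direction": m.group(1), "level": m.group(3), "description": m.group(4)}
    if alert is None:
        diagnosis = "handshake completed"
    elif requested and sent:
        diagnosis = "server asked for a client certificate, the client sent one (javax.net.ssl.keyStore is set) and the server rejected it"
    elif requested:
        diagnosis = "server asked for a client certificate and the client sent none"
    else:
        diagnosis = "no client authentication involved; check the client's truststore"
    return {"server_requested_client_cert": requested, "client_sent_cert": sent,
            "alert": alert, "diagnosis": diagnosis}
```

Run it against a real trace by reading the console output of the ESB into `analyse_handshake`; the constructed sample reproduces the failure described in this post.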
Another tool that comes in handy for SSL debugging is openssl s_client.