[Webtest] Client Authentication in R_1812

"Bueche, Stefan" <Stefan.Bueche@partner.commerzbank.com>
Mon, 12 Dec 2011 12:15:29 +0100


Hello everybody,

we use Webtest for a Java application requiring client authentication with a client certificate. The whole process is set up correctly, at least from my limited understanding of the issue, and it is running with R_1804. Now we want to upgrade to R_1812, because we have some issues with JavaScript and would like to see if the new release can handle them. Unfortunately, R_1812 doesn't seem to send the client certificate to the server.

Configuration:
- keystore-client.jks containing the client's key
- truststore-client.jks containing the server's certificate and the chain to the root CA
- keystore-server.jks containing the server's key
- truststore-server.jks containing the client's certificate and the chain to the root CA

Run with R_1804: Basically runs, but with lots of JavaScript errors.

Run with R_1812:
DEBUG [wire] << "HTTP/1.1 403 A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).

I don't think the problem lies on the server side, as the tests run in principle with R_1804 and the application can be accessed if I point my browser to it and show the certificate we use for our web tests. Do you have any hints about how Webtest needs to be configured in order to get Client Authentication running with R_1812? Your help is very much appreciated.

Best regards,
Stefan



And, at last, the trace, truncated for readability:
[...]
trigger seeding of SecureRandom
done seeding SecureRandom
[INFO] Started Jetty Server
matching alias: localhost
[...]
11:37:43,914 DEBUG [DefaultClientConnectionOperator] Connecting to localhost:9443
15582013@qtp-33156000-0 - Acceptor0 SslSocketConnector@0.0.0.0:9443, setSoTimeout(60000) called
11137488@qtp-33156000-2, READ:  SSL v2, contentType = Handshake, translated length = 73
*** ClientHello, TLSv1
RandomCookie:  GMT: 1306843511 bytes = { 56, 196, 206, 0, 111, 73, 134, 118, 8, 160, 247, 69, 106, 117, 103, 76, 5, 14, 88, 150, 126, 24, 1, 127, 89, 72, 180, 1 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1306843511 bytes = { 52, 169, 220, 150, 8, 25, 141, 5, 48, 35, 251, 38, 154, 99, 195, 154, 146, 158, 201, 202, 0, 49, 137, 26, 82, 193, 244, 169 }
Session ID:  {78, 229, 217, 119, 73, 113, 217, 152, 22, 39, 138, 111, 136, 138, 75, 153, 88, 82, 203, 175, 246, 208, 222, 229, 202, 78, 162, 83, 64, 103, 18, 203}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
Cipher suite:  SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=xyz.com, O=Servers, L=London, ST=London, C=GB
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 108179520582626822638263617848905027511161983397035334859586617940396503275226297314419112641429673772815414154588185689450086794418126380116469876447746116876526529296927698475792482523613734425774095991267658995448239701473099823977872960073463698471939264453180732791079663625225376172627320425821382416099
  public exponent: 65537
  Validity: [From: Wed Jan 19 13:32:08 CET 2011,
               To: Fri Jan 18 13:32:08 CET 2013]
  Issuer: OU=xyz SubCA6, O=xyz.com
  SerialNumber: [    0173a1]
]
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT:  warning, description = close_notify
chain [1] = [
[
  Version: V3
  Subject: OU=xyz SubCA6, O=xyz.com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 21077179614980924552855547926845795082503734962648615738374707564394966771312487699344668730631450906054002105218090582799476155617105906711105854391477692983426765905285481004581815097457749138965413226194802444891334213260154330388969319371638451935786431474020328288795926093886156602391468417274716885691388701694666218335304910071020802195863670908856712216966723423610875601275038947993478888330783293320280090417025936486552048706050451547170489848081911307807776799405983928074385716345769457327635540581499808253060786405830073574096180165205179031691973127115275108578539472757566984943643155472507783162351
  public exponent: 65537
  Validity: [From: Mon Oct 27 17:31:04 CET 2008,
               To: Sun Oct 27 17:31:04 CET 2013]
  Issuer: OU=xyz.com Root CA, O=xyz.com
  SerialNumber: [    0b]
]
Finalizer, WRITE: TLSv1 Alert, length = 2
chain [2] = [
[
  Version: V3
  Subject: OU=xyz.com Root CA, O=xyz.com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 25044731012054645282617997587135108698221091449946114046965559409838353964603378893947190416649335671787115486301258240601119549460512507214213349309463747555130118623321803608778625008929468277426351567138634928886111370594014445909773807561246229952264996153215096847999657351678255661535577755892764953105218210180109130655895296582874388666225205057529302011092669389985743983002852428541926068473665396990966701377299066260745791087063571689460764459861960684953434847745337983185780406938492832264833331532126794763886678707290293547890427336915794820137224506816880965027470649206975301006854620635705104491821
  public exponent: 65537
  Validity: [From: Thu Feb 01 12:28:27 CET 2001,
               To: Tue Feb 02 12:28:27 CET 2016]
  Issuer: OU=xyz.com Root CA, O=xyz.com
  SerialNumber: [    00]
]
***
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<OU=xyz SubCA6, O=xyz.com>
<CN=g-hm-testuser-dev, OU=people, O=xyz.com>
<OU=xyz.com Root CA, O=xyz.com>
*** ServerHelloDone
11137488@qtp-33156000-2, WRITE: TLSv1 Handshake, length = 3153
11137488@qtp-33156000-2, READ: TLSv1 Handshake, length = 141
*** Certificate chain
***
RSA PreMasterSecret version: TLSv1
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret:  { 3, 1, 168, 147, 30, 214, 196, 68, 30, 168, 72, 187, 203, 126, 95, 236, 0, 99, 112, 166, 185, 35, 182, 232, 232, 129, 193, 134, 42, 196, 183, 31, 71, 47, 170, 109, 34, 80, 242, 154, 164, 52, 88, 236, 178, 67, 79, 14 }
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 A8 93 1E D6 C4 44   1E A8 48 BB CB 7E 5F EC  .......D..H..._.
0010: 00 63 70 A6 B9 23 B6 E8   E8 81 C1 86 2A C4 B7 1F  .cp..#......*...
0020: 47 2F AA 6D 22 50 F2 9A   A4 34 58 EC B2 43 4F 0E  G/.m"P...4X..CO.
CONNECTION KEYGEN:
Client Nonce:
0000: 4E E5 D9 77 38 C4 CE 00   6F 49 86 76 08 A0 F7 45  N..w8...oI.v...E
0010: 6A 75 67 4C 05 0E 58 96   7E 18 01 7F 59 48 B4 01  jugL..X.....YH..
Server Nonce:
0000: 4E E5 D9 77 34 A9 DC 96   08 19 8D 05 30 23 FB 26  N..w4.......0#.&
0010: 9A 63 C3 9A 92 9E C9 CA   00 31 89 1A 52 C1 F4 A9  .c.......1..R...
Master Secret:
0000: D4 E9 CE 2D B9 0D 87 0E   A4 14 F7 EB 3A 88 D2 79  ...-........:..y
0010: 1A 2C 38 BB DE A8 C1 E4   DB F6 E4 1E 2C 7B C4 29  .,8.........,..)
0020: 0B A0 8F E4 BF 26 EB 59   77 80 01 B1 57 17 82 0A  .....&.Yw...W...
Client MAC write Secret:
0000: 44 A1 DB 2B 94 6F E4 1F   D5 8E 6E 16 90 2E 54 0E  D..+.o....n...T.
Server MAC write Secret:
0000: 15 FF 37 23 23 85 A8 3A   57 EF 83 67 AC 82 B5 1F  ..7##..:W..g....
Client write key:
0000: A5 F4 93 97 7A C1 7E 5A   FC 5D A2 8D 3E 1F DC CB  ....z..Z.]..>...
Server write key:
0000: DF 87 5C BB A5 5B 1D F7   EA 57 98 2B DF 39 56 D0  ..\..[...W.+.9V.
... no IV for cipher
11137488@qtp-33156000-2, READ: TLSv1 Change Cipher Spec, length = 1
11137488@qtp-33156000-2, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 22, 109, 13, 249, 189, 223, 15, 199, 104, 110, 189, 65 }
***
11137488@qtp-33156000-2, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 210, 22, 171, 134, 233, 234, 125, 59, 47, 47, 106, 168 }
***
11137488@qtp-33156000-2, WRITE: TLSv1 Handshake, length = 32
%% Cached server session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
11:37:44,039 DEBUG [RequestAddCookies] CookieSpec selected: mine
11:37:44,039 DEBUG [RequestAuthCache] Auth cache not set in the context
11:37:44,039 DEBUG [DefaultHttpClient] Attempt 1 to execute request
11:37:44,039 DEBUG [DefaultClientConnection] Sending request: GET /index.html HTTP/1.1
11:37:44,039 DEBUG [wire] >> "GET /index.html HTTP/1.1[\r][\n]"
11:37:44,039 DEBUG [wire] >> "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Accept-Language: en-us,en;q=0.5[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Accept: */*[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Host: localhost:9443[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Connection: Keep-Alive[\r][\n]"
11:37:44,039 DEBUG [wire] >> "[\r][\n]"
11:37:44,039 DEBUG [headers] >> GET /index.html HTTP/1.1
11:37:44,039 DEBUG [headers] >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
11:37:44,039 DEBUG [headers] >> Accept-Language: en-us,en;q=0.5
11:37:44,039 DEBUG [headers] >> Accept: */*
11:37:44,039 DEBUG [headers] >> Host: localhost:9443
11:37:44,039 DEBUG [headers] >> Connection: Keep-Alive
11137488@qtp-33156000-2, READ: TLSv1 Application Data, length = 196
11137488@qtp-33156000-2, WRITE: TLSv1 Application Data, length = 357
11137488@qtp-33156000-2, WRITE: TLSv1 Application Data, length = 1741
11:37:44,054 DEBUG [wire] << "HTTP/1.1 403 A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).[\r][\n]"
11:37:44,054 DEBUG [wire] << "Content-Type: text/html; charset=iso-8859-1[\r][\n]"
11:37:44,070 DEBUG [wire] << "Cache-Control: must-revalidate,no-cache,no-store[\r][\n]"
11:37:44,070 DEBUG [wire] << "Content-Length: 1725[\r][\n]"
11:37:44,070 DEBUG [wire] << "Server: Jetty(6.1.24)[\r][\n]"
11:37:44,070 DEBUG [wire] << "[\r][\n]"
11:37:44,070 DEBUG [DefaultClientConnection] Receiving response: HTTP/1.1 403 A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).
11:37:44,070 DEBUG [headers] << HTTP/1.1 403 A client certificate is required for accessing this web application but the server's listener is not configured for mutual authentication (or the client did not provide a certificate).
[...]
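The trace above already contains the diagnosis: the server sends a CertificateRequest listing its accepted CAs, and the client's answering "Certificate chain" block is empty, which is exactly the "(or the client did not provide a certificate)" branch of the 403. The following script is an added example (not from the post, and not part of Webtest or its HttpClient/JSSE stack) that automates that reading of a `-Djavax.net.debug=ssl` handshake log: it separates the server's chain from the client's, records the CA names from the CertificateRequest, and reports whether the client answered with a certificate whose issuer the server will accept. The trace samples embedded in it are constructed to mirror the shape of the post's log, and the function names are the example's own.

```python
import re

# Constructed sample trace (not copied from the post) in the shape of a JSSE
# handshake log; hex dumps and timestamps are omitted.  It reproduces the
# failure in the post: CertificateRequest sent, empty client chain returned.
TRACE_EMPTY_CLIENT_CHAIN = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
***
*** Certificate chain
chain [0] = [
[
  Subject: CN=localhost, OU=xyz.com, O=Servers, L=London, C=GB
  Issuer: OU=xyz SubCA6, O=xyz.com
]
Finalizer, called close()
chain [1] = [
[
  Subject: OU=xyz SubCA6, O=xyz.com
  Issuer: OU=xyz.com Root CA, O=xyz.com
]
***
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<OU=xyz SubCA6, O=xyz.com>
<OU=xyz.com Root CA, O=xyz.com>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** Finished
"""

# Constructed client Certificate message, used to build the "healthy" variants.
CLIENT_CHAIN_TEMPLATE = """\
*** Certificate chain
chain [0] = [
[
  Subject: CN=webtest-client, OU=people, O=xyz.com
  Issuer: {issuer}
]
***
"""


def trace_with_client_cert(issuer):
    """Same handshake, but the client answers with a certificate from `issuer`."""
    return TRACE_EMPTY_CLIENT_CHAIN.replace(
        "*** Certificate chain\n***\n", CLIENT_CHAIN_TEMPLATE.format(issuer=issuer))


_CHAIN_ENTRY = re.compile(r"^chain \[(\d+)\] = \[$")


def parse_handshake(trace):
    """Extract the mutual-TLS relevant parts of a JSSE handshake trace.

    JSSE prints the server's "Certificate chain" before CertificateRequest and
    the client's answer after it, so the request marker decides which list a
    chain block belongs to.  Interleaved lines from other threads are ignored.
    """
    server_chain, client_chain, accepted = [], [], []
    requested = False
    mode = None      # "chain", "request" or None
    target = None    # list currently receiving chain entries
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("*** "):
            msg = line[4:]
            if msg == "Certificate chain":
                target = client_chain if requested else server_chain
                mode = "chain"
            elif msg == "CertificateRequest":
                requested = True
                mode = "request"
            else:
                mode = None
        elif line == "***":
            mode = None
        elif mode == "chain":
            m = _CHAIN_ENTRY.match(line)
            if m:
                target.append({"index": int(m.group(1)), "subject": None, "issuer": None})
            elif target and line.startswith("Subject:"):
                target[-1]["subject"] = line[len("Subject:"):].strip()
            elif target and line.startswith("Issuer:"):
                target[-1]["issuer"] = line[len("Issuer:"):].strip()
        elif mode == "request" and line.startswith("<") and line.endswith(">"):
            accepted.append(line[1:-1])
    return {"server_chain": server_chain, "certificate_requested": requested,
            "accepted_issuers": accepted, "client_chain": client_chain}


def diagnose(trace):
    """Return (code, detail) for a handshake trace.

    Codes: NOT_REQUESTED (listener not set up for mutual auth),
    EMPTY_CLIENT_CHAIN (the post's symptom: client key material not wired
    into the SSL context), ISSUER_NOT_ACCEPTED, OK.
    """
    hs = parse_handshake(trace)
    if not hs["certificate_requested"]:
        return "NOT_REQUESTED", "server never sent CertificateRequest"
    if not hs["client_chain"]:
        return "EMPTY_CLIENT_CHAIN", ("server requested a client certificate but the "
                                      "client answered with an empty Certificate message")
    leaf = hs["client_chain"][0]
    # Textual DN comparison is a simplification of proper X.500 name matching.
    if hs["accepted_issuers"] and leaf["issuer"] not in hs["accepted_issuers"]:
        return "ISSUER_NOT_ACCEPTED", (f"client leaf issuer {leaf['issuer']!r} is not among "
                                       f"the accepted CAs {hs['accepted_issuers']}")
    return "OK", f"client presented {leaf['subject']!r} issued by {leaf['issuer']!r}"


if __name__ == "__main__":
    for name, t in [("post-like trace", TRACE_EMPTY_CLIENT_CHAIN),
                    ("client cert from SubCA6", trace_with_client_cert("OU=xyz SubCA6, O=xyz.com")),
                    ("client cert from other CA", trace_with_client_cert("OU=Other CA, O=example.org"))]:
        print(f"{name}: {diagnose(t)}")
```

Run against a real log, the three non-OK codes separate the two halves of the 403 text: NOT_REQUESTED points at the Jetty connector, EMPTY_CLIENT_CHAIN points at the client side (the key store holding the client's key is not being offered by the client's key manager, which is what the post's trace shows), and ISSUER_NOT_ACCEPTED points at a mismatch between the client certificate and the CAs the server lists in its CertificateRequest.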