[Webtest] Client Authentication in R_1812

"Racic Michel (KSPF 821)" <michel.racic@credit-suisse.com>
Mon, 12 Dec 2011 17:55:38 +0100


Hi Stefan

I have the same issues with R1812 but didn't have enough time to really
investigate into it.
R1811 works fine with it but HTMLUnit was upgraded in R1812...
Something introduced in R1812 must be the cause of it.

For my test of this I run the same testcases but using different WebTest
base versions to exclude server related issues.

Will post an update if I find more information.

Best regards

Michel

-----Original Message-----
From: webtest-admin@lists.canoo.com
[mailto:webtest-admin@lists.canoo.com] On Behalf Of Bueche, Stefan
Sent: Monday, December 12, 2011 12:15 PM
To: 'webtest@lists.canoo.com'
Subject: [Webtest] Client Authentication in R_1812


Hello everybody,

we use Webtest for a Java application requiring client authentication
with a client certificate. The whole process is set up correctly, at
least from my limited understanding of the issue, and it is running with
R_1804. Now we want to upgrade to R_1812, because we have some issues
with JavaScript and would like to see if the new release can handle
them. Unfortunately, R_1812 doesn't seem to send the client certificate
to the server.

Configuration:
- keystore-client.jks containing the client's key
- truststore-client.jks containing the server's certificate and the
chain to the root CA
- keystore-server.jks containing the server's key
- truststore-server.jks containing the client's certificate and the
chain to the root CA

Run with R_1804: Basically runs, but with lots of JavaScript errors.

Run with R_1812:
DEBUG [wire] << "HTTP/1.1 403 A client certificate is required for
accessing this web application but the server's listener is not
configured for mutual authentication (or the client did not provide a
certificate).

I don't think the problem lies on the server side, as the tests run in
principle with R_1804 and the application can be accessed if I point my
browser to it and show the certificate we use for our web tests. Do you
have any hints about how Webtest needs to be configured in order to get
Client Authentication running with R_1812? Your help is very much
appreciated.

Best regards,
Stefan



And, at last, the trace, truncated for readability:
[...]
trigger seeding of SecureRandom
done seeding SecureRandom
[INFO] Started Jetty Server
matching alias: localhost
[...]
11:37:43,914 DEBUG [DefaultClientConnectionOperator] Connecting to
localhost:9443
15582013@qtp-33156000-0 - Acceptor0 SslSocketConnector@0.0.0.0:9443,
setSoTimeout(60000) called
11137488@qtp-33156000-2, READ:  SSL v2, contentType = Handshake,
translated length = 73
*** ClientHello, TLSv1
RandomCookie:  GMT: 1306843511 bytes = { 56, 196, 206, 0, 111, 73, 134,
118, 8, 160, 247, 69, 106, 117, 103, 76, 5, 14, 88, 150, 126, 24, 1,
127, 89, 72, 180, 1 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1306843511 bytes = { 52, 169, 220, 150, 8, 25, 141,
5, 48, 35, 251, 38, 154, 99, 195, 154, 146, 158, 201, 202, 0, 49, 137,
26, 82, 193, 244, 169 }
Session ID:  {78, 229, 217, 119, 73, 113, 217, 152, 22, 39, 138, 111,
136, 138, 75, 153, 88, 82, 203, 175, 246, 208, 222, 229, 202, 78, 162,
83, 64, 103, 18, 203}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
Cipher suite:  SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=xyz.com, O=Servers, L=London, ST=London,
C=GB
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus:
108179520582626822638263617848905027511161983397035334859586617940396503
275226297314419112641429673772815414154588185689450086794418126380116469
876447746116876526529296927698475792482523613734425774095991267658995448
239701473099823977872960073463698471939264453180732791079663625225376172
627320425821382416099
  public exponent: 65537
  Validity: [From: Wed Jan 19 13:32:08 CET 2011,
               To: Fri Jan 18 13:32:08 CET 2013]
  Issuer: OU=xyz SubCA6, O=xyz.com
  SerialNumber: [    0173a1]
]
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT:  warning, description = close_notify
chain [1] = [
[
  Version: V3
  Subject: OU=xyz SubCA6, O=xyz.com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus:
210771796149809245528555479268457950825037349626486157383747075643949667
713124876993446687306314509060540021052180905827994761556171059067111058
543914776929834267659052854810045818150974577491389654132261948024448913
342132601543303889693193716384519357864314740203282887959260938861566023
914684172747168856913887016946662183353049100710208021958636709088567122
169667234236108756012750389479934788883307832933202800904170259364865520
487060504515471704898480819113078077767994059839280743857163457694573276
355405814998082530607864058300735740961801652051790316919731271152751085
78539472757566984943643155472507783162351
  public exponent: 65537
  Validity: [From: Mon Oct 27 17:31:04 CET 2008,
               To: Sun Oct 27 17:31:04 CET 2013]
  Issuer: OU=xyz.com Root CA, O=xyz.com
  SerialNumber: [    0b]
]
Finalizer, WRITE: TLSv1 Alert, length = 2
chain [2] = [
[
  Version: V3
  Subject: OU=xyz.com Root CA, O=xyz.com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus:
250447310120546452826179975871351086982210914499461140469655594098383539
646033788939471904166493356717871154863012582406011195494605125072142133
493094637475551301186233218036087786250089294682774263515671386349288861
113705940144459097738075612462299522649961532150968479996573516782556615
355777558927649531052182101801091306558952965828743886662252050575293020
110926693899857439830028524285419260684736653969909667013772990662607457
910870635716894607644598619606849534348477453379831857804069384928322648
333315321267947638866787072902935478904273369157948201372245068168809650
27470649206975301006854620635705104491821
  public exponent: 65537
  Validity: [From: Thu Feb 01 12:28:27 CET 2001,
               To: Tue Feb 02 12:28:27 CET 2016]
  Issuer: OU=xyz.com Root CA, O=xyz.com
  SerialNumber: [    00]
]
***
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<OU=xyz SubCA6, O=xyz.com>
<CN=g-hm-testuser-dev, OU=people, O=xyz.com>
<OU=xyz.com Root CA, O=xyz.com>
*** ServerHelloDone
11137488@qtp-33156000-2, WRITE: TLSv1 Handshake, length = 3153
11137488@qtp-33156000-2, READ: TLSv1 Handshake, length = 141
*** Certificate chain
***
RSA PreMasterSecret version: TLSv1
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret:  { 3, 1, 168, 147, 30, 214, 196, 68, 30, 168, 72, 187,
203, 126, 95, 236, 0, 99, 112, 166, 185, 35, 182, 232, 232, 129, 193,
134, 42, 196, 183, 31, 71, 47, 170, 109, 34, 80, 242, 154, 164, 52, 88,
236, 178, 67, 79, 14 }
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 A8 93 1E D6 C4 44   1E A8 48 BB CB 7E 5F EC
.......D..H..._.
0010: 00 63 70 A6 B9 23 B6 E8   E8 81 C1 86 2A C4 B7 1F
.cp..#......*...
0020: 47 2F AA 6D 22 50 F2 9A   A4 34 58 EC B2 43 4F 0E
G/.m"P...4X..CO.
CONNECTION KEYGEN:
Client Nonce:
0000: 4E E5 D9 77 38 C4 CE 00   6F 49 86 76 08 A0 F7 45
N..w8...oI.v...E
0010: 6A 75 67 4C 05 0E 58 96   7E 18 01 7F 59 48 B4 01
jugL..X.....YH..
Server Nonce:
0000: 4E E5 D9 77 34 A9 DC 96   08 19 8D 05 30 23 FB 26
N..w4.......0#.&
0010: 9A 63 C3 9A 92 9E C9 CA   00 31 89 1A 52 C1 F4 A9
.c.......1..R...
Master Secret:
0000: D4 E9 CE 2D B9 0D 87 0E   A4 14 F7 EB 3A 88 D2 79
...-........:..y
0010: 1A 2C 38 BB DE A8 C1 E4   DB F6 E4 1E 2C 7B C4 29
.,8.........,..)
0020: 0B A0 8F E4 BF 26 EB 59   77 80 01 B1 57 17 82 0A
.....&.Yw...W...
Client MAC write Secret:
0000: 44 A1 DB 2B 94 6F E4 1F   D5 8E 6E 16 90 2E 54 0E
D..+.o....n...T.
Server MAC write Secret:
0000: 15 FF 37 23 23 85 A8 3A   57 EF 83 67 AC 82 B5 1F
..7##..:W..g....
Client write key:
0000: A5 F4 93 97 7A C1 7E 5A   FC 5D A2 8D 3E 1F DC CB
....z..Z.]..>...
Server write key:
0000: DF 87 5C BB A5 5B 1D F7   EA 57 98 2B DF 39 56 D0
..\..[...W.+.9V.
... no IV for cipher
11137488@qtp-33156000-2, READ: TLSv1 Change Cipher Spec, length = 1
11137488@qtp-33156000-2, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 22, 109, 13, 249, 189, 223, 15, 199, 104, 110, 189, 65 }
***
11137488@qtp-33156000-2, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 210, 22, 171, 134, 233, 234, 125, 59, 47, 47, 106, 168 }
***
11137488@qtp-33156000-2, WRITE: TLSv1 Handshake, length = 32
%% Cached server session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
11:37:44,039 DEBUG [RequestAddCookies] CookieSpec selected: mine
11:37:44,039 DEBUG [RequestAuthCache] Auth cache not set in the context
11:37:44,039 DEBUG [DefaultHttpClient] Attempt 1 to execute request
11:37:44,039 DEBUG [DefaultClientConnection] Sending request: GET
/index.html HTTP/1.1
11:37:44,039 DEBUG [wire] >> "GET /index.html HTTP/1.1[\r][\n]"
11:37:44,039 DEBUG [wire] >> "User-Agent: Mozilla/4.0 (compatible; MSIE
6.0; Windows 98)[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Accept-Language: en-us,en;q=0.5[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Accept: */*[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Host: localhost:9443[\r][\n]"
11:37:44,039 DEBUG [wire] >> "Connection: Keep-Alive[\r][\n]"
11:37:44,039 DEBUG [wire] >> "[\r][\n]"
11:37:44,039 DEBUG [headers] >> GET /index.html HTTP/1.1
11:37:44,039 DEBUG [headers] >> User-Agent: Mozilla/4.0 (compatible;
MSIE 6.0; Windows 98)
11:37:44,039 DEBUG [headers] >> Accept-Language: en-us,en;q=0.5
11:37:44,039 DEBUG [headers] >> Accept: */*
11:37:44,039 DEBUG [headers] >> Host: localhost:9443
11:37:44,039 DEBUG [headers] >> Connection: Keep-Alive
11137488@qtp-33156000-2, READ: TLSv1 Application Data, length = 196
11137488@qtp-33156000-2, WRITE: TLSv1 Application Data, length = 357
11137488@qtp-33156000-2, WRITE: TLSv1 Application Data, length = 1741
11:37:44,054 DEBUG [wire] << "HTTP/1.1 403 A client certificate is
required for accessing this web application but the server's listener is
not configured for mutual authentication (or the client did not provide
a certificate).[\r][\n]"
11:37:44,054 DEBUG [wire] << "Content-Type: text/html;
charset=iso-8859-1[\r][\n]"
11:37:44,070 DEBUG [wire] << "Cache-Control:
must-revalidate,no-cache,no-store[\r][\n]"
11:37:44,070 DEBUG [wire] << "Content-Length: 1725[\r][\n]"
11:37:44,070 DEBUG [wire] << "Server: Jetty(6.1.24)[\r][\n]"
11:37:44,070 DEBUG [wire] << "[\r][\n]"
11:37:44,070 DEBUG [DefaultClientConnection] Receiving response:
HTTP/1.1 403 A client certificate is required for accessing this web
application but the server's listener is not configured for mutual
authentication (or the client did not provide a certificate).
11:37:44,070 DEBUG [headers] << HTTP/1.1 403 A client certificate is
required for accessing this web application but the server's listener is
not configured for mutual authentication (or the client did not provide
a certificate).
[...]
_______________________________________________
WebTest mailing list
WebTest@lists.canoo.com
http://lists.canoo.com/mailman/listinfo/webtest
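The trace above shows why the server answers 403: after ServerHelloDone the server reads a 141-byte Handshake record whose "*** Certificate chain" block contains no chain entries, i.e. the client answered the CertificateRequest with an empty Certificate message. JSSE does that whenever its X509KeyManager finds no key-store entry whose key type and issuer chain match the server's "Cert Types" and "Cert Authorities". The diagnostic below is an added example (not WebTest's or HtmlUnit's code) that asks the default key manager exactly that question, using the CA names and key types copied from the CertificateRequest in the trace. It assumes the key store is Stefan's keystore-client.jks, that one password protects both the store and the key entry, and that the JDK's default KeyManagerFactory algorithm is in use; the class name ClientCertCheck and its helper names are the author's choice here, not anything from WebTest.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/*
 * Added diagnostic (not WebTest/HtmlUnit code): reproduces the decision JSSE
 * makes when it receives the CertificateRequest shown in the trace and reports
 * which key-store entry, if any, would be offered as the client certificate.
 *
 *   java ClientCertCheck keystore-client.jks <keystore password>
 */
public class ClientCertCheck {

    // "Cert Authorities" copied from the CertificateRequest in the trace.
    static final String[] REQUESTED_CA_DNS = {
        "OU=xyz SubCA6, O=xyz.com",
        "CN=g-hm-testuser-dev, OU=people, O=xyz.com",
        "OU=xyz.com Root CA, O=xyz.com",
    };
    // "Cert Types: RSA, DSS" from the trace; JSSE spells the DSS key type "DSA".
    static final String[] KEY_TYPES = { "RSA", "DSA" };

    /** Loads a JKS key store; the same password is assumed for store and key entry. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Prints every private-key entry with the issuer chain the server would have to accept. */
    static void describeKeyEntries(KeyStore ks) throws Exception {
        Date now = new Date();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-cert entries are never offered as a client certificate
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            int len = chain == null ? 0 : chain.length;
            System.out.println("key entry '" + alias + "', chain length " + len);
            for (int i = 0; i < len; i++) {
                X509Certificate x = (X509Certificate) chain[i];
                boolean validNow = !now.before(x.getNotBefore()) && !now.after(x.getNotAfter());
                System.out.println("  [" + i + "] subject=" + x.getSubjectX500Principal()
                        + " issuer=" + x.getIssuerX500Principal()
                        + " key=" + x.getPublicKey().getAlgorithm()
                        + " validNow=" + validNow);
            }
        }
    }

    /**
     * Asks the default X509KeyManager the same question the TLS client asks it
     * after reading the CertificateRequest. A null result means "send an empty
     * Certificate message", which is what the server in the trace received.
     */
    static String chooseClientAlias(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager km = null;
        for (KeyManager m : kmf.getKeyManagers()) {
            if (m instanceof X509KeyManager) {
                km = (X509KeyManager) m;
                break;
            }
        }
        if (km == null) {
            throw new IllegalStateException("no X509KeyManager available");
        }
        List<Principal> issuers = new ArrayList<>();
        for (String dn : REQUESTED_CA_DNS) {
            issuers.add(new X500Principal(dn));
        }
        return km.chooseClientAlias(KEY_TYPES, issuers.toArray(new Principal[0]), (Socket) null);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ClientCertCheck <keystore.jks> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = loadKeyStore(args[0], password);
        describeKeyEntries(ks);
        String alias = chooseClientAlias(ks, password);
        if (alias == null) {
            System.out.println("RESULT: no entry matches the requested CAs and key types;"
                    + " JSSE would send an empty Certificate message");
        } else {
            System.out.println("RESULT: JSSE would offer alias '" + alias + "'");
        }
    }
}
```

Two outcomes are worth separating. If the tool prints no matching alias, the key store itself is the problem (wrong issuer chain, expired entry, or a trusted-cert entry where a key entry was expected) and no WebTest version will send the certificate. If it does name an alias while the R_1812 run still shows an empty chain, the key store is sound but the HTTP client inside the upgraded HtmlUnit is not using it, for example because it builds its own SSLContext instead of the JSSE default configured through `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword`; that narrows the search to how the new release wires its SSL socket factory.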