JBoss7客户端证书认证：SSL会话中的Ciper套件为SSL_NULL_WITH_NULL_NULL

Question

I am trying to set up client certificate authentication with JBoss (so far tested with 7.1.0 Final and 7.1.1 Final , Java 6 and Java7 ).

1) I've generated certificate based on this

2) I've copied keystore.server and server.truststore into /standalone/configuration folder.

3) In standalone.xml I've created security domain

<security-domain name="RequireCertificateDomain">
    <authentication>
        <login-module code="CertificateRoles" flag="required">
              <module-option name="securityDomain" value="RequireCertificateDomain"/>
              <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
              <module-option name="usersProperties" value="${jboss.server.config.dir}/my-users.properties"/>
              <module-option name="rolesProperties" value="${jboss.server.config.dir}/my-roles.properties"/>
        </login-module>
    </authentication>
    <jsse keystore-password="changeit" keystore-url="file:C:/jboss/jboss-as-7.1.1.Final/standalone/configuration/server.keystore" truststore-password="changeit" truststore-url="file:C:/jboss/jboss-as-7.1.1.Final/standalone/configuration/server.truststore"/>
</security-domain>

and HTTPS connector:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
     <ssl password="changeit" certificate-key-file="${jboss.server.config.dir}/server.keystore" verify-client="want" ca-certificate-file="${jboss.server.config.dir}/server.truststore"/>
</connector>

4) I've imported certificate to /lib/security/cacerts (later I've been trying access my secured WS by Spring RestTemplate - also no luck)

5) I've imported certificate into Internet Options -> Content -> Certificates -> Trusted Root CA (I can see that cert is trusted)

6) I've created simple JavaEE Rest WS, web.xml:

<security-constraint>
    <display-name>Area secured</display-name>
    <web-resource-collection>
        <web-resource-name>protected_resources</web-resource-name>
        <url-pattern>/api/account/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>User with any role</description>
        <role-name>*</role-name>
    </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>


<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

jboss-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>RequireCertificateDomain</security-domain>  
</jboss-web>

7) When trying to access via browser (Chrome/Firefox/IE) I get HTTP Status 401 - No client certificate chain in this request . In server.log I can see the followings:

Handshake failed: java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL

I've search the Internet and found out that it may be a bug but was supposed to be fixed in 7.1.0 Final release. Unfortunately I keep getting this error both on 7.1.0 and 7.1.1 versions.

Am I missing something?

Answer 1

I am running into the same issue. I take it that the browser is not even prompting you to choose the cert? Have you tried using curl to send the credentials and turned up javax.net.debug=ssl,handshake ? You can then see the client and server responses in your jboss logs. Here is the curl command.

curl --cert ./cert.pem --key ./key.pem https://jbosshost:port -k -v

You will need to use openssl to convert your p12 to cert and key .pems