J2me https negotiation - Client Certificate

Similar Messages

• Oracle HTTP Server, client certificate chain

  I use Oracle (Apache) HTTP Server, installed from Oracle SOA Suit distrib.
  There're 2 types of ssl client cert chains that I use: client-issue-root, client-root.
  My ssl works fine, unless I should config mod_ossl to accept only user certificates signed by certificate issuer (not root).
  I add SSLRequire directive:
  SSLOptions StdEnvVars ExportCertData
  SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == file("/path/to/issue.cer"))
  but this doesn't work (condition expression always turn in false), and
  SSLOptions StdEnvVars ExportCertData
  SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == "")
  condition always turn in true.
  So, SSL_CLIENT_CERT_CHAIN_0 is ALWAYS EMPTY.
  I've tried to use different versions of ApacheModuleOSSL.dll (build in 09/19/2006 version 10.1.3.1, 06/12/2007 version 10.1.3.3), result is the same.
  I've found something about mod_ssl (not mod_ossl) in "Technologies for Information Environment Security: TIES project report" (http://edina.ac.uk/projects/ties/ties_23-9.pdf):
  "NOTE: This is the second, and more significant, problem we encountered in this area of mod_ssl: the first caused all the
  SSL_CLIENT_CERT_CHAIN_n environmental variables to be empty. We traced this bug back to a literal +17 offset into a
  character string that should have been +18, but by the time we had done so, a fixed version was available."
  Is there the same problem in mod_ossl?
  Does anybody have any ideas?

  Once again)
  http://www.mail-archive.com/[email protected]/msg11705.html
  I've got a question for Oracle developers: is this the same problem in OHS and OHS2 mod_ossl?
  And if yes, when we can wait the patch?
  Thanks!

• HTTPS request signed by client certificate from PL/SQL procedure

  Hi All, please help.
  The PL/SQL procedure connects to different web services, using both HTTP/HTTPS, for HTTPS sever certificates were used. Everything was OK.
  The next service requires client to sign requests with client certificate. I made the client certificate, sign it by CA, store it in Wallet Manager.
  Is here the possibility to send signed HTTPS request from PL/SQL?
  If not, how to do it using Java and encapsulate for PL/SQL?
  Please answer ASAP!!!

  It is pretty straight-forward to make HTTPS requests with UTL_HTTP.
  To do so, you first need to create an Oracle wallet on the database server host with Oracle Wallet Manager. If your database resides on Windows, I believe a short-cut has been created in the Windows menu. On Linux, it can be invoked from $ORACLE_HOME/bin/owm.
  Once the wallet is created, you need to make an additional call to utl_http.set_wallet(<wallet-directory>, <wallet-password>) before any utl_http.request or utl_http.begin_request calls. The <wallet-directory> is the wallet directory where you will find the cwallet.sso and/or ewallet.p12 files, using the format "file:/<wallet-directory>". For example:
  utl_http.set_wallet('file:/home/oracle/wallets/my_wallet/', '123456');
  When an Oracle wallet is created, it is pre-populated with common certificate authorities' certificates (e.g. Verisign). In the event that the server certificate of the HTTPS host is not signed by one of those common certificate authorities, you need to import the additional certificate authority's certificate in your wallet using Oracle Wallet Manager.

• HTTP Error 403.16 - Forbidden, Your client certificate is either not trusted or is invalid.

  Dear Experts,
  I have tried mutual authentication with sample website as per below link:
  http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/#comment-19427
  1. Created a Root certificate, client and server certificate based on this root certificate by using Makecert command as per below link:
  2. Import these certificates in Trusted Root Certification authority of both the stores (Local and Current user)
  3. Created a sample website with HTML page
  4.Hosted this website in IIS with HTTPS binding and selected the above server certifcate
  5. Enabled "Require SSL" and selected "Require" under SSL settings of website
  6. Exported the client certificate in base64 format --> Edited in notepad --> made the key into single line
  7. Placed the above key under Configuration editor --> system.webServer/security/authentication/iisClientCertificateMappingAuthentication --> one to one mapping with user credentials.
  8. I tried to access the website
  But, I ended with below error :(
  HTTP Error 403.16 - Forbidden
  Your client certificate is either not trusted or is invalid.
  Detailed Error Information:
  Module    IIS Web Core
  Notification    BeginRequest
  Handler    ExtensionlessUrlHandler-Integrated-4.0
  Error Code    0x800b0109
  Requested URL    https://localhost:443/
  Physical Path    E:\SampleRoot
  Logon Method    Not yet determined
  Logon User    Not yet determined
  Could you please let me know what I missed here.
  Note:
  I am using windows8, IIS8.0.
  Thanks in advance.
  Regards,
  M. Prasad Reddy.

  Hi Prasad,
    As per this case, I have been shared the corresponding details below
    1.First of all,make sure that you import the certificate whether it belongs to Trusted RootCertification or not .
      If that is the case ,Goto Microsoft Management Console (MMC), open the Certificates snap-in. 
      For instance, the certificate store that WCF is configured to retrieve X.509 certificates from, select the Trusted RootCertification Authoritiesfolder. Under the Trusted Root Certification Authorities folder, right-click the Certificatesfolder,
  point to All Tasks, and then click Import.
    2.you configured the server certificate as well, But check the client certificate whether have root certificate or not by following command?
  makecert -pe -n "CN=SSLClientAuthClient"
           -eku 1.3.6.1.5.5.7.3.2 -is root -ir localmachine -in WebSSLTestRoot
           -ss my -sr currentuser -len 2048
    3. Also check the Service Certificate whether its configured on the WCF Service side
    4.Make sure that you followed all the steps are done correctly from your given referred link below
  http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/#comment-19427
    5.Besides, please try to set the require SSL as ignore to see if you can access the website.
  If the above details cannot able to resolve this issue, please post your config file here.

• How to install and use a client certificate for use with https sites on Android?

  I need to be able to install a .p12 client side certificate to be sent to the admin section of my company's site to authenticate me as an employee. In FireFox for PC there is the ability to install this client certificate. In the mobile I cannot figure out how to get this to work.
  I just bought an Asus Transformer Android Tablet running Honeycomb. I have tried the following method below:
  http://support.mozilla.com/en-US/questions/786035
  I get to the screen where I am able to present and choose a certificate but I still get the (Error code: ssl_error_handshake_failure_alert).
  Now that Android is really picking up steam, there needs to be a way to install client side certificates to present to sites requesting them.
  Is there another way to hack the system to allow or install a client side certificate in .p12 format?

  Sorry, there's not a good way to install client certificates in Firefox 4 for Android. A bug has been filed, and any work that we do on adding this feature will be tracked here:
  https://bugzilla.mozilla.org/show_bug.cgi?id=478938

• HTTPS connection with client certificate not working in spartan

  Spartan does not show certificate for the user to select
  when I click the https link.
  The certificates (taken from a smartcard) are indeed present in the user CertStore.
  It works with IE 11 and Chrome.
  Has somebody any suggestions ?
  Thanks.

  in fact you are more using a reverse-proxy than a proxy since it is on the server part..
  You have to put all the SSL server part on the reserve-proxy itself and not on the final RSS feed. Then, the reverse-proxy will authenticate your client and gets its certificate. After that, either this proxy will open a plain connection (no ssl) towards the RSS, or you can also open a ssl connection but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I used this solution many times in professional hosting.
  hope it helps !

• HTTPS Without client authentication shows error of Certificate

  Hi Experts,
  I am trying to develop a SOAP to RFC scenario where in SOAP sender HTTP security level - HTTPS Without Client Authentication is selected.
  I have downloaded WSDL from Sender agreement and trying to test web service from SOAPUI.  Now as per my understanding simply placing request to HTTPS:<host>:<port>:XISOAPAdapter/....   with correct user should work and this scenario shouldn't need any certificates.
  However in SOAPUI and even in RWB SOAP Sender, I am receiving error that - Client Certificate required.
  Any comments on why would it be happening ?    In fact whatever option in HTTP Security level I select, error remains same. In NWA is there any other configuration to be done to make this work ?
  Is below understanding right ?
  -- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do
  Thanks..
  regards,
  Omkar.

  Hello Omkar,
  What you are trying to do is Consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for late response..i just came across this post when i was searching something else )
  1)How did you generate the certificate and the private key? Because Key Generation plays a Big Part in it. The Key should have been signed by a CA. Though its not signed by a CA, a trick which would work is, at the time of Key generation, provide the Organization Name as SAP Trust Community and Country as DE.
  2) At the time of Key Generation definitely it shall ask for a password. You remember that.
  3) Export the Private Key as PCKS12 format and the certificate as Base64 format and have it in your local system, (shall be used later in SOAP UI and NWA)
  Here follows the major part
  4) Open NWA and go to Configuration Management->Authentication
  5) Go to Properties Taband click Modify
  6)  Under Logon Application select the check box "Enable Showing Certificate Logon URL Link on Logon Page" and save it.
  7) Now go to the Components Tab.
  8) Search for client_cert Policy Configuration name and Edit it it. Make sure the following Login Modules are maintained in the same Order
  ==> Name: com.sap.engine.services.security.server.jaas.ClientCertLoginModule
         Flag : Sufficient
  ==> Name: BasicPasswordLoginModule
         Flag: Optional
  9) Now Select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add anew entry (case sensitive). Save it.
  ==>Name: Rule1.getUserFrom
         value : wholeCert
  10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter
  and edit it.
  11) Under the Authentication stack select the template client_cert against the used template label. and save it
  12)If you are using AXIS Adapter, do the steps 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.
  13) Now in NWA navigate to Operation management->Identity Management
  14) Search for the user PIISUSER (or any user id which you thing has good amount of authorizations to access the service)
  15)Click Modify and go to the TAB Certificates and upload the certificate (not the private key) which you downloaded in step 3.
  16) With this setup what you have done is you have created proper certificate, enabled certificate based logon for SOAP and AXIS adapter and associated the certificate with a user id.
  17) usually in Dual stack PI, we will have the same certificate added to the server pse in strustsso2 tcode. But since its single stack, just make sure in the cert and keys you add this certificate to teh Trusted CAs and also to the Server Keystore.
  18) Now in SOAP UI Right Click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the Private Key
  19) In SOAP UI under the operation name, in the Request, in stead of providing user credentials, choose the private key name against the SSL Keystore entry.
  20) Before you execute the scenario  make sure you have chosen the HTTPS url and https port is proper. Usually its 443, but some customers configure their own port.
  Scenario should work now. Else if you track it using XPI Inspector, you can find out easily at which step it has gone wrong.
  Good Luck!!
  Best Regards,
  Sundar

• Proxy https connection with client certificate credentials

  Hello, we are building a application like netvibes/iGoogle which allows users to have portlets with rss feeds in them. The portlets are all loaded using ajax and therefore, the RSS feeds must exist on the same domain as the portal. If they don't, you run into problems with cross-domain security issues with ajax. Usually to get around this you just proxy the connection on the server which is very simple with rss feeds that are exposed via http. We however have many feeds that are exposed via https. These feeds likely require a client certificate to authenticate them. Therefore, just doing a basic proxy (take the distant url and open a new connection on the server) won't work because it will build the new connection with the servers credentials and not the users.
  Is there a way to build the connection on the server using the users credentials?? How can we proxy this connection over https?
  If anyone has ideas, please let me know.
  Thanks!

  in fact you are more using a reverse-proxy than a proxy since it is on the server part..
  You have to put all the SSL server part on the reserve-proxy itself and not on the final RSS feed. Then, the reverse-proxy will authenticate your client and gets its certificate. After that, either this proxy will open a plain connection (no ssl) towards the RSS, or you can also open a ssl connection but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I used this solution many times in professional hosting.
  hope it helps !

• No pop-up for client certificate in spite of icm/HTTPS/verify_client = 1

  Dear experts,
  on my WebAS 6.40 I have set icm/HTTPS/verify_client = 1 so that it requests a client certificate every time a new SSL connection is established.
  However, only on one client machine with IE 6 I really get a pop-up asking for a client certificate. On all other machines there's no such pop-up. Although on ALL clients I have set the IE setting "Don't prompt for client certificate selection when no certificates or only one certificate exists" to "disable". The setting seems to be correct, because when I want to go the SAP Service Marketplace with these clients, this pop-up comes up with an empty list of suitable certificates.
  Can anybode explain this to me? Why does the one browser open the pop-up and the others don't althought this one setting is identical? Why do the IE's that get the pop-up for the SAP Service Marketplace don't get the popup for my WebAS 6.40?
  Thanks and kind regards
  Christian

  You will have to check the specific service (probably in SICF) to see if the Logon Procedure is set to 'Required with Client Certificate (SSL).' Is this for a BSP page?
  Hope that helps.
  J. Haynes

• Lowest cost SSL accelerator for HTTPS client certificate auth testing

  Hi,
  I need to test some some https connections that use client certificate authentication and need a low cost ebay-purchasable cisco ssl box (I think).
  My understanding is that some Cisco products can terminate https connections (once client cert auth is successful) and then pass on the http connection with a cookie value set with the Subject DN information from the client certificate - correct me if I'm wrong :).
  So any suitable kit for this?
  Thanks,
  Marc.

  Hi Oliver,
  Have a look at this http://forum.java.sun.com/thread.jsp?forum=2&thread=258908
  You may find the answer to your question there.
  Majid.

• SSL (https) set up in ABAP - pop-up Request Client Certificate

  Hi,
  We just configured SSL in ABAP. Accessing the website that the certificate is assigned to results in a pop-up appearing in IE7 that states:
  The website you want to view requests identification. Please choose a certificate, with a blank screen.
  Can the server be set so that it does not prompt for the client certificate?
  Thanks, Neeta

  You will have to check the specific service (probably in SICF) to see if the Logon Procedure is set to 'Required with Client Certificate (SSL).' Is this for a BSP page?
  Hope that helps.
  J. Haynes

• Asking specific client certificate (not certificates trusted by authority)

  As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
  I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
  For example:
  Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
  But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
  And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?

  I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
  It might not be elegantBut it is!
  See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
  Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
  This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
  if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
  So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.

• Problem sending data with HTTPS  using client authentication.

  Hi,
  I�m tryingto send a message to a secure server using for this client certificate, apparently if I make a GET of "/" (server root) , everything works fine (authentication, and data received), from the moment that I try to ways send data to the "/pvtn " directory i obtain the following error.
  This is a sample of the code i�m using:
  import com.sun.net.ssl.KeyManagerFactory;
  import java.io.BufferedReader;
  import java.io.InputStreamReader;
  import java.io.OutputStreamWriter;
  import java.io.Writer;
  import java.net.Socket;
  import java.security.*;
  import java.security.GeneralSecurityException;
  import java.security.Principal;
  import java.security.PublicKey;
  import java.util.Collection;
  import java.util.Date;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;
  import javax.security.cert.*;
  import javax.security.cert.X509Certificate;
  public class Test
  public static final String TARGET_HTTPS_SERVER = "mymachine.mydomain.pt";
  public static final int TARGET_HTTPS_PORT = 443;
  public static void main(String[] args) throws Exception
  System.setProperty("javax.net.ssl.trustStore","/certificados/truststore.txt");
  System.setProperty("javax.net.ssl.trustStorePassword","trustpwd");
  System.setProperty("javax.net.ssl.keyStore","/certificados/truststore.txt");
  System.setProperty("javax.net.ssl.keyStorePassword","trustpwd");
  java.security.Security.removeProvider("SunJSSE");
  java.security.Security.insertProviderAt(new com.sun.net.ssl.internal.ssl.Provider(),2);
  KeyManagerFactory kmf= KeyManagerFactory.getInstance("SunX509", "SunJSSE") ;
  //Socket
  SSLSocket jsslSoc = (SSLSocket) SSLSocketFactory.getDefault().createSocket(TARGET_HTTPS_SERVER, TARGET_HTTPS_PORT);
  String [] ciphers = jsslSoc.getSupportedCipherSuites() ;
  //// Select the ciphers you want and put them.
  //// Here we will put all availabel ciphers
  jsslSoc.setEnabledCipherSuites(ciphers);
  //// We are creating socket in client mode
  jsslSoc.setUseClientMode(true);
  //// Do SSL handshake
  jsslSoc.startHandshake();
  // Print negotiated cipher
  System.out.println("Negotiated Cipher Suite: " + jsslSoc.getSession().getCipherSuite());
  System.out.println("");
  X509Certificate[] peerCerts = ((javax.net.ssl.SSLSocket)jsslSoc).getSession().getPeerCertificateChain();
  if (peerCerts != null)
  System.out.println("Printing server information:");
  for(int i =0; i < peerCerts.length; i++)
  System.out.println("Peer Certificate ["+i+"] Information:");
  System.out.println("- Subject: " + peerCerts.getSubjectDN().getName());
  System.out.println("- Issuer: " + peerCerts[i].getIssuerDN().getName());
  System.out.println("- Version: " + peerCerts[i].getVersion());
  System.out.println("- Start Time: " + peerCerts[i].getNotBefore().toString());
  System.out.println("- End Time: " + peerCerts[i].getNotAfter().toString());
  System.out.println("- Signature Algorithm: " + peerCerts[i].getSigAlgName());
  System.out.println("- Serial Number: " + peerCerts[i].getSerialNumber());
  else
  System.out.println("Failed to get peer certificates");
  try
  Writer out = new OutputStreamWriter(jsslSoc.getOutputStream(), "ISO-8859-1");
  //THIS WAY WORKS FINE
  out.write("GET / HTTP/1.1\r\n");
  // HERE COMES THE TROUBLES
  //out.write("GET /pvtn?someparameter=paramvalue HTTP/1.1\r\n");
  out.write("Host: " + TARGET_HTTPS_SERVER + ":" + TARGET_HTTPS_PORT + "\r\n");
  out.write("Proxy-Connection: Keep-Alive\r\n");
  out.write("User-Agent: SSL-TEST \r\n");
  out.write("\r\n");
  out.flush();
  BufferedReader in = new BufferedReader(new InputStreamReader(jsslSoc.getInputStream(), "ISO-8859-1"));
  String line = null;
  while ((line = in.readLine()) != null)
  System.out.println(line);
  finally
  jsslSoc.close();
  the ssl log until sending the GET is
  main, WRITE: SSL v3.1 Handshake, length = 36
  main, READ: SSL v3.1 Change Cipher Spec, length = 1
  main, READ: SSL v3.1 Handshake, length = 36
  Plaintext after DECRYPTION: len = 36
  0000: 14 00 00 0C 71 AB 40 CC 6C 33 92 05 E9 69 4B 8F [email protected].
  0010: D1 77 3F 6E 3C DB F0 A0 B7 9C CF 49 B6 6D C8 17 .w?n<......I.m..
  0020: 7E 03 52 14 ..R.
  *** Finished, v3.1
  verify_data: { 113, 171, 64, 204, 108, 51, 146, 5, 233, 105, 75, 143 }
  %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
  [read] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 71 AB 40 CC 6C 33 92 05 E9 69 4B 8F [email protected].
  Negotiated Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
  When i send the GET
  Plaintext before ENCRYPTION: len = 247
  0000: 47 45 54 20 2F 70 76 74 6E 3F 41 30 33 30 3D 4D GET /pvtn?A030=M
  main, WRITE: SSL v3.1 Application Data, length = 247
  main, READ: SSL v3.1 Handshake, length = 24
  Plaintext after DECRYPTION: len = 24
  *** HelloRequest (empty)
  %% Client cached [Session-1, SSL_RSA_WITH_RC4_128_SHA]
  %% Try resuming [Session-1, SSL_RSA_WITH_RC4_128_SHA] from port 3535
  *** ClientHello, v3.1
  RandomCookie: GMT: 1131988975 bytes = { 45, 113, 241, 212, 81, 255, 244, 169, 74, 41, 160, 227, 197, 210, 155, 211, 47, 237, 18, 179, 238, 47, 28, 86, 30, 253, 157, 253 }
  Session ID: {208, 18, 243, 174, 216, 156, 80, 201, 121, 136, 63, 162, 31, 196, 186, 95, 193, 143, 238, 172, 173, 79, 64, 219, 17, 149, 14, 138, 53, 95, 18, 96}
  Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17, 0, 2, 0, 1, 0, 24, 0, 26, 0, 27, 0, 23, 0, 25 }
  Compression Methods: { 0 }
  [write] MD5 and SHA1 hashes: len = 105
  Plaintext before ENCRYPTION: len = 125
  main, WRITE: SSL v3.1 Handshake, length = 125
  main, READ: SSL v3.1 Handshake, length = 94
  Plaintext after DECRYPTION: len = 94
  *** ServerHello, v3.1
  RandomCookie: GMT: 1131991620 bytes = { 205, 194, 212, 113, 37, 213, 41, 13, 60, 142, 135, 68, 17, 78, 227, 251, 176, 211, 133, 203, 153, 173, 153, 195, 93, 7, 87, 123 }
  Session ID: {108, 85, 45, 208, 104, 124, 209, 24, 247, 113, 156, 134, 28, 154, 75, 198, 64, 181, 167, 9, 149, 223, 162, 21, 225, 32, 168, 31, 190, 48, 241, 195}
  Cipher Suite: { 0, 5 }
  Compression Method: 0
  %% Created: [Session-2, SSL_RSA_WITH_RC4_128_SHA]
  ** SSL_RSA_WITH_RC4_128_SHA
  [read] MD5 and SHA1 hashes: len = 74
  main, READ: SSL v3.1 Handshake, length = 3154
  Plaintext after DECRYPTION: len = 3154
  *** Certificate chain
  stop on trusted cert: [
  Version: V1
  Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Algorithm: [MD5withRSA]
  Signature:
  [read] MD5 and SHA1 hashes: len = 3134
  main, READ: SSL v3.1 Handshake, length = 479
  Plaintext after DECRYPTION: len = 479
  *** CertificateRequest
  Cert Types: RSA, DSS,
  Cert Authorities:
  [read] MD5 and SHA1 hashes: len = 455
  *** ServerHelloDone
  [read] MD5 and SHA1 hashes: len = 4
  0000: 0E 00 00 00 ....
  *** Certificate chain
  *** ClientKeyExchange, RSA PreMasterSecret, v3.1
  Random Secret: { 3, 1, 19, 223, 230, 65, 59, 210, 10, 69, 239, 178, 185, 5, 52, 57, 44, 160, 163, 239, 85, 64, 173, 16, 132, 234, 33, 228, 0, 8, 134, 52, 20, 190, 196, 15, 205, 35, 169, 39, 14, 160, 143, 74, 210, 74, 43, 181 }
  [write] MD5 and SHA1 hashes: len = 141
  Plaintext before ENCRYPTION: len = 161
  main, WRITE: SSL v3.1 Handshake, length = 161
  SESSION KEYGEN:
  PreMaster Secret:
  .CONNECTION KEYGEN:
  Client Nonce:
  Server Nonce:
  Master Secret:
  Client MAC write Secret:
  Server MAC write Secret:
  Client write key:
  Server write key:
  0000: FE 94 DF 4C 1A 9F FA CE 0C E9 A6 DB 31 53 E5 FD ...L........1S..
  ... no IV for cipher
  Plaintext before ENCRYPTION: len = 21
  0000: 01 0D 16 E6 49 18 36 AF E1 52 9C 2F 72 EE CA DF ....I.6..R./r...
  0010: 41 71 68 30 06 Aqh0.
  main, WRITE: SSL v3.1 Change Cipher Spec, length = 21
  *** Finished, v3.1
  verify_data: { 243, 49, 247, 150, 113, 86, 182, 125, 244, 163, 245, 243 }
  [write] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C F3 31 F7 96 71 56 B6 7D F4 A3 F5 F3 .....1..qV......
  Plaintext before ENCRYPTION: len = 36
  0000: 14 00 00 0C F3 31 F7 96 71 56 B6 7D F4 A3 F5 F3 .....1..qV......
  0010: 1A 7C 8F D9 51 CB 6F 47 2A 7C 90 81 20 EE 97 64 ....Q.oG*... ..d
  0020: FF 47 35 CA .G5.
  main, WRITE: SSL v3.1 Handshake, length = 36
  main, SEND SSL v3.1 ALERT: warning, description = close_notify
  Plaintext before ENCRYPTION: len = 22
  0000: 01 00 F0 F4 AC 3C B2 DE 95 98 0E B4 ED B1 24 3B .....<........$;
  0010: 54 6C 8B DC F3 1F Tl....
  main, WRITE: SSL v3.1 Alert, length = 22
  java.net.SocketException: Connection aborted by peer: socket write error
       void java.net.SocketOutputStream.socketWrite(java.io.FileDescriptor, byte[], int, int)
            native code
       void java.net.SocketOutputStream.write(byte[], int, int)
            SocketOutputStream.java:96
       void com.sun.net.ssl.internal.ssl.OutputRecord.a(java.io.OutputStream)
       void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.OutputRecord)
       void com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush()
       void com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(com.sun.net.ssl.internal.ssl.HandshakeMessage$Finished)
       void com.sun.net.ssl.internal.ssl.ClientHandshaker.c()
       void com.sun.net.ssl.internal.ssl.ClientHandshaker.a(com.sun.net.ssl.internal.ssl.SunJSSE_o)
       void com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(byte, int)
       void com.sun.net.ssl.internal.ssl.Handshaker.process_record(com.sun.net.ssl.internal.ssl.InputRecord)
       void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.InputRecord, boolean)
       void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.InputRecord)
       int com.sun.net.ssl.internal.ssl.AppInputStream.read(byte[], int, int)
       int java.io.InputStream.read(byte[])
            InputStream.java:91
       int java.io.InputStreamReader.fill(char[], int, int)
            InputStreamReader.java:173
       int java.io.InputStreamReader.read(char[], int, int)
            InputStreamReader.java:249
       void java.io.BufferedReader.fill()
            BufferedReader.java:139
       java.lang.String java.io.BufferedReader.readLine(boolean)
            BufferedReader.java:299
       java.lang.String java.io.BufferedReader.readLine()
            BufferedReader.java:362
       void Teste3.main(java.lang.String[])
            Teste3.java:109
  Exception in thread main
  Debugger disconnected from local process.
  Process exited with exit code 1.
  One more thing if if make the same thing via browser (https://mymachine.mydomain.pt/pvtn?someparameter=somevalue) and works fine too (obviously i pre installed the client certificate in the browser and choose the certificate when the pop up show up)
  It seems like the handshaking fails when i send data to /pvtn...
  Regards,
  Paulo.

  I amhaving the another problem very similar, I am struggling with client authentication with IIS 5.0, and receiving the 'Remote Host closed the connection' error.
  Is there any help me in this. I truly apprecaite it
  Thanks

• BizTalk 2010 Send FTPS - when is my client certificate needed?

  Based on this
  post, it's very unclear if a certificate is needed or not (in the Client Certificate Hash).  The most important quote I got out of that post is this:
  "I reached out to MS BizTalk support and they asked me not to use the certificate and just use FTP over SSL without certificate. We also changed the ftp firewall mode to passive and allocate storage to no."
  If FileZillaClient can connect and send a file to a customer/vendor without a local certificate, then why would BizTalk need one in an FTP SendPort?
  And secondly, if it is not needed, in what circumstances would you use it on an FTP SendPort.
  It's my understanding that the certificate is some certificate related to the BizTalk host account's personal store on the BizTalk machine, and not the thumbprint of the customer/vendor we are communicating with.
  For BT2013 this is
  MSDN's mysterious definition:
  > Specify the SHA1 hash of the client certificate that must be used in
  > the Secure Sockets Layer (SSL) negotiation.
  >
  > Based on this hash, the client certificate is picked up from the
  > personal store of the user account under which the BizTalk host
  > instance is running.
  This statement gives no guidance as to when it is needed or desired.
  This is the
  other good blog on the subject, but also implied cert is needed, in contradiction to Microsoft support in early link.
  Thanks,
  Neal Walters
  http://MyLifeIsMyMessage.net

  Hi,
  #How to use the new “FTPS adapter” with BizTalk 2010
  http://blogical.se/blogs/mikael/archive/2010/09/26/how-to-use-the-new-ftps-adapter-with-biztalk-2010.aspx
  And it should work with self-signed cert.Please refer to the demo:
  http://blogs.msdn.com/b/biztalknotes/archive/2014/10/10/using-ftps-adapter-in-biztalk-ftp-ssl.aspx
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• How to load a client certificate into a servlet to access a Web Service

  Hi,
  I am having the following problem:
  I am trying to use a Web Service client (Axis) within a servlet running under
  WebLogic 8.1.
  I would like to have mutual SSL-based authentication between the client and the
  server hosting the Web Service. Thus, my client has to send a certificate to the
  server.
  My problem is: how to get the certificate into the request? I know that, for example,
  the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't
  use this class.
  Is there any other method to make sure that SSL requests use my client certificates?
  By the way, I am receiving the following error message from the server:
  <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificate
  s not supplied by peer>
  <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate
  ch
  ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
  Anyone has an idea?
  Thanks for any hints,
  Zoltan Schreter
  Nokia

  Hi all,
  I have solved this problem basically by using weblogic's SSLSocketFactory instead
  of the default one used by Axis. I created a custom HttpSender (MyHttpSender)
  which uses this Factory. I then created a custom Config class which I pass to
  the constructor of Service. The Config class looks like this:
  public class MyConfig extends SimpleProvider {
  * Constructor - deploy client-side basic transports.
  public MyConfig() {
  deployTransport("java", new SimpleTargetedChain(new JavaSender()));
  deployTransport("local", new SimpleTargetedChain(new LocalSender()));
  deployTransport("http", new SimpleTargetedChain(new MyHttpSender()));
  The relevant code within MyHttpSender looks something like this:
  SSLClientInfo sslinfo = new SSLClientInfo();
  File ClientKeyFile = new File("C:/certificates/testkey.pem");
  File ClientCertsFile = new File("C:/certificates/testcert.pem");
  InputStream[] ins = new InputStream[2];
  ins[0] = new FileInputStream(ClientCertsFile);
  ins[1] = new FileInputStream(ClientKeyFile);
  String pwd = "mykeypass";
  sslinfo.loadLocalIdentity(ins[0], ins[1], pwd.toCharArray());
  javax.net.SocketFactory sockf = weblogic.security.SSL.SSLSocketFactory.getJSSE(sslinfo);
  sock = sockf.createSocket(host, port) ;
  By the way, this change also solved the other problem I posted about (not being
  able to tunnel through the https proxy).
  Cheeers,
  Zoltan Schreter
  Nokia
  "Tony" <TonyV> wrote:
  Which API's are you currently using for the SSL communication in the
  client
  side?
  Tony
  "Zoltan Schreter" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  I am having the following problem:
  I am trying to use a Web Service client (Axis) within a servlet runningunder
  WebLogic 8.1.
  I would like to have mutual SSL-based authentication between the clientand the
  server hosting the Web Service. Thus, my client has to send a certificateto the
  server.
  My problem is: how to get the certificate into the request? I knowthat,
  for example,
  the HttpsURLConnection class of WebLogic has a loadIdentity method.But I
  can't
  use this class.
  Is there any other method to make sure that SSL requests use my clientcertificates?
  By the way, I am receiving the following error message from the server:
  <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peercertificate
  s not supplied by peer>
  <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508><Certificate
  ch
  ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
  Anyone has an idea?
  Thanks for any hints,
  Zoltan Schreter
  Nokia