Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-18616

Since JDK 1.8_272, CXF in Fuse won't accept RSA client certificates from SoapUI

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a Bug
    • Icon: Major Major
    • None
    • fuse-7.10-GA
    • CXF
    • None
    • False
    • False
    • % %
    • Todo
    • Hide

      A. Install SoapUI

      Download the latest open-source version and run the installer. Note that this version bundles JDK 16.

      B. Generate RSA certificate
      keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -keystore keystore.jks
      C. Deploy the test application

      C1. Unpack the attached camel-cxf-contract-first.zip. This is a modified version of the camel-cxf SOAP quick-start sample.

      C2. Modify camel-route.xml to indicate the location of keystore.jks

      C3. On Fuse 7.10, install camel-cxf feature

      C4. Build the application, and deploy (e.g., by copying to the Fuse deploy/ directory)

      D. Test with a Java client (included in the sample application). Use the SoapUI embedded JRE, so we can rule out differences in Java as the cause of the problem.
      JAVA_HOME=/path/to/SoapUI-5.7.0/jre/ mvn -Pqtest compile test -DargLine="-Djavax.net.ssl.keyStore=/path/to/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/path/to/keystore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl"
      A successful test amounts to receiving a SOAP envelope, and not an exception.

      E. Test with SoapUI

      E1. Create a new SOAP project. You probably won't be able even to add a WSDL request at this stage, just a bare project

      E2. Add keystore.jks as both the keystore and trust store – instructions are here: https://www.soapui.org/docs/soapui-projects/ws-security/

      E3. Try to add a WSDL to the project. Use the URI: https://localhost:1234/contract_first_order?wsdl

      E4. This will fail. Look in the Fuse server log, and see the "Empty certificate chain" exception.

       

      Show
      A. Install SoapUI Download the latest open-source version and run the installer. Note that this version bundles JDK 16. B. Generate RSA certificate keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -keystore keystore.jks C. Deploy the test application C1. Unpack the attached camel-cxf-contract-first.zip. This is a modified version of the camel-cxf SOAP quick-start sample. C2. Modify camel-route.xml to indicate the location of keystore.jks C3. On Fuse 7.10, install camel-cxf feature C4. Build the application, and deploy (e.g., by copying to the Fuse deploy/ directory) D. Test with a Java client (included in the sample application). Use the SoapUI embedded JRE, so we can rule out differences in Java as the cause of the problem. JAVA_HOME=/path/to/SoapUI-5.7.0/jre/ mvn -Pqtest compile test -DargLine="-Djavax.net.ssl.keyStore=/path/to/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/path/to/keystore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl" A successful test amounts to receiving a SOAP envelope, and not an exception. E. Test with SoapUI E1. Create a new SOAP project. You probably won't be able even to add a WSDL request at this stage, just a bare project E2. Add keystore.jks as both the keystore and trust store – instructions are here: https://www.soapui.org/docs/soapui-projects/ws-security/ E3. Try to add a WSDL to the project. Use the URI: https://localhost:1234/contract_first_order?wsdl E4. This will fail. Look in the Fuse server log, and see the "Empty certificate chain" exception.  

      Since JDK 1.8_272, the JVM has by default issued a client certificate request during the SSL handshake, that puts ECDSA at the head of the list of accepted signing mechanisms. This is a change from earlier versions, which put RSA in that position.

      During the handshake, the client is expected to send whichever certificate it has, according to server preference. Because Java is prepared to accept an RSA certificate and indicates as much in the handshake, a client should send an RSA certificate if it has one, and if it doesn't have an ECDSA certificate. It should send an ECDSA certificate if it has one, but the server is willing to accept RSA.

      RSA is, of course, still almost universally used, even though most security authorities prefer ECDSA.

      Unfortunately, some clients seem to ignore the list of preferences from the server, and only interpret the first entry on the list, which is ECDSA. If these clients don't have an ECDSA certificate, but have only an RSA certificate, they send nothing. The server shows an exception with message "Empty Server Certificate Chain" (the term "server" here is a bit misleading).

      One client that fails in this way is SoapUI – at least with its default certificate management settings. If it is provided with an RSA certificate in a Java keystore, it won't send that certificate to CXF. Instead, it will send an empty certificate chain.

      This means that an some webservices clients, including SoapUI, will fail to provide their RSA client certificates, even though the CXF JVM is willing to accept them.

        1. Screen Shot 2022-02-28 at 6.11.14 PM.png
          242 kB
          Freeman(Yue) Fang

              yfang@redhat.com Freeman(Yue) Fang
              rhn-support-kboone Kevin Boone
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: