Hot Rod Native client / HRCPP-284

Unable to use client authentication with C# client

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Versions: 8.1.0.CR1, 8.1.0.Final
    • Components: .NET, Core

      When client authentication is requested via the require-ssl-client-auth attribute (see the example config below), a "null cert chain" error appears on the server side.

       <subsystem xmlns="urn:infinispan:server:endpoint:9.0">
                 ...
               <encryption security-realm="ApplicationRealm" require-ssl-client-auth="true"/>
      

      Null cert error:

      09:12:06,643 ERROR [org.infinispan.server.hotrod.CacheDecodeContext] (HotRodServerWorker-4-2) ISPN005003: Exception reported: javax.net.ssl.SSLHandshakeException: null cert chain
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1098)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:970)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:904)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:387)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:245)
        at io.netty.channel.ChannelHandlerInvokerUtil.invokeChannelReadNow(ChannelHandlerInvokerUtil.java:83)
        at io.netty.channel.DefaultChannelHandlerInvoker.invokeChannelRead(DefaultChannelHandlerInvoker.java:154)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:354)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:145)
        at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
        at org.infinispan.server.core.transport.StatsChannelHandler.channelRead(StatsChannelHandler.java:30)
        at io.netty.channel.ChannelHandlerInvokerUtil.invokeChannelReadNow(ChannelHandlerInvokerUtil.java:83)
        at io.netty.channel.DefaultChannelHandlerInvoker.invokeChannelRead(DefaultChannelHandlerInvoker.java:154)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:354)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:145)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:1078)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:117)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:527)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:484)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:398)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:370)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:742)
        at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:145)
        at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1865)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1124)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1009)
        ... 22 more
      

      Steps to reproduce:
      1) Generate a client-side keystore and self-signed certificate:
      keytool -keystore client.jks -genkey -alias client
      2) Export the certificate:
      keytool -exportcert -alias client -keystore client.jks -storepass secret -rfc -file client-exported.pem
      3) Import it into the server-side truststore:
      keytool -import -keystore truststore_server.jks -file client-exported.pem -alias client
      4) Configure the C# client with the file:
      conf.Ssl().Enable().ClientCertificateFile("client-exported.pem")
      5) Use the truststore on the server side.
      6) Enable require-ssl-client-auth="true" on the server side.
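Two facts help when triaging the trace above: `keytool -exportcert` writes only the public certificate, never the private key, and the JSSE message "null cert chain" is what a server with required client auth reports when the client answers the CertificateRequest with an empty certificate list. An OpenSSL-based client typically sends that empty list when it has a certificate configured but no matching private key. The script below is an added example, not part of the ticket or the Hot Rod client code: it inspects the PEM blocks of a file before it is handed to a client-certificate setting, and maps the server log line to an operator hint. The PEM label set and the sample inputs (placeholder base64 bodies, and the error line copied from the ticket) are constructed for the example.

```python
"""Pre-flight check for a TLS client identity file plus a Hot Rod server log hint.

Added example for HRCPP-284 triage; not code from the Infinispan project.
"""
import re
import sys

# One PEM block: captures the label (CERTIFICATE, PRIVATE KEY, ...) and its body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Labels under which a private key is commonly stored in PEM (assumed set).
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}

# Constructed sample resembling `keytool -exportcert -rfc` output: certificate only.
# The base64 body is a placeholder, not a real certificate.
CERT_ONLY = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBody
-----END CERTIFICATE-----
"""

# Constructed sample of a usable client identity: certificate plus private key.
CERT_AND_KEY = CERT_ONLY + """-----BEGIN PRIVATE KEY-----
MIIEplaceholderPrivateKeyBody
-----END PRIVATE KEY-----
"""

# Server log line as it appears in the ticket.
SERVER_LOG_LINE = (
    "09:12:06,643 ERROR [org.infinispan.server.hotrod.CacheDecodeContext] "
    "(HotRodServerWorker-4-2) ISPN005003: Exception reported: "
    "javax.net.ssl.SSLHandshakeException: null cert chain"
)


def pem_labels(text):
    """Return the labels of all PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_client_identity(text):
    """Classify a PEM file for use as a TLS client identity.

    Returns counts of certificate and private-key blocks and a verdict string.
    """
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in PRIVATE_KEY_LABELS)
    if certs == 0 and keys == 0:
        verdict = "no PEM blocks found"
    elif keys == 0:
        # The client cannot prove possession of the key; an OpenSSL-based
        # client then presents an empty chain and a JSSE server logs
        # "null cert chain" when client auth is required.
        verdict = "certificate only"
    elif certs == 0:
        verdict = "private key only"
    else:
        verdict = "certificate and private key"
    return {"certificates": certs, "private_keys": keys, "verdict": verdict}


def explain_server_log(line):
    """Return an operator hint for a client-auth handshake failure, else None."""
    if "SSLHandshakeException" in line and "null cert chain" in line:
        return ("client answered the server's CertificateRequest with an empty "
                "chain; verify the client identity file contains both the "
                "certificate and its private key")
    return None


if __name__ == "__main__":
    # Usage: python check_client_pem.py client-exported.pem [more.pem ...]
    for path in sys.argv[1:]:
        with open(path, encoding="ascii", errors="replace") as fh:
            result = check_client_identity(fh.read())
        print(f"{path}: {result['verdict']} "
              f"({result['certificates']} cert, {result['private_keys']} key)")
    print(explain_server_log(SERVER_LOG_LINE))
```

Run against the file produced in step 2 of the reproduction, the verdict is "certificate only", which is the configuration the server trace corresponds to; a file that also carries the client's private key reports "certificate and private key".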

      Vittorio Rigamonti (vrigamon@redhat.com)
      Martin Gencur (mgencur)