
I'm currently testing connectivity between two separate systems. When I attempt to make a web service call through our software, I've noticed that a 401 error repeatedly shows up in the logs:

Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '401: Unauthorized' when communicating with https://testsystem.endpoint/webservice
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1530)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1490)

From what I have read on SO, a 401 tells you that you haven't successfully logged in or authenticated to whatever server you are trying to connect to. I've notified those who control the target endpoint of this, and I've been told that I shouldn't need to login and that "everything is authenticated by the certificates." As I understand it, SSL/TLS certificates can certainly act as a way to authenticate in the sense that if you claim to be X in your certificate and your certificate has been signed by a trusted CA, then you are most likely X. However, I believe this is distinct from entering valid or invalid login credentials (which I believe is closer to the cause of the 401 error).

I tried curl'ing the endpoint using my public keypair as well as the root certificate for the target endpoint's certificate. I can see there appear to be two separate SSL handshakes, which I believe to be SSL renegotiation. I can clearly see a 401 error occurring again:

$ curl -vv --cert cert.pem --cacert root.pem https://testsystem.endpoint/webservice
* About to connect() to testsystem.endpoint/webserivce port 443 (#0)
*   Trying TEST.IP.ADDRESS.FAKE... connected
* Connected to testsystem.endpoint/webserivce (TEST.IP.ADDRESS.FAKE) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: root.pem
  CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*    subject: /OU=Domain Control Validated/CN=TEST.CN.FAKE
*    start date: 2015-07-07 22:44:38 GMT
*    expire date: 2016-07-19 16:55:05 GMT
*    subjectAltName: testsystem.endpoint/webserivce matched
*    issuer: /C=US/ST=fake/L=fake/O=Company.com, Inc./OU=http://certs.company.com/repository//CN=Company Secure Certificate Authority 
* SSL certificate verify ok.
> GET /webservice HTTP/1.1
> User-Agent: curl/7.16.2 (x86_64-unknown-linux-gnu) libcurl/7.16.2 OpenSSL/0.9.8b zlib/1.2.3
> Host: testsystem.endpoint/webserivce
> Accept: */*
> 
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Sat, 05 Sep 2015 00:16:21 GMT

I don't believe my problem is necessarily related to SSL/TLS-handshaking: I have built up the full certificate chain for the other end (which is trusted on my end), and I can see that the first SSL/TLS handshake seems to work. I suppose my question is: Why is the other end 401'ing me when I'm using what I believe is a valid keypair?

elefont

1 Answer


You are probably using a version of OpenSSL that is too old.

TLS 1.2 support was introduced in 2012 with version 1.0.1, while you are using 0.9.8b.

Try upgrading curl and OpenSSL.

Alessandro C
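The question's curl trace already contains the answer to "did the certificate authenticate me?": the second handshake carries the server's Request CERT (13), the client's CERT (11) and CERT verify (15), and only after all of that does HTTP 401 arrive. The script below is an added example, not code from the question, the answer, curl or CXF. It parses a curl -v trace of this shape, works out whether the server asked for a client certificate, whether the client presented one and proved possession of its key, and whether the 401 came after that TLS-level authentication completed; it also picks the OpenSSL version out of the User-Agent line and flags anything older than 1.0.1 as lacking TLS 1.2, which is the answer's point. The function and field names, the verdict strings and `SAMPLE_TRACE` (an abridged copy of the question's trace) are all assumptions of this example.

```python
"""Read a verbose curl TLS trace and report how far client-certificate (mutual TLS)
authentication got before the HTTP 401 appeared.

Added example; not code from the question, the answer, curl or CXF.
SAMPLE_TRACE is constructed from (and abridges) the curl -v lines in the question."""
import json
import re
from dataclasses import dataclass, field

# Constructed sample: handshake, request and response lines from the question's trace.
SAMPLE_TRACE = """\
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
> GET /webservice HTTP/1.1
> User-Agent: curl/7.16.2 (x86_64-unknown-linux-gnu) libcurl/7.16.2 OpenSSL/0.9.8b zlib/1.2.3
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 401 Unauthorized
"""

# Handshake message lines. curl's "TLS change cipher, Client hello (1)" lines contain a
# comma after "cipher", so they do not match and cannot start a spurious handshake.
HS_RE = re.compile(r"^\* SSLv[23], (?:TLS handshake, )?([A-Za-z ]+) \((\d+)\):")
STATUS_RE = re.compile(r"^< HTTP/1\.[01] (\d{3})")
OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)")
TLS12_MIN_OPENSSL = (1, 0, 1)  # first OpenSSL release with TLS 1.2, as the answer says


@dataclass
class Handshake:
    types: list = field(default_factory=list)  # handshake message type numbers, in order

    @property
    def server_requested_cert(self) -> bool:
        return 13 in self.types  # CertificateRequest

    @property
    def client_sent_cert(self) -> bool:
        # A Certificate (11) that follows CertificateRequest (13) is the client's chain.
        return 13 in self.types and 11 in self.types[self.types.index(13) + 1:]

    @property
    def client_proved_key(self) -> bool:
        return 15 in self.types  # CertificateVerify: signature made with the client key


def parse_trace(trace: str):
    handshakes, renegotiated, status, openssl = [], False, None, None
    for line in trace.splitlines():
        m = HS_RE.match(line)
        if m:
            mtype = int(m.group(2))
            if mtype == 0:             # HelloRequest: server asks for renegotiation
                renegotiated = True
            elif mtype == 1:           # ClientHello opens a new handshake
                handshakes.append(Handshake([mtype]))
            elif handshakes:
                handshakes[-1].types.append(mtype)
            continue
        m = STATUS_RE.match(line)
        if m and status is None:
            status = int(m.group(1))
        m = OPENSSL_RE.search(line)
        if m and openssl is None:
            openssl = tuple(int(g) for g in m.groups())
    return handshakes, renegotiated, status, openssl


def diagnose(trace: str) -> dict:
    handshakes, renegotiated, status, openssl = parse_trace(trace)
    last = handshakes[-1] if handshakes else None
    if last is None:
        verdict = "no_tls_handshake_seen"
    elif not last.server_requested_cert:
        verdict = "server_never_requested_client_cert"
    elif not (last.client_sent_cert and last.client_proved_key):
        verdict = "client_cert_not_presented"
    elif status == 401:
        # TLS-level client authentication finished and the server still answered 401:
        # the certificate passed cryptographically but is not mapped to an authorised
        # identity at the application layer (the server's job, not the client's).
        verdict = "app_layer_401_after_mtls"
    else:
        verdict = "mtls_ok"
    return {
        "handshakes": len(handshakes),
        "renegotiated": renegotiated,
        "server_requested_cert": bool(last and last.server_requested_cert),
        "client_sent_cert": bool(last and last.client_sent_cert),
        "client_proved_key": bool(last and last.client_proved_key),
        "http_status": status,
        "openssl_version": openssl,
        "tls12_capable": None if openssl is None else openssl >= TLS12_MIN_OPENSSL,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_TRACE), indent=2))
```

Run against the question's trace this reports two handshakes, a renegotiation, a client certificate presented and verified, and then the 401, so the verdict is that TLS did its part and the 401 is the server's application-layer decision about that certificate (it is not registered, or a different issuer or subject is expected, or HTTP credentials are required on top). The OpenSSL 0.9.8b finding from the User-Agent is reported separately: it would matter if the server insisted on TLS 1.2, but in this trace the handshake completed, so it does not explain the 401 on its own.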