
I realised I'm still having trouble. By implementing the solution provided here by ycr, SSL verification is completely skipped: I don't get any exception through wso mi code execution, but the server endpoint responds with Forbidden <403>. I spent the day writing a Java client to test the certificate chain and to better understand how Java manages SSL. Please see the code below. It is clear to me, thanks to the explanations kindly received from ycr, that I do have problems in how the certificates were issued, but I can't help that. The Java client handshake can be successfully achieved by setting:

// Accepts every hostname: the check that the server certificate's CN/SAN matches
// the URL host is skipped, so any server presenting a certificate that chains to
// the configured trust store is accepted for any host.
HostnameVerifier allHostsValid = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
// Process-wide default: applies to every HttpsURLConnection created in this JVM.
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

before establishing the connection. Through this trick, the CN match between the domain and the certificate chain is skipped, but SSL authentication is achieved using the certificates provided to the SSL context, thus getting Response <200> from the endpoint. How can I set up wso mi (i.e. either by modifying deployment.toml or through some other trick) to get a similar result? Thanks in advance for your help (below is the entire code sample, which works fine)

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;


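public class HelloWorld {

    private static final Logger logger = Logger.getLogger(HelloWorld.class.getName());

    /**
     * Builds an SSLContext that presents the client certificate from
     * {@code CERTIFICATE_FILE} and trusts only the certificates in {@code CA_FILE}.
     *
     * <p>No trust-all TrustManager is installed: a server certificate must chain to
     * an entry in the CA_FILE key store. Matching the certificate against the URL
     * host is a separate step, done by the HostnameVerifier on the connection.
     *
     * @return the initialised context, or {@code null} if a key store could not be
     *     read or the context could not be initialised (the cause is logged)
     */
    public static SSLContext mySSLContext() {
        final String CERTIFICATE_FILE = "c:/SSLCerts/staging.jks";
        final String CA_FILE = "c:/SSLCerts/serverside_staging.jks";
        final String CERTIFICATE_PASS = "***************";
        final char[] password = CERTIFICATE_PASS.toCharArray();

        try {
            // Client identity: the key store holding our certificate and private key.
            KeyStore clientKeyStore = loadKeyStore(CERTIFICATE_FILE, password);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); // SunX509
            kmf.init(clientKeyStore, password);
            KeyManager[] keyManagers = kmf.getKeyManagers();

            // Server trust: only certificates chaining to an entry in this store are accepted.
            KeyStore serverKeyStore = loadKeyStore(CA_FILE, password);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // SunX509
            tmf.init(serverKeyStore);
            TrustManager[] trustManagers = tmf.getTrustManagers();

            // "TLS" is the standard algorithm name; "SSL" is only a legacy alias for it.
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagers, trustManagers, null);
            return sslContext;
        } catch (IOException | GeneralSecurityException e) {
            // Keep the original contract (null on failure) but record the full cause.
            logger.log(Level.SEVERE, "could not build SSLContext", e);
            return null;
        }
    }

    /**
     * Loads a JKS key store from {@code path}, closing the file once it is read.
     *
     * @param path     file-system path of the key store
     * @param password password protecting the key store
     * @return the loaded key store
     * @throws IOException              if the file cannot be opened or read
     * @throws GeneralSecurityException if the key store type is unavailable or the
     *                                  contents cannot be loaded
     */
    private static KeyStore loadKeyStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        // try-with-resources: the original left the FileInputStream open.
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /**
     * Sends a POST to {@code targetURL} over mutual TLS and logs the HTTP status.
     *
     * <p>The certificate chain is validated against CA_FILE; hostname verification
     * is relaxed for this one connection because the server certificate does not
     * carry the URL host.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        final String targetURL = "https://37.186.199.242:6443/web-app";
        HttpsURLConnection connection = null;

        try {
            URL url = new URL(targetURL);

            SSLContext sc = mySSLContext();
            if (sc == null) {
                // mySSLContext() already logged the cause; the original dereferenced
                // the null and threw NullPointerException here.
                logger.severe("response from " + targetURL + " skipped: SSLContext could not be built");
                return;
            }

            // Accepts any hostname for this connection: the chain is still checked
            // against CA_FILE, but the CN/SAN-to-host match is not enforced, so any
            // certificate chaining to that trust store is accepted whichever host
            // presents it.
            HostnameVerifier allHostsValid = new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            };

            connection = (HttpsURLConnection) url.openConnection();
            // Set on the instance rather than via the static setDefault* methods so
            // the custom trust store and relaxed hostname check do not apply to every
            // HttpsURLConnection in the JVM.
            connection.setSSLSocketFactory(sc.getSocketFactory());
            connection.setHostnameVerifier(allHostsValid);
            connection.setRequestMethod("POST");
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            connection.setRequestProperty("Content-Language", "en-US");

            int responseCode = connection.getResponseCode();
            String responseMessage = connection.getResponseMessage();
            logger.info("response from " + targetURL + ":" + responseMessage + ":<" + responseCode + ">");
        } catch (IOException e) {
            // Log with the throwable so the stack trace (and TLS cause) is kept.
            logger.log(Level.WARNING, "response from " + targetURL + " thrown exception:" + e.toString(), e);
        } finally {
            if (connection != null) {
                connection.disconnect();
            }
        }
    }
}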
  • Finally I solved it. Authentication was not completed because the target URL https://37.186.199.242:6443/web-app, when checked by the ClientConnFactory class in wso mi, is returned by IOSession.getRemoteAddress().getHostName as follows: **"37-186-199-241.ip270.fastwebnet"**. I could finally adjust and get through authentication by adding the name 37-186-199-242.ip270.fastwebnet.it to the statements in senderprofiles.xml. – Cristiano May 18 '23 at 11:44
