An attempt to implement client key authentication (with ca self-subscription).
The code looks like this:
KeyStore keyStore = KeyStore.getInstance("PKCS12"); keyStore.load(new FileInputStream("client.p12"), "changeit".toCharArray()) SSLContext sslcontext = SSLContexts.custom() .loadTrustMaterial(null, new TrustSelfSignedStrategy()) //DONT DO THAT, IT JUST TO SIMPLIFY THIS EXAMPLE. USE REAL TrustStore WITH REAL SERVER CERTIFICATE IMPORTED. DONT TRUST SELF SIGNED .loadKeyMaterial(keyStore, "changeit".toCharArray()) .build(); socketFactory = new SSLConnectionSocketFactory( sslcontext, new String[] {"TLSv1.2", "TLSv1.1"}, null, new NoopHostnameVerifier() ); HttpClient httpclient = HttpClients.custom() .setSSLSocketFactory(socketFactory) .build();
With -Djavax.net.debug=all I see that it selects my certificate correctly, I see the signatures, I see the certificate request, and there ECDHClientKeyExchange, etc. everything looks fine.
But anyway, I get the following response from Nginx (with status 400):
<head><title>400 The SSL certificate error</title></head>
Note that for an invalid certificate / key, nginx usually disconnects the session without providing any details in the text response.
This client.p12 works from the command line, for example:
$ curl -ivk --cert client.p12:changeit https://192.168.1.1 * Rebuilt URL to: https://192.168.1.1/ * Trying 192.168.1.1... * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0) * WARNING: SSL: Certificate type not set, assuming PKCS#12 format. * Client certificate: client-es.certs.my * TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 * Server certificate: server.certs.my * Server certificate: ca.my > GET / HTTP/1.1 > Host: 192.168.1.1 > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 200 OK
So this key is definitely valid. But why does this not work for Java? Is there something I missed in java ssl config?