How to create a SSL client to support https

Kelvin Lin
Hi all,
 
I have followed the installation guide to compile source codes including "ENABLE_SSL=1" successfully. It could support http protocol well but failed to support https.
 
I have checked axis-c-user mail list and found some similar articles to handle this problem, like:
 
************************************************
you can give the certificates as a parameter in axis2.xml

<parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>

or as properties set in the code.

eg:
    ssl_ca_file = axis2_property_create(env);
    AXIS2_PROPERTY_SET_VALUE(ssl_ca_file, env,
            axis2_strdup("/home/user/cacert.pem", env));
    AXIS2_OPTIONS_SET_PROPERTY(options, env, "SERVER_CERT", ssl_ca_file);

Note that you have to create a property and set it using the
AXIS2_OPTIONS_SET_PROPERTY function call.
 
**************************************************************
When using AXIS2_OPTIONS_SET_PROPERTY()
first you need to create an axis2_property_t instance and then set it.

eg.

axis2_property_t *ssl_server_cert_prop =
axis2_property_create_with_args(env, 0, AXIS2_TRUE, 0,
AXIS2_STRDUP(cert_filename, env));

AXIS2_OPTIONS_SET_PROPERTY(options, env, "SERVER_CERT",
ssl_server_cert_prop);
********************************************************************************
 
But it failed in my environment, because I can't find some apis and variable name at all, like axis2_property_t and AXIS2_OPTIONS_SET_PROPERTY.
 
I used official version axis2c-src-1.0.0 and changed axis2.xml like:
 
    <transportSender name="https" class="axis2_http_sender">
        <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
    </transportSender>
    <parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>
    <!--<parameter name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
    <parameter name="SSL_PASSPHRASE">passphrase</parameter>
    -->
 
At the same time, I called following apis in my program:
 
    axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
    axis2_options_set_transport_in_protocol(options, env, AXIS2_TRANSPORT_ENUM_HTTPS);
 
But the server I built by myself didn't have any response and get error code 82, Input stream is NULL in msg_ctx.
 
What APIs should I call to support https, and how do I configure axis2.xml to specify the pem file, both when authentication is needed and when it is not needed? I am a freshman to Axis2/C, so please tell me in detail :)
 
Thanks a lot.
 
Kelvin.Lin


Re: How to create a SSL client to support https

Dumindu Pallewela
Hi Kelvin,

Find my comments inline.

Kelvin Lin wrote:
> Hi all,
>  
> But it failed in my environment, because I can't find some apis and
> variable name at all, like axis2_property_t and AXIS2_OPTIONS_SET_PROPERTY.

Those instructions were intended for v0.96. Since v1.0 the util
declarations were renamed with an axutil_ prefix and the macros were
dropped. Hence these should be axutil_property_t and
axis2_options_set_property respectively.

> I used official version axis2c-src-1.0.0 and changed axis2.xml like:
>  
>     <transportSender name="https" class="axis2_http_sender">
>         <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
>     </transportSender>
>     <parameter name="SERVER_CERT">/path/to/ca/certificate</parameter>
>     <!--<parameter
> name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
>     <parameter name="SSL_PASSPHRASE">passphrase</parameter>
>     -->

This is all you need in order to get ssl working, usually. :)

> At the same time, I called following apis in my program:
>  
>     axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
>  axis2_options_set_transport_in_protocol(options, env,
> AXIS2_TRANSPORT_ENUM_HTTPS);

Axis2 engine should set the appropriate protocols according to the epr
that you use. For example for a https endpoint, axis2 engine would look
at the https://.... uri and understand that the protocol that should be
used is https. In particular, setting transport_in protocol is not
useful if you are not using different ports to send and receive messages
(dual client).

> But the server I built by myself didn't have any response and get error
> code 82, Input stream is NULL in msg_ctx.

That is because our simple_axis_server is not capable of handling ssl.
Please refer to the axis2 manual [1] for more information on deploying
axis2 in apache2 server. Make sure to have mod_ssl installed.

> What apis should I call to support https and how to config axis2.xml to
> specify pem file both under needing authentication and no needing
> authentication?

There are three properties that are related to ssl transport,
SERVER_CERT, KEY_FILE and SSL_PASSPHRASE. Please refer to [2] for more
information on each.

This is how you set the SERVER_CERT for example:

axutil_property_t *ssl_ca_file = axutil_property_create(env);
axutil_property_set_value(ssl_ca_file, env,
        axutil_strdup(env, "/home/dumindu/dummyCA/demoCA/cacert.pem"));
axis2_options_set_property(options, env, "SERVER_CERT", ssl_ca_file);

You can set the other three properties accordingly, too. These
properties however, are *not needed* to be set in the code, if you can
set them in axis2.xml.

Tutorial [2] was written a while back, so there can be a few errors.
Please let me know if you find any :)

Regards,
Dumindu.

[1] http://ws.apache.org/axis2/c/docs/axis2c_manual.html#mod_axis2
[2] http://people.apache.org/~dumindu/HowToConfigureSSL.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: How to create a SSL client to support https

Kelvin Lin
Hi Dumindu,
 
Thank you very much. You pull me out from the mess and give me the confidence to finish the work.
 
But because I will not be available for the following three days, I have to try your method next Monday (China Time). And if there are any problems, I will tell you.

I skimmed your reply and I have a question about this paragraph:
 
"That is because our simple_axis_server is not capable of handling ssl.
Please refer to the axis2 manual [1] for more information on deploying
axis2 in apache2 server. Make sure to have mod_ssl installed."
 
I used IBM WebSphere as the http server. Does it matter to the solution?
 
Thanks a lot again.
 
Kelvin.Lin


Re: How to create a SSL client to support https

Dumindu Pallewela
Kelvin Lin wrote:

> I used IBM Websphere as http server. Does it matter to the solution.

Well that's fine. I thought that you were using the simple axis server.
Then it should be a client misconfiguration. :)

Regards,
Dumindu.

Re: How to create a SSL client to support https

Kelvin Lin
Hi Dumindu,
 
Sorry for the late reply.

I followed your suggestion, but it still failed.
 
1st, I commented the following statement.
 
 //axis2_options_set_soap_version(options, env, AXIOM_SOAP12);
 //axis2_options_set_transport_in_protocol(options, env, AXIS2_TRANSPORT_ENUM_HTTP);

so as to let Axis2/C choose the correct protocol automatically.
 
2nd, I wrote axis2.xml like:
 
    <transportSender name="https" class="axis2_http_sender">
        <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
    </transportSender>
    <!--<parameter name="SERVER_CERT">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
    <parameter name="KEY_FILE">/path/to/client/certificate/chain/file</parameter>
    <parameter name="SSL_PASSPHRASE">passphrase</parameter>
    -->
 
3rd, I set just the one parameter, "server_cert", in the code:
 
 axutil_property_t *ssl_ca_file = axutil_property_create(env);
 axutil_property_set_value(ssl_ca_file, env,
  axutil_strdup(env, "E:\\Project\\VS8\\Axis2_prototype\\debug\\TrustList.pem"));
 axis2_options_set_property(options, env, "SERVER_CERT", ssl_ca_file);
 
How do I judge that it failed?

Because I followed a tutorial to build a web service server by myself, http://publib.boulder.ibm.com/infocenter/wsadhelp/v5r1m2/index.jsp?topic=/com.ibm.etools.webservice.was.creation.ui.doc/samples/sstockq.html, using WebSphere v5.1, and sent a simple soap message to the server via the https protocol. But no error messages are displayed in the server console. (If the server receives a soap message (correct or wrong), it will display some error messages in the console. Please refer to my new reply in my other problem email, named "How to get ordered namespace sequence, about the function "axutil_hash_find_entry"")

I used gsoap to create a message which was sent to the web service server via the https protocol, and whether the message is correct or not, the console will display something.
 
Then I commented the explicitly setting property in the program and set them in the axis2.xml like:
 
    <transportSender name="https" class="axis2_http_sender">
        <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
    </transportSender>
    <parameter name="SERVER_CERT">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
    <parameter name="KEY_FILE">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
    <parameter name="SSL_PASSPHRASE">passphrase</parameter>
 
But it still has no effect.

What should I do?

By the way, about this web page: http://people.apache.org/~dumindu/HowToConfigureSSL.html, I have two suggestions,
 
1st, you still use axis2/c v0.96 api, like:
 
ssl_ca_file = axis2_property_create(env);
AXIS2_PROPERTY_SET_VALUE(ssl_ca_file, env,
    axis2_strdup("/home/dumindu/dummyCA/demoCA/cacert.pem", env));
AXIS2_OPTIONS_SET_PROPERTY(options, env, "SERVER_CERT", ssl_ca_file);
 
2nd, You can find the complete sample code here. There is no link when clicking "here".
 

Re: How to create a SSL client to support https

Dumindu Pallewela
Hi Kelvin,

Please find my comments inline.

Kelvin Lin wrote:

> Then I commented the explicitly setting property in the program and set
> them in the axis2.xml like:
>  
>     <transportSender name="https" class="axis2_http_sender">
>         <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
>     </transportSender>
>     <parameter
> name="SERVER_CERT">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
>     <parameter
> name="KEY_FILE">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
>     <parameter name="SSL_PASSPHRASE">passphrase</parameter>
>  
> But it still no any effects.
>  
> How should I do?

I have not used the ssl client in windows lately. But it is *possible*
that you need to use unix like path separators. eg:

<parameter
name="SERVER_CERT">E:/Project/VS8/Axis2_prototype/debug/TrustList.pem</parameter>

I doubt what you have done here... setting the same pem file for both
the CA Certificate/Server Certificate and the Client certificate-key
pair is not correct. If you don't need client authentication, only set
the "SERVER_CERT" parameter.

Could you please explain to me the content of the TrustList.pem?

Please let me know the specifics of the ssl authentication that you need
(with client auth / without client auth?) so that I can give the exact
config options necessary.

> By the way, in this web page:
> http://people.apache.org/~dumindu/HowToConfigureSSL.html, I have two
> suggests,
>  
> 1st, you still use axis2/c v0.96 api, like:
>  
>
> ssl_ca_file = axis2_property_create(env);  AXIS2_PROPERTY_SET_VALUE(ssl_ca_file, env,    axis2_strdup("/home/dumindu/dummyCA/demoCA/cacert.pem", env));  AXIS2_OPTIONS_SET_PROPERTY(options, env, "SERVER_CERT", ssl_ca_file);
>

Thanks, these should be changed as I've explained in my previous email.   :)

> 2nd, You can find the complete sample code here
> <http://ww2.wso2.org/%7Edumindu/clientauth.c>. There is no link when
> clicking "here".
>  

oops my bad, will add it there soon.

Thanks,
Dumindu.

Re: How to create a SSL client to support https

Kelvin Lin
Hi Dumindu,

Sorry for the late reply.

I have tried both methods, configuring the pem file in the axis2.xml and specifying it in the code. But both failed.

I am not familiar with the https protocol and do not know how to pass the certification in code.

In short, I configure axis2.xml as:

    <transportSender name="https" class="axis2_http_sender">
        <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
    </transportSender>
    <!--<parameter name="SERVER_CERT">E:/Project/VS8/Axis2_prototype/debug/TrustList.pem</parameter>-->
    <!--<parameter name="KEY_FILE">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
    <parameter name="SSL_PASSPHRASE">passphrase</parameter>-->

Then specify pem file in the code as:

    axutil_property_t *ssl_ca_file = axutil_property_create(env);
    axutil_property_set_value(ssl_ca_file, env,
    axutil_strdup(env, "E:/Project/VS8/Axis2_prototype/debug/TrustList.pem"));
    axis2_options_set_property(options, env, "SERVER_CERT", ssl_ca_file);

And I create TrustList.pem file following the manual of Axis2/C:

For testing purposes, you can use the server's certificate instead of the CA certificate. You can obtain this by running the command openssl s_client -connect <servername>:<port> and copying the portion of the output bounded by and including:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The content of this file is:

-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

I think I don't need the client certificate-key, so I commented it out.

By the way, I entered the address in Firefox directly, and got
a certification page (attached in the attachment).

My colleague once tried to send soap message created by gsoap,
although the message itself is wrong. But he still get some error
message back and in the console of the server, there are some error
messages like I mentioned before.

The key point is that whatever method I use and whatever file I specify,
either in the axis2.xml or in the code, there is no response, not even error
messages.

The attachment is the web page I visit the address directly via firefox.

Thanks a lot.

Kelvin.Lin


Re: How to create a SSL client to support https

Dumindu Pallewela
Hi Kelvin,

If you didn't know this already:
You do *not* have to set ssl parameters *both* in axis2.xml and in your
client code. We have given the user the option to choose which he prefers.

Please find further comments inline.

Regards,
Dumindu.

> In short, I configure axis2.xml as:
>
>     <transportSender name="https" class="axis2_http_sender">
>         <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
>     </transportSender>
>     <!--<parameter
> name="SERVER_CERT">E:/Project/VS8/Axis2_prototype/debug/TrustList.pem</parameter>-->
>     <!--<parameter
> name="KEY_FILE">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
>     <parameter name="SSL_PASSPHRASE">passphrase</parameter>-->

<!-- --> tag in XML makes whatever it encloses a comment. Thus, in the
above, SERVER_CERT parameter is not set. Only the client key's pass
phrase, which you don't need, is set from the above configuration.

Since you have mentioned that you don't need client authentication,
please remove the last two lines, so that you don't have unnecessary stuff:

<transportSender name="https" class="axis2_http_sender">
     <parameter name="PROTOCOL" locked="false">HTTP/1.1</parameter>
</transportSender>
<parameter
name="SERVER_CERT">E:/Project/VS8/Axis2_prototype/debug/TrustList.pem</parameter>

Then run your axis client making sure that the AXIS2C_HOME is set to the
directory where the now edited axis2.xml resides.

Also your epr should start with https://

If this doesn't work, there is no point in trying setting these
parameters in client code.

>
> And I create TrustList.pem file following the manual of Axis2/C:
>
> For testing purposes, you can use the server's certificate instead of
> the CA certificate. You can obtain this by running the command |openssl
> s_client -connect <servername>:<port>| and copying the portion of the
> output bounded by and including:
>
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
>
> Get the content of this file is:
>
> -----BEGIN CERTIFICATE-----
> [certificate body omitted]
> -----END CERTIFICATE-----
>

This is fine.

> My colleague once tried to
>  send soap message created by gsoap,
> although the message itself is wrong. But he still get some error
> message back and in the console of the server, there are some error
> messages like I mentioned before.

can you send those error messages? even if that is not axis2 we may be
able to get an idea about what's going wrong.
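
An added example (not from the thread or the Axis2/C project): a small C check for the three axis2.xml mistakes discussed above, namely SERVER_CERT left inside an XML comment, KEY_FILE naming the same PEM as SERVER_CERT, and backslash path separators. The function, flag and sample names are hypothetical, the sample configs are constructed from the fragments quoted in the thread, and the scan is a plain string search rather than a full XML parser.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical finding flags (names belong to this example, not to Axis2/C). */
enum {
    CFG_NO_SERVER_CERT  = 1, /* no active SERVER_CERT parameter              */
    CFG_CERT_IN_COMMENT = 2, /* SERVER_CERT exists only inside an XML comment */
    CFG_KEY_EQUALS_CERT = 4, /* KEY_FILE names the same file as SERVER_CERT   */
    CFG_BACKSLASH_PATH  = 8  /* SERVER_CERT path uses backslash separators    */
};

/* Copy src into dst with every XML comment region removed. */
static void strip_xml_comments(const char *src, char *dst, size_t dst_len)
{
    size_t n = 0;
    while (*src && n + 1 < dst_len) {
        if (strncmp(src, "<!--", 4) == 0) {
            const char *end = strstr(src + 4, "-->");
            if (!end)
                break;              /* unterminated comment: ignore the rest */
            src = end + 3;
        } else {
            dst[n++] = *src++;
        }
    }
    dst[n] = '\0';
}

/* Find <parameter name="NAME">value</parameter>; copy value into out. */
static int find_param(const char *xml, const char *name, char *out, size_t out_len)
{
    char needle[64];
    const char *p, *gt, *lt;
    size_t len;

    snprintf(needle, sizeof needle, "name=\"%s\"", name);
    if (!(p = strstr(xml, needle)) || !(gt = strchr(p, '>')) ||
        !(lt = strchr(gt + 1, '<')))
        return 0;
    len = (size_t)(lt - gt - 1);
    if (len >= out_len)
        len = out_len - 1;
    memcpy(out, gt + 1, len);
    out[len] = '\0';
    return 1;
}

/* Return a bitmask of CFG_* findings for an axis2.xml fragment (up to 4 KB). */
int audit_axis2_ssl(const char *xml)
{
    char active[4096], cert[512], key[512];
    int flags = 0;

    strip_xml_comments(xml, active, sizeof active);
    if (!find_param(active, "SERVER_CERT", cert, sizeof cert)) {
        flags |= CFG_NO_SERVER_CERT;
        if (find_param(xml, "SERVER_CERT", cert, sizeof cert))
            flags |= CFG_CERT_IN_COMMENT;   /* present, but commented out */
        return flags;
    }
    if (strchr(cert, '\\'))
        flags |= CFG_BACKSLASH_PATH;
    if (find_param(active, "KEY_FILE", key, sizeof key) && strcmp(key, cert) == 0)
        flags |= CFG_KEY_EQUALS_CERT;
    return flags;
}

/* Sample configs constructed from the axis2.xml fragments quoted in the thread. */
#define SENDER \
    "<transportSender name=\"https\" class=\"axis2_http_sender\">\n" \
    "  <parameter name=\"PROTOCOL\" locked=\"false\">HTTP/1.1</parameter>\n" \
    "</transportSender>\n"
#define PEM_FWD  "E:/Project/VS8/Axis2_prototype/debug/TrustList.pem"
#define PEM_BACK "E:\\Project\\VS8\\Axis2_prototype\\debug\\TrustList.pem"

static const char SAMPLE_COMMENTED[] = SENDER
    "<!--<parameter name=\"SERVER_CERT\">" PEM_FWD "</parameter>-->\n"
    "<!--<parameter name=\"KEY_FILE\">" PEM_BACK "</parameter>\n"
    "<parameter name=\"SSL_PASSPHRASE\">passphrase</parameter>-->\n";

static const char SAMPLE_SAME_FILE[] = SENDER
    "<parameter name=\"SERVER_CERT\">" PEM_BACK "</parameter>\n"
    "<parameter name=\"KEY_FILE\">" PEM_BACK "</parameter>\n"
    "<parameter name=\"SSL_PASSPHRASE\">passphrase</parameter>\n";

static const char SAMPLE_SERVER_ONLY[] = SENDER
    "<parameter\nname=\"SERVER_CERT\">" PEM_FWD "</parameter>\n";

int main(void)
{
    printf("commented-out config: flags=%d\n", audit_axis2_ssl(SAMPLE_COMMENTED));
    printf("same-file config:     flags=%d\n", audit_axis2_ssl(SAMPLE_SAME_FILE));
    printf("server-only config:   flags=%d\n", audit_axis2_ssl(SAMPLE_SERVER_ONLY));
    return 0;
}
```
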

Re: How to create a SSL client to support https

Kelvin Lin
Hi Dumindu,
 
Thanks for your reply.
 
I am so sorry to bother you all the time. But I still failed to use https provided by Axis2/C.
 
According to my colleague's experience who used gsoap before, he didn't specify any pem file (using the same https server built by myself), but it's ok to get right response.
 
Then I asked him to change some namespace's sequence included in envelope, the program got error response as well as displayed error message in the server console.
 
The command lines are:
 
F:\Project\Axis2C>quote_good.exe ibm
SSL verify error or warning with certificate at depth 0: self signed certificate
certificate issuer /C=US/O=IBM/OU=SWG/CN=jserver
certificate subject /C=US/O=IBM/OU=SWG/CN=jserver
Company - ibm    Quote - 109.099998
 
F:\Project\Axis2C>quote_bad.exe ibm
SSL verify error or warning with certificate at depth 0: self signed certificate
certificate issuer /C=US/O=IBM/OU=SWG/CN=jserver
certificate subject /C=US/O=IBM/OU=SWG/CN=jserver
Error 12 fault: "http://websphere.ibm.com/webservices/":Client.NoSOAPAction [no
subcode]
"WSWS3147E: Error: no SOAPAction header!"
Detail: [no detail]

Running quote_good.exe is without any message in the server console, while running quote_bad.exe is with some error messages in the server console, attached as a file.

In our environment, using Axis2/C, I have tried all sorts of commenting of the following parameters, but all failed, and there is no response back and no error message displayed in the server console. So I don't think the client implemented with Axis2/C connects to the server at all.
 
<parameter name="SERVER_CERT">E:/Project/VS8/Axis2_prototype/debug/TrustList.pem</parameter>
<!--<parameter name="KEY_FILE">E:\Project\VS8\Axis2_prototype\debug\TrustList.pem</parameter>
<parameter name="SSL_PASSPHRASE">passphrase</parameter>-->
 
The final version is in the attachment.
 
The following url could be referred.
 
 
 
Thanks a lot.
 
Kelvin.Lin

Re: How to create a SSL client to support https

Ashok P
Hi Dumindu/Kelvin,

As per your suggestions, if the client doesn't need any authentication, only SERVER_CERT is required. I am not sure why SERVER_CERT is also required. Here the server certificate may expire and so on.

Is it easy to make changes in src\core\transport\http\sender\ssl\ssl_utils.c for SSL_VERIFY_NONE? I don't want any type of validation for the client.

Thanks in Advance.

Thanks,
Ashok
