Thank you. Everything worked fine until "Two way TLS based on trusting the Certificate

so finally I & <a class="user-mention notranslate" data-hovercard-type="user" data

javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty,about hakky54/mutual-tls-ssl

Comments (33)

sameer-dighe commented on June 27, 2024 3

so finally I & @Hakky54 resolved the issue and it was something to do with classpath and truststore wasn't getting initialised properly. it got resolved after using the absolute path for store. more to it there were some other small problems but those got resolved in less time that the first one.

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024 1

MY BAD!!! THANK YOU ! David

…

________________________________ From: Hakky54 <[email protected]> Sent: Saturday, April 20, 2019 12:30 AM To: Hakky54/mutual-tls Cc: mpkmtv; Author Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) Hi mpkmtv, The stack trace is complaining that one or both of the trustAnchor parameters are empty. Could you post your application.yml file of the client here? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ACPHB6T7WYTTK2FR2PEKWMDPRLA7XANCNFSM4HHIGSTQ>.

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

Hi mpkmtv,

thank you, good to know that up till the last section everything worked out well for you.

Regarding your issue, the stack trace is complaining that one or both of the trustAnchors parameters are empty. Basically what is means is:

The truststore is empty
The password of the truststore is empty
The truststore is not found, or
The truststore couldn't be opened (due to access permissions for example).

Could you post your application.yml file of the client here?

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024

I fixed the application.yml file for the client , but it still gives me the exception. I'm on Mac OSX . Not sure what i did wrong. client application.yml : spring: main: banner-mode: "off" client: ssl: enabled: true key-store: identity.jks key-password: secret key-store-password: secret trust-store: truststore.jks trust-store-password: secret server application.yml : spring: banner: location: classpath:banner.txt server: port: 8443 ssl: enabled: true key-store: classpath:identity.jks key-password: secret key-store-password: secret trust-store: classpath:truststore.jks trust-store-password: secret client-auth: need tomcat: accesslog: enabled: true basedir: /tmp/tomcat

…

________________________________ From: Hakky54 <[email protected]> Sent: Saturday, April 20, 2019 9:28 PM To: Hakky54/mutual-tls Cc: mpkmtv; Author Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) Closed #1<#1>. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ACPHB6SDU4BVFY7XRSSZNF3PRPUQLANCNFSM4HHIGSTQ>.

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

I copied your properties to the corresponding application.yml file of the server and client ond my machine and I am not getting an exception. Could you provide your stack-trace?

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024

Thank you so much for your help. I did it a few times from scratch following the GitHub instructions. The result is the same. here is the exception: .... org.springframework.boot.test.autoconfigure.restdocs.RestDocsTestExecutionListener@7ee8290b, org.springframework.boot.test.autoconfigure.web.client.MockRestServiceServerResetTestExecutionListener@1f59a598, org.springframework.boot.test.autoconfigure.web.servlet.MockMvcPrintOnlyOnFailureTestExecutionListener@1e178745, org.springframework.boot.test.autoconfigure.web.servlet.WebDriverTestExecutionListener@192c3f1e] 14:12:05.945 [main] DEBUG org.springframework.test.context.support.TestPropertySourceUtils - Adding inlined properties to environment: {spring.jmx.enabled=false, server.port=-1} . ____ _ __ _ _ /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ \\/ ___)| |_)| | | | | || (_| | ) ) ) ) ' |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ :: Spring Boot :: (v2.1.2.RELEASE) 2019-04-29 14:12:06.417 INFO 84979 --- [ main] n.a.client.stepdefs.HelloStepDefs : Starting HelloStepDefs on davids-MacBook-Pro-2.local with PID 84979 (started by wdavid in /Users/wdavid/GitHub/mtls/client) 2019-04-29 14:12:06.419 INFO 84979 --- [ main] n.a.client.stepdefs.HelloStepDefs : No active profile set, falling back to default profiles: default 2019-04-29 14:12:07.227 INFO 84979 --- [ main] n.a.client.stepdefs.HelloStepDefs : Started HelloStepDefs in 1.279 seconds (JVM running for 2.485) Feature: Securing the connection between you and the world @demo Scenario: Saying hello to the Server # src/test/resources/features/Hello.feature:4 Given Server is alive # HelloStepDefs.serverIsAlive() When I say hello # HelloStepDefs.iSayHello() javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1921) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1904) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1420) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at nl.altindag.client.stepdefs.HelloStepDefs.iSayHello(HelloStepDefs.java:28) at ✽.I say hello(src/test/resources/features/Hello.feature:6) Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:91) at sun.security.validator.Validator.getInstance(Validator.java:181) at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312) at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at nl.altindag.client.stepdefs.HelloStepDefs.iSayHello(HelloStepDefs.java:28) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at cucumber.runtime.Utils$1.call(Utils.java:26) at cucumber.runtime.Timeout.timeout(Timeout.java:16) at cucumber.runtime.Utils.invoke(Utils.java:20) at cucumber.runtime.java.JavaStepDefinition.execute(JavaStepDefinition.java:48) at cucumber.runner.PickleStepDefinitionMatch.runStep(PickleStepDefinitionMatch.java:50) at cucumber.runner.TestStep.executeStep(TestStep.java:63) at cucumber.runner.TestStep.run(TestStep.java:49) at cucumber.runner.PickleStepTestStep.run(PickleStepTestStep.java:43) at cucumber.runner.TestCase.run(TestCase.java:44) at cucumber.runner.Runner.runPickle(Runner.java:40) at cucumber.runtime.junit.PickleRunners$NoStepDescriptions.run(PickleRunners.java:146) at cucumber.runtime.junit.FeatureRunner.runChild(FeatureRunner.java:68) at cucumber.runtime.junit.FeatureRunner.runChild(FeatureRunner.java:23) at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290) at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71) at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288) at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58) at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268) at org.junit.runners.ParentRunner.run(ParentRunner.java:363) at cucumber.runtime.junit.FeatureRunner.run(FeatureRunner.java:73) at cucumber.api.junit.Cucumber.runChild(Cucumber.java:124) at cucumber.api.junit.Cucumber.runChild(Cucumber.java:65) at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290) at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71) at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288) at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58) at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268) at cucumber.api.junit.Cucumber$1.evaluate(Cucumber.java:133) at org.junit.runners.ParentRunner.run(ParentRunner.java:363) at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:365) at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:273) at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238) at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:159) at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384) at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345) at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418) Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89) ... 68 more Then I expect to receive status code 200 # HelloStepDefs.iExpectToReceiveStatusCode(int) And I expect to receive Hello message # HelloStepDefs.iExpectToReceiveMessage(String) Failed scenarios: src/test/resources/features/Hello.feature:4 # Saying hello to the Server 1 Scenarios (1 failed) 4 Steps (1 failed, 2 skipped, 1 passed) 0m2.389s

…

________________________________ From: Hakky54 <[email protected]> Sent: Tuesday, April 30, 2019 12:30 PM To: Hakky54/mutual-tls Cc: mpkmtv; Author Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) I copied your properties to the corresponding application.yml file of the server and client ond my machine and I am not getting an exception. Could you provide your stack-trace? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ACPHB6SCZIXRQ3LHXKD7Y7TPTCM6ZANCNFSM4HHIGSTQ>.

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

It looks like an issue with the truststore within the client project. This specific exception could mean:
The truststore is:

empty,
not found, or
couldn't be opened

The valid location for the truststore.jks and identity.jks are:

mutuals-tls/client/src/test/resources/identity.jks
mutuals-tls/client/src/test/resources/truststore.jks

Could you check the above options? If it is still not resolved, let's do a remote session so I can assist you instantly through a video call.

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024

Here they are: ~/GitHub/mtls$ ls -l client/src/test/resources/ total 64 drwxr-xr-x 11 wdavid staff 352B Apr 19 13:06 ./ drwxr-xr-x 4 wdavid staff 128B Apr 19 12:52 ../

…

-rw-r--r-- 1 wdavid staff 86B Apr 19 13:19 application.yml

-rw-r--r-- 1 wdavid staff 1.8K Apr 19 13:03 client-private.key

-rw-r--r-- 1 wdavid staff 1.1K Apr 19 13:01 client-signed.cer

-rw-r--r-- 1 wdavid staff 2.4K Apr 19 13:03 client-signed.p12

-rw-r--r-- 1 wdavid staff 1.0K Apr 19 12:57 client.csr

-rw-r--r-- 1 wdavid staff 2.5K Apr 19 13:03 client.p12 drwxr-xr-x 3 wdavid staff 96B Apr 19 12:52 features/

-rw-r--r-- 1 wdavid staff 2.4K Apr 19 13:03 identity.jks

-rw-r--r-- 1 wdavid staff 901B Apr 19 13:06 truststore.jks ~ [cid:6f4fdbf9-ee19-4cf2-82ea-fa4970f5baba] [cid:6142a971-afc7-45ab-8918-2a8a991b1712]

________________________________ From: Hakky54 <[email protected]> Sent: Tuesday, April 30, 2019 2:05 PM To: Hakky54/mutual-tls Cc: mpkmtv; Author Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) Reopened #1<#1>. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ACPHB6VWCQ5KYVQJZ6RJZU3PTCYDPANCNFSM4HHIGSTQ>.

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024

I cleaned some changes I made and recompiled the code . Now I'm more confused . I got different exception . sorry for this ... 14:43:11.239 [main] DEBUG org.springframework.test.context.support.TestPropertySourceUtils - Adding inlined properties to environment: {spring.jmx.enabled=false, server.port=-1} 2019-04-30 14:43:11.702 INFO 98094 --- [ main] n.a.client.stepdefs.HelloStepDefs : Starting HelloStepDefs on davids-MacBook-Pro-2.local with PID 98094 (started by wdavid in /Users/wdavid/GitHub/mtls/client) 2019-04-30 14:43:11.704 INFO 98094 --- [ main] n.a.client.stepdefs.HelloStepDefs : No active profile set, falling back to default profiles: default 2019-04-30 14:43:12.806 INFO 98094 --- [ main] n.a.client.stepdefs.HelloStepDefs : Started HelloStepDefs in 1.564 seconds (JVM running for 2.643) Feature: Securing the connection between you and the world @demo Scenario: Saying hello to the Server # src/test/resources/features/Hello.feature:4 Given Server is alive # HelloStepDefs.serverIsAlive() When I say hello # HelloStepDefs.iSayHello() javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135) at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779) at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124) at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156) at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266) at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at nl.altindag.client.stepdefs.HelloStepDefs.iSayHello(HelloStepDefs.java:28) at ✽.I say hello(src/test/resources/features/Hello.feature:6) Then I expect to receive status code 200 # HelloStepDefs.iExpectToReceiveStatusCode(int) And I expect to receive Hello message # HelloStepDefs.iExpectToReceiveMessage(String) Failed scenarios: src/test/resources/features/Hello.feature:4 # Saying hello to the Server 1 Scenarios (1 failed) 4 Steps (1 failed, 2 skipped, 1 passed) 0m2.225s

…

________________________________ From: David Wallman <[email protected]> Sent: Tuesday, April 30, 2019 2:24 PM To: Hakky54/mutual-tls Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) Here they are: ~/GitHub/mtls$ ls -l client/src/test/resources/ total 64 drwxr-xr-x 11 wdavid staff 352B Apr 19 13:06 ./ drwxr-xr-x 4 wdavid staff 128B Apr 19 12:52 ../

-rw-r--r-- 1 wdavid staff 86B Apr 19 13:19 application.yml

-rw-r--r-- 1 wdavid staff 1.8K Apr 19 13:03 client-private.key

-rw-r--r-- 1 wdavid staff 1.1K Apr 19 13:01 client-signed.cer

-rw-r--r-- 1 wdavid staff 2.4K Apr 19 13:03 client-signed.p12

-rw-r--r-- 1 wdavid staff 1.0K Apr 19 12:57 client.csr

-rw-r--r-- 1 wdavid staff 2.5K Apr 19 13:03 client.p12 drwxr-xr-x 3 wdavid staff 96B Apr 19 12:52 features/

-rw-r--r-- 1 wdavid staff 2.4K Apr 19 13:03 identity.jks

-rw-r--r-- 1 wdavid staff 901B Apr 19 13:06 truststore.jks ~ [cid:6f4fdbf9-ee19-4cf2-82ea-fa4970f5baba] [cid:6142a971-afc7-45ab-8918-2a8a991b1712]

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

This exception will be thrown if the certificate is untrusted by one of the sides. So it means that the certificate of the server is not in the truststore of the client or the other way around, so it could be that the certificate of the client is not in the truststore of the server. Could you reimport the certificate of the client into the truststore of the server and also reimport the certificate of the server into the truststore of the client and recompile and start the test again?

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024

Wait, I have THE SAME ca-root certificate in the server and the client truststores: [cid:e94f3828-cb29-4cac-820f-5294641613e3]

…

________________________________ From: Hakky54 <[email protected]> Sent: Tuesday, April 30, 2019 3:07 PM To: Hakky54/mutual-tls Cc: mpkmtv; Author Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) This exception will be thrown if the certificate is untrusted by one of the sides. So it means that the certificate of the server is not in the truststore of the client or the other way around, so it could be that the certificate of the client is not in the truststore of the server. Could you reimport the certificate of the client into the truststore of the server and also reimport the certificate of the server into the truststore of the client and recompile and start the test again? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ACPHB6XMHQNB4BATU27GOTLPTC7IRANCNFSM4HHIGSTQ>.

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024

Could this be a problem? ~/GitHub/mtls$ keytool -importkeystore -srckeystore client/src/test/resources/identity.jks -destkeystore client/src/test/resources/client.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass secret -deststorepass secret Importing keystore client/src/test/resources/identity.jks to client/src/test/resources/client.p12... Import command completed: 0 entries successfully imported, 0 entries failed or cancelled

…

________________________________ From: David Wallman <[email protected]> Sent: Tuesday, April 30, 2019 3:46 PM To: Hakky54/mutual-tls Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) Wait, I have THE SAME ca-root certificate in the server and the client truststores: [cid:e94f3828-cb29-4cac-820f-5294641613e3]

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

Having the same root-ca certificate in both of the trust stores are fine.

The import message from your last comment doesn't look ok. It should have given you the following message: Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Could you please try again exactly all the steps from chapter Creating a Certificate Authority including the openssl commands.
Somehow exporting your identity certificate and signing it with the root-ca has not happend.

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024

I did everything from scratch and still getting the exception. Can we do a session with shared desktop? It might be very helpful 16:21:17.931 [main] DEBUG org.springframework.test.context.support.TestPropertySourceUtils - Adding inlined properties to environment: {spring.jmx.enabled=false, server.port=-1} 2019-04-30 16:21:18.399 INFO 366 --- [ main] n.a.client.stepdefs.HelloStepDefs : Starting HelloStepDefs on davids-MacBook-Pro-2.local with PID 366 (started by wdavid in /Users/wdavid/GitHub/mtls/client) 2019-04-30 16:21:18.400 INFO 366 --- [ main] n.a.client.stepdefs.HelloStepDefs : No active profile set, falling back to default profiles: default 2019-04-30 16:21:19.463 INFO 366 --- [ main] n.a.client.stepdefs.HelloStepDefs : Started HelloStepDefs in 1.529 seconds (JVM running for 2.606) Feature: Securing the connection between you and the world @demo Scenario: Saying hello to the Server # src/test/resources/features/Hello.feature:4 Given Server is alive # HelloStepDefs.serverIsAlive() When I say hello # HelloStepDefs.iSayHello() javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135) at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779) at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124) at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156) at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266) at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at nl.altindag.client.stepdefs.HelloStepDefs.iSayHello(HelloStepDefs.java:28) at ✽.I say hello(src/test/resources/features/Hello.feature:6) Then I expect to receive status code 200 # HelloStepDefs.iExpectToReceiveStatusCode(int) And I expect to receive Hello message # HelloStepDefs.iExpectToReceiveMessage(String) Failed scenarios: src/test/resources/features/Hello.feature:4 # Saying hello to the Server 1 Scenarios (1 failed) 4 Steps (1

…

________________________________ From: Hakky54 <[email protected]> Sent: Tuesday, April 30, 2019 3:59 PM To: Hakky54/mutual-tls Cc: mpkmtv; Author Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) Yes, that part doesn't look ok. It should have give you the following message: Import command completed: 1 entries successfully imported, 0 entries failed or cancelled Could you please try again exactly all the steps from chapter Creating a Certificate Authority Somehow exporting your identity certificate and signing it with the root-ca has not happend. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ACPHB6SHND7PQ4XG5OKSCILPTDFNRANCNFSM4HHIGSTQ>.

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

Sure, add me at Discord and let's continue over there. My username is Hakky54#8471

from mutual-tls-ssl.

mpkmtv commented on June 27, 2024

Thanks, I created discord account , but i'm new to it. Here is the chat invitation : https://discord.gg/5DqB4E David

…

________________________________ From: Hakky54 <[email protected]> Sent: Tuesday, April 30, 2019 11:36 PM To: Hakky54/mutual-tls Cc: mpkmtv; Author Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1) Sure, add me at discord and let's continue over there. My username is Hakky54#8471 — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#1 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ACPHB6TNLQ72W72UNW57XKDPTE265ANCNFSM4HHIGSTQ>.

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

David and I did a remote video session and retried the steps described in the Readme and it worked with the first try. Looking at the exception what David had previously it could mean that the certificate was not trusted because it wasn't signed properly or wasn't trusted.

from mutual-tls-ssl.

sameer-dighe commented on June 27, 2024

Hey @Hakky54 , did you solve above issue with @mpkmtv ? I am also getting same issue and struggling with same.

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

Yes we resolved the issue. We could not find the root cause but we started from scratch with the tutorial and followed everything step by step. So my assumption was that he missed a step in the tutorial back then. Can you try to run the script test-all-scenarios.sh file and share your results here?

from mutual-tls-ssl.

sameer-dighe commented on June 27, 2024

I checked your repo but you mentioned that Java 11 is must and I am on jdk 8 and I can't upgrade it.

from mutual-tls-ssl.

sameer-dighe commented on June 27, 2024

Yes we resolved the issue. We could not find the root cause but we started from scratch with the tutorial and followed everything step by step. So my assumption was that he missed a step in the tutorial back then. Can you try to run the script test-all-scenarios.sh file and share your results here?

do you have some time for video call?

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

I am not available today and tomorrow, but from Sunday onwards I am available everyday for a call. Let's continue the chat on Gitter and discuss the next steps https://gitter.im/hakky54/mutual-tls-ssl

from mutual-tls-ssl.

chetnajoshi889 commented on June 27, 2024

Hi @sameer-dighe , I'm also getting same error like Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Could you please help me to resolve this error?

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

The truststore is empty

The password of the truststore is empty

The truststore is not found, or

The truststore couldn't be opened (due to access permissions for example).

Hi @chetnajoshi889 your issue might be related to one of the options quoted above. Or your truststore does not contain the trusted certificates

from mutual-tls-ssl.

rajatzeal commented on June 27, 2024

Hi @Hakky54 ,
I am also facing the same issue, tried all sorts of corrections but no luck.
Please assist me in solving this, have an urgent delivery to make and I am stuck on this point since past two days.

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

Hi @rajatzeal
Can you maybe share some code snippets, than I will be able to understand how you setup your client with ssl.

from mutual-tls-ssl.

rajatzeal commented on June 27, 2024

this is the basic setup for initialising Google chrome and it’s settings

from mutual-tls-ssl.

rajatzeal commented on June 27, 2024

I can share my screen if you are available for a call, I’m really stuck with the issue and would appreciate your help

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

I can understand your setup is not working. The ssl configuration of Selenium with the ChromeDriver is just not working with only the ChromeOptions. I would suggest to have a look at this stackoverflow answer here: https://stackoverflow.com/a/56170148/6777695

In the example above all https requests are getting intercepted and being executed alongside with ayour custom sslcontext.

The author has made his code snippet available here at GitHub: https://github.com/patricsteiner/seleniumSslProxy
I am fully booked today and tomorrow unfortunatelly , so I don't have time... But looking at the code snippet on that GitHub page I think you will get it working. Please give it a try and I still can try to assist you if you share your progress over here.

from mutual-tls-ssl.

rajatzeal commented on June 27, 2024

Ok , will try to check with these solutions.
Meanwhile please try if you could take out time today, just a quick call would do

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

I will be available at 13:00 CEST till 14:00 CEST, so we can have a look at it. Let's use Teamviewer. You can share your teamviewer id and password on the private Gitter chat with me directly

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

We did a short call with @rajatzeal and it seems like his HttpClient was not trusting the certificate of the server. It is the same point which I mentioned here: #1 (comment)

He needs to export the server certificate, create a SSLContext and configure his HttpClient so the client will trust the server.

from mutual-tls-ssl.

Hakky54 commented on June 27, 2024

I noticed that a-lot of developers are facing this exception or similar ones. If anyone has still trouble resolving these kind of issues feel free to ping me, I am able to provide support. My mail address is [email protected]

from mutual-tls-ssl.

javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty about mutual-tls-ssl HOT 33 CLOSED

Comments (33)

I noticed that a-lot of developers are facing this exception or similar ones. If anyone has still trouble resolving these kind of issues feel free to ping me, I am able to provide support. My mail address is [email protected]

Related Issues (19)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent