Mule / MULE-5213

https:tls-client config not used with rest-service-component

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Do
    • Affects Version/s: 3.0.1
    • Fix Version/s: None
    • Labels:
      None
    • Severity:
      S2

      Description

      I'm in the process of migrating a solution from 2.2.1 to 3.0.1. When we move from 2.2.1 to 3.0.1 we also split the solution into a number of Mule apps. Now we have a problem with one of these apps that uses the http:rest-service-component to communicate with a service over SSL that requires client authentication. When the rest-service-component calls the service I get javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
      This is the configuration of the https-connector:

      <https:connector name="httpConnector">
        <https:tls-client path="${clientstore.path}" storePassword="${clientstore.storePassword}" />
        <https:tls-key-store path="${keystore.path}" keyPassword="${keystore.keyPassword}" storePassword="${keystore.storePassword}" />
        <https:tls-server path="${truststore.path}" storePassword="${truststore.storePassword}" />
      </https:connector>

      To debug this I added -Djavax.net.debug=ssl when starting Mule. When Mule initializes the key manager I just see the certificate from ${keystore.path}. I can also see that all certs in ${truststore.path} are added as trusted.

      I then used SSLPoke to see that my keystores are in order.
      java -Djavax.net.ssl.trustStore=trust.keystore -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=client.keystore -Djavax.net.ssl.keyStorePassword=changeit SSLPoke <hostname> 443
      The response from SSLPoke is: Successfully connected.

      If I remove client.keystore when running SSLPoke I get the same exception as in Mule: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
      java -Djavax.net.ssl.trustStore=trust.keystore -Djavax.net.ssl.trustStorePassword=changeit SSLPoke <hostname> 443

      If I change the config to this, it works for the http:rest-service-component.
      <https:connector name="httpConnector">
        <https:tls-client path="${clientstore.path}" storePassword="${clientstore.storePassword}" />
        <https:tls-key-store path="${clientstore.path}" keyPassword="${clientstore.storePassword}" storePassword="${clientstore.storePassword}" />
        <https:tls-server path="${truststore.path}" storePassword="${truststore.storePassword}" />
      </https:connector>

      We also have another Mule app that exposes a rest-interface over SSL that also calls the same service, but in this app the original https:connector config works just fine.
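
A way to check which of the configured stores can actually supply a client certificate, complementing the -Djavax.net.debug=ssl output described in the report. This is an added example, not part of the original report, Mule or SSLPoke; the class name ClientIdentityCheck is hypothetical, it assumes Java 9 or later, and the store path and passwords are passed on the command line.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical helper (not part of Mule or SSLPoke); requires Java 9+.
public class ClientIdentityCheck {

    // Aliases the JDK's default X509KeyManager would offer as a client certificate.
    static List<String> clientAliases(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword); // throws UnrecoverableKeyException on a wrong key password
        List<String> out = new ArrayList<>();
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            for (String type : new String[] {"RSA", "EC", "DSA"}) {
                String[] aliases = ((X509KeyManager) km).getClientAliases(type, null);
                if (aliases != null) out.addAll(Arrays.asList(aliases));
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java ClientIdentityCheck <store> <storePassword> [keyPassword]");
            System.exit(2);
        }
        char[] storePw = args[1].toCharArray();
        char[] keyPw = args.length > 2 ? args[2].toCharArray() : storePw;
        KeyStore ks = KeyStore.getInstance(new File(args[0]), storePw); // detects JKS or PKCS12

        // A store holding only trusted certificates cannot authenticate the client.
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key entry (usable identity)" : "trusted certificate only";
            String subject = ks.getCertificate(alias) instanceof X509Certificate
                ? ((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal().getName() : "n/a";
            System.out.println(alias + ": " + kind + ", subject=" + subject);
        }
        List<String> offered = clientAliases(ks, keyPw);
        System.out.println(offered.isEmpty()
            ? "No client identity in this store"
            : "Client aliases available to the key manager: " + offered);
    }
}
```

Running it once against ${keystore.path} and once against ${clientstore.path} shows which store holds the certificate the remote service expects.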


            People

            Assignee:
            afelisatti@mulesoft.com Ana Laura Felisatti
            Reporter:
            heka Henrik Karlsson [X] (Inactive)
            Votes:
            5
            Watchers:
            4
