Java + Cloudflare + Mutual authentication

I am trying to do mutual authentication …
My current problem is that it is not working using the domain … it looks like Cloudflare is not forwarding my cert.

Basically, if I go directly to the IP it works fine:

$ curl -k -E clientkey.pem https://18.228.142.39:8443/logged_info

(this works fine)

$ curl -E clientkey.pem https://xxx.mysite.com:8443/logged_info

(I get 525: SSL handshake failed)

I have enabled the SSL debugger and the certificates never reach the service.

Some SSL log when I invoke the domain:

upcoming handshake states: server finished[20]
*** Certificate chain
https-jsse-nio-8443-exec-2, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-2, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
https-jsse-nio-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
https-jsse-nio-8443-exec-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
https-jsse-nio-8443-exec-2, called closeOutbound()
https-jsse-nio-8443-exec-2, closeOutboundInternal()

Is there maybe something missing that I need to enable?

Tags: spring-boot ssl cloudflare

asked Nov 14 '18 at 17:21 by Pedro Sosa

1 Answer

I think that Cloudflare is terminating the TLS connection and then initiating a new connection to your origin, so it can't (as far as I know) just proxy the certificate through, as it never got sight of the private key on the client. It appears, based on this and this, that you can provide your root CA to Cloudflare if you're an Enterprise customer and they will validate the client identity for you against that CA. The first article also suggests you can turn on "Authenticated Origin Pulls", which will ensure only Cloudflare can talk directly to your origin servers.

The second link also says:

    For companies that use the client certificate for identification, Cloudflare can also forward any field of the client certificate as a custom header.

This indicates that you can forward a field from the key to your origin so that your origin can know who the request came from.

• David, many thanks for your answer ... I'm not an Enterprise customer ... so ... what alternatives do I have to accomplish mutual authentication? My cert is managed by Cloudflare, so I am thinking of using Let's Encrypt ...
  – Pedro Sosa
  Nov 14 '18 at 18:07

• Sadly, if you plan to continue using Cloudflare and you can't or won't pay for Enterprise, I don't think you'd have an option :( Perhaps there are alternatives like using Cloudflare for DNS but pointing directly to your origin in this case (although I presume you'd then lose a lot of the DDoS protection and easy access to web application firewall settings).
  – David Goate
  Nov 14 '18 at 18:13

• Thank you. I guess I will use another domain and another certificate ...
  – Pedro Sosa
  Nov 14 '18 at 18:47

answered Nov 14 '18 at 17:32 by David Goate
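Added example, not code from the question, the answer or Cloudflare: a Spring Boot filter for the origin side of the setup the answer describes, once Authenticated Origin Pulls are on and Cloudflare (Enterprise mTLS) forwards a certificate field as a custom header. The header name `X-Client-Cert-Subject`, the key-store and trust-store names, and the issuer DN pinned in `CLOUDFLARE_ORIGIN_PULL_ISSUER` are assumptions: the header is whatever you configure at Cloudflare, and the DN is whatever is on the origin-pull CA you import. The point it makes is that a forwarded header is only worth anything on a hop that Tomcat has authenticated as coming from Cloudflare. The question shows the origin is reachable directly on 18.228.142.39:8443, so a client that bypasses the edge could otherwise set the header itself; the filter therefore ignores the header on any direct connection and uses the peer certificate instead.

```java
// Added example for the origin side (Spring Boot 2.x on Tomcat); not the poster's code.
// Assumed application.properties for port 8443 (property names are Spring Boot's,
// file names and passwords are placeholders):
//
//   server.port=8443
//   server.ssl.key-store=classpath:origin.p12
//   server.ssl.key-store-password=changeit
//   server.ssl.client-auth=need
//   server.ssl.trust-store=classpath:client-cas.p12
//   server.ssl.trust-store-password=changeit
//
// client-auth=need makes Tomcat send a CertificateRequest and abort with the
// "null cert chain" / bad_certificate alert seen in the question when the peer presents
// nothing, which is what a Cloudflare edge without Authenticated Origin Pulls does.
// client-cas.p12 is assumed to hold two CAs: Cloudflare's origin-pull CA (so the edge
// can connect) and your own client CA (so direct connections, like the curl to the
// origin IP in the question, still work).

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class ForwardedClientCertFilter extends OncePerRequestFilter {

    // Assumed header name: Cloudflare lets you choose which certificate field is
    // forwarded and under which custom header.
    static final String FORWARDED_SUBJECT_HEADER = "X-Client-Cert-Subject";

    // Request attribute under which Tomcat exposes the chain the TLS peer presented.
    static final String PEER_CHAIN_ATTR = "javax.servlet.request.X509Certificate";

    // Assumed issuer DN of the certificate Cloudflare presents under Authenticated
    // Origin Pulls; replace it with the subject of the CA you actually imported.
    // Tomcat has already validated the chain against server.ssl.trust-store; this pin
    // stops a certificate from the *other* CA in that store being taken for the edge.
    static final X500Principal CLOUDFLARE_ORIGIN_PULL_ISSUER =
            new X500Principal("CN=origin-pull.cloudflare.net,O=CloudFlare Inc,C=US");

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String identity = resolveClientIdentity(req);
        if (identity == null) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        // Downstream controllers read the authenticated subject from this attribute.
        req.setAttribute("clientIdentity", identity);
        chain.doFilter(req, res);
    }

    /**
     * Returns the subject this request is authenticated as, or null if there is none.
     * The forwarded header is honoured only when the TLS peer on this hop is Cloudflare.
     */
    static String resolveClientIdentity(HttpServletRequest req) {
        X509Certificate[] peerChain = (X509Certificate[]) req.getAttribute(PEER_CHAIN_ATTR);
        if (peerChain == null || peerChain.length == 0) {
            // No client certificate on this hop; client-auth=need should already have
            // refused the handshake, so treat it as unauthenticated rather than trust anything.
            return null;
        }
        X509Certificate peer = peerChain[0];

        if (CLOUDFLARE_ORIGIN_PULL_ISSUER.equals(peer.getIssuerX500Principal())) {
            // Hop comes from Cloudflare: the edge validated the end user's certificate
            // against the CA uploaded there and forwarded the field we asked for.
            String forwarded = req.getHeader(FORWARDED_SUBJECT_HEADER);
            return (forwarded == null || forwarded.isEmpty()) ? null : forwarded;
        }

        // Direct connection to the origin: the peer *is* the end user. The header is
        // ignored here on purpose, because anyone who can reach the origin IP could set it.
        return peer.getSubjectX500Principal().getName();
    }
}
```

Two things worth keeping in mind with this shape: `client-auth=need` only proves that *some* certificate chaining to the trust store was presented, which is why the filter pins the issuer before it believes the header; and `X500Principal.getName()` returns the RFC 2253 form of the DN, so any authorization rules you write downstream should compare against that form rather than the display string from a browser.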











