Java + Cloudflare + Mutual authentication
I am trying to do a mutual authentication …
My current problem is that it is not working using the domain … it looks like Cloudflare is not forwarding my cert.
Basically, if I go directly to the IP it works fine:
$ curl -k -E clientkey.pem https://18.228.142.39:8443/logged_info
(this works fine)
$ curl -E clientkey.pem https://xxx.mysite.com:8443/logged_info
(I got 525: SSL handshake failed)
I have enabled the SSL debugger and the certificates never reach the service.
Some SSL log output when I invoke the domain:
upcoming handshake states: server finished[20]
*** Certificate chain
https-jsse-nio-8443-exec-2, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
https-jsse-nio-8443-exec-2, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
https-jsse-nio-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
https-jsse-nio-8443-exec-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
https-jsse-nio-8443-exec-2, called closeOutbound()
https-jsse-nio-8443-exec-2, closeOutboundInternal()
Is there maybe something missing that I need to enable?
spring-boot ssl cloudflare
asked Nov 14 '18 at 17:21
Pedro Sosa
106
1 Answer
I think that Cloudflare is terminating the TLS connection and then initiating a new connection to your origin, so it can't (as far as I know) just proxy the certificate through, as it never got sight of the private key on the client. It appears based on this and this that you can provide your root CA to Cloudflare if you're an enterprise customer and they will validate the client identity for you, against that CA. The first article also suggests you can turn on "Authenticated Origin Pulls", which will ensure only Cloudflare can talk directly to your origin servers.
The second link also says:
For companies that use the client certificate for identification, Cloudflare can also forward any field of the client certificate as a custom header.
This indicates that you can forward a field from the key to your origin in order that your origin can know who the request came from.
answered Nov 14 '18 at 17:32
David Goate
1,17221538
David, many thanks for your answer ... I'm not an enterprise customer ... so ... what alternatives do I have to accomplish mutual authentication? My cert is managed by Cloudflare, so I am thinking of using Let's Encrypt ...
– Pedro Sosa
Nov 14 '18 at 18:07
Sadly, if you plan to continue using Cloudflare and you can't or won't pay for enterprise, I don't think you'd have an option :( Perhaps there are alternatives like using Cloudflare for DNS but pointing directly to your origin in this case (although I presume you'd then lose a lot of the DDoS protection and easy access to web application firewall settings).
– David Goate
Nov 14 '18 at 18:13
Thank you. I guess I will use another domain and another certificate ...
– Pedro Sosa
Nov 14 '18 at 18:47
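The design the answer describes (the edge validates the end user's client certificate against your CA, forwards a certificate field as a header, and Authenticated Origin Pulls ensures only the edge can reach the origin) leaves one check for the origin itself: the forwarded header may be trusted only on a TLS connection that the edge authenticated with its own certificate. The question shows why this matters, since the origin at port 8443 is reachable directly by IP, so anyone could send that header themselves. The following Spring Boot origin is an added example; it is not code from the question, the answer, or Cloudflare. The header name X-Client-Cert-Subject, the edge certificate subject, and the keystore paths are assumptions.

```java
// Added example: a Spring Boot origin behind an mTLS-terminating edge.
// Assumed application.properties for the origin:
//   server.port=8443
//   server.ssl.key-store=classpath:origin.p12
//   server.ssl.key-store-password=${ORIGIN_KEYSTORE_PASSWORD}
//   server.ssl.trust-store=classpath:edge-ca.p12        (holds only the edge's origin-pull CA)
//   server.ssl.trust-store-password=${EDGE_TRUSTSTORE_PASSWORD}
//   server.ssl.client-auth=need                         (TLS fails without an edge certificate)

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class EdgeForwardedIdentityFilter extends OncePerRequestFilter {

    // Hypothetical header in which the edge forwards the subject DN it extracted from the
    // end user's client certificate after validating it against our CA.
    static final String IDENTITY_HEADER = "X-Client-Cert-Subject";

    // Subject DN(s) of the certificate the edge presents to this origin (hypothetical value).
    // Only a connection authenticated with one of these may carry IDENTITY_HEADER.
    static final Set<String> TRUSTED_EDGE_SUBJECTS =
            Set.of("CN=edge-origin-pull.example,O=Example Edge");

    // Servlet-spec request attribute holding the peer certificate chain of this TLS connection.
    private static final String PEER_CHAIN_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Optional<String> identity = resolveIdentity(
                (X509Certificate[]) request.getAttribute(PEER_CHAIN_ATTR),
                request.getHeader(IDENTITY_HEADER));
        if (identity.isEmpty()) {
            // Either the peer is not the edge (a client hit the origin IP directly, as the
            // curl-to-IP test in the question does) or the edge forwarded no identity.
            // A header arriving from an unauthenticated peer is attacker-controlled, so refuse.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Hand the edge-verified identity to the application layer under a fixed attribute name.
        request.setAttribute("clientIdentity", identity.get());
        chain.doFilter(request, response);
    }

    /** Returns the forwarded identity only when the connection was authenticated by the edge. */
    static Optional<String> resolveIdentity(X509Certificate[] peerChain, String forwardedSubject) {
        if (peerChain == null || peerChain.length == 0) {
            // client-auth=need should already have rejected this at the TLS layer; defend anyway.
            return Optional.empty();
        }
        // Leaf certificate of the peer, rendered in RFC 2253 form for an exact match.
        String peerSubject = peerChain[0].getSubjectX500Principal().getName();
        if (!TRUSTED_EDGE_SUBJECTS.contains(peerSubject)) {
            return Optional.empty();
        }
        if (forwardedSubject == null || forwardedSubject.isBlank()) {
            return Optional.empty();
        }
        return Optional.of(forwardedSubject);
    }
}
```

The truststore restricts the origin to peers chaining to the edge's CA, and the subject check narrows that further to the specific origin-pull certificate; the header is never read before both hold. Without the edge-authenticated connection the origin is back to the situation in the question, where the TLS session it sees carries no end-user certificate at all.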