Client SSL authentication not working

Posted on

I am attempting to enable 2 way SSL certificate authentication on a route using an https4 component in Fuse 6.2.1, e.g. using Camel 2.15.1.redhat-621090 and Karaf 2.4.0.redhat-621090. Per the online http4 component docs and this helpful github example, I think I have the correct code to create an endpoint that will send the client certificate & trust the target server's certificate as follows:

KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
keyStoreParameters.setResource(clientKeyStorePath);
keyStoreParameters.setPassword (clientKeyStorePassword);

KeyManagersParameters keyManagersParameters = new KeyManagersParameters();
keyManagersParameters.setKeyStore(keyStoreParameters);
keyManagersParameters.setKeyPassword(clientKeyPassword);

KeyStoreParameters trustStoreParameters = new KeyStoreParameters();
trustStoreParameters.setResource(serverKeyStorePath);
trustStoreParameters.setPassword(serverKeyStorePassword);
TrustManagersParameters trustManagersParameters = new TrustManagersParameters();
trustManagersParameters.setKeyStore(trustStoreParameters);

SSLContextParameters sslContextParameters = new SSLContextParameters();
sslContextParameters.setKeyManagers(keyManagersParameters);
sslContextParameters.setTrustManagers(trustManagersParameters);

HttpComponent httpComponent = getContext().getComponent("https4", HttpComponent.class);
httpComponent.setSslContextParameters(sslContextParameters);

Endpoint httpComponent = httpComponent.createEndpoint("https4://the.target.server");

There is no error stack trace, the component calls the target server properly, and it even accepts and trusts the server's SSL cert. So I know both certificate stores are being loaded and at least the trustManager piece of the code works which would seem to indicate to me that the correct sslContext is being used. However, the server responds with a 401 Not Authorized status with a message body indicating the client certificate is missing. Sure enough, enabling javax.net.ssl debugging on the JVM, I see this sequence in the SSL handshake dump

0160: D7 14 CA 11 50 39 4D 49 BE AD 6D DD 1C ....P9MI..m..
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** ECDHClientKeyExchange
ECDH Public value: {...
[write] MD5 and SHA1 hashes: len = 102

If I'm understanding the entire SSL handshake process correctly, there's supposed to be a Certificate message written by the client to the server immediately after the SeverHelloDone message and prior to the whole key exchange handshaking. But I don't see it, nor do I see it anywhere else in the SSL debug dump. Can anyone suggest what I might be doing wrong here?