Triaging Mutual Authentication Client Certificate SSL

Recently we needed to connect to a third party application that was using Mutual SSL authentication.

We had some trouble with firewalls and squid proxies when we deployed it to our client’s environment.

We wanted to capture some of the tools we used to help us triage the connection.

Testing the connection in the web browser:

We used Firefox but likely you could do the same in Chrome or IE.

Step #1: Install the client Certificate

When we try to connect to the https URL we get the following error:

To install the client certificate:

Tools -> Options -> Advanced -> Encryption <TAB> -> View Certificates

Under “Your Certificates” hit Import…

Now try and hit the URL:

We had the following error because our URL doesn’t support GET requests:

Error 405: HTTP method GET is not supported by this URL

Step #2: Install a plugin that allows you to do POST requests.

– We used the POSTER plugin for Firefox.

Tools -> Poster

– Enter URL

– Enter your post content. I put garbage in because I’m just testing connectivity.

– Hit POST:

Although the response is an HTTP error, it shows we are connecting correctly: the TLS handshake with the client certificate succeeded and the error came back from the application itself.

We then posted a well-formed request and got a successful response.

Step #3: Take note of the squid proxy setup in the web browser:

Our Java client application still could not connect, so we checked for a proxy setup in Firefox and, lo and behold, found one:

Step #4: Use the proxy in our client application:

– We set this proxy up in the Java HttpClient and were then able to connect successfully.

NOTE: We’re using Apache HttpComponents HttpClient version 4.1 to connect.

Here’s how we did the proxy:

    // Enabled with -DuseProxy=true; the proxy expects basic credentials
    if (Boolean.getBoolean("useProxy")) {
        httpclient.getCredentialsProvider().setCredentials(
                new AuthScope("internet.apps.foo.ca", 8080),
                new UsernamePasswordCredentials("user", "password"));
        // Route every request through the squid proxy found in the Firefox settings
        HttpHost proxy = new HttpHost("internet.apps.foo.ca", 8080, "http");
        httpclient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
    }
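Putting the four steps together in one Java program, as an added example that is not the post's own code: it loads the client certificate (the PKCS#12 file Firefox exports) and a truststore into HttpClient 4.1, optionally routes through the proxy from the post, POSTs a test body, and then reports which layer any failure belongs to, so a 405 is recognised as "TLS is fine" while a handshake or connect failure points at the certificate or the firewall/proxy. The keystore paths, passwords, proxy credentials and the target URL are placeholders; the proxy host and port are the ones from the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLHandshakeException;

import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.HttpHostConnectException;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

// Mutual-TLS connectivity triage with HttpClient 4.1 (added example, not the post's code).
public class MutualTlsTriage {

    // ASSUMED placeholders: client cert exported from Firefox as PKCS#12, plus a JKS
    // truststore holding the third party's CA. Replace for your own environment.
    private static final String CLIENT_P12 = "/path/to/client-cert.p12";
    private static final String CLIENT_P12_PASSWORD = "changeit";
    private static final String TRUSTSTORE_JKS = "/path/to/truststore.jks";
    private static final String TRUSTSTORE_PASSWORD = "changeit";

    // Proxy host/port from the post; the credentials are placeholders.
    private static final String PROXY_HOST = "internet.apps.foo.ca";
    private static final int PROXY_PORT = 8080;

    private static KeyStore loadKeyStore(String type, String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    // Builds a client that presents the client certificate and, optionally, uses the proxy.
    static DefaultHttpClient buildClient(boolean useProxy) throws Exception {
        KeyStore keystore = loadKeyStore("PKCS12", CLIENT_P12, CLIENT_P12_PASSWORD);
        KeyStore truststore = loadKeyStore("JKS", TRUSTSTORE_JKS, TRUSTSTORE_PASSWORD);

        // keystore = our cert + private key; truststore = which server certs we accept.
        // Hostname verification is left at the strict default.
        SSLSocketFactory sslFactory = new SSLSocketFactory(keystore, CLIENT_P12_PASSWORD, truststore);

        DefaultHttpClient httpclient = new DefaultHttpClient();
        httpclient.getConnectionManager().getSchemeRegistry()
                  .register(new Scheme("https", 443, sslFactory));

        if (useProxy) {
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(PROXY_HOST, PROXY_PORT),
                    new UsernamePasswordCredentials("proxyuser", "proxypassword"));
            HttpHost proxy = new HttpHost(PROXY_HOST, PROXY_PORT, "http");
            httpclient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
        }
        return httpclient;
    }

    // POSTs a test body and classifies the outcome by layer.
    static String triage(String url, String body, boolean useProxy) {
        DefaultHttpClient httpclient = null;
        try {
            httpclient = buildClient(useProxy);
            HttpPost post = new HttpPost(url);
            StringEntity entity = new StringEntity(body, "UTF-8");
            entity.setContentType("application/xml");
            post.setEntity(entity);

            HttpResponse response = httpclient.execute(post);
            int status = response.getStatusLine().getStatusCode();
            String text = response.getEntity() == null ? "" : EntityUtils.toString(response.getEntity());
            // Any HTTP status at all means TCP, proxy and the mutual-TLS handshake worked;
            // a 405 like the one in the post is an application-layer issue, not a TLS one.
            return "HTTP " + status + " (transport and TLS OK): " + text;
        } catch (SSLHandshakeException e) {
            // Server rejected our cert, or we rejected its cert: check keystore/truststore.
            return "TLS handshake failed: " + e.getMessage();
        } catch (HttpHostConnectException e) {
            // No socket answered (the proxy's, if configured): firewall or wrong/missing proxy.
            return "TCP connect failed (firewall or proxy?): " + e.getMessage();
        } catch (Exception e) {
            return "Other failure: " + e;
        } finally {
            if (httpclient != null) {
                httpclient.getConnectionManager().shutdown();
            }
        }
    }

    public static void main(String[] args) {
        String url = args.length > 0 ? args[0] : "https://thirdparty.example.com/service";
        System.out.println(triage(url, "<ping/>", Boolean.getBoolean("useProxy")));
    }
}
```

Run it with `-DuseProxy=true` to reproduce Step #4, and add `-Djavax.net.debug=ssl` to the JVM when the handshake branch fires: the debug output shows whether the server ever sent a CertificateRequest and which certificate chain the client offered, which is usually enough to tell a missing client key from an untrusted server certificate.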