From a8e726382b0472ad030d7a579fe8d6878a216bd4 Mon Sep 17 00:00:00 2001 From: Christof Rabensteiner Date: Thu, 27 Jun 2019 13:11:53 +0200 Subject: Fixes; SSL Client Auth Works! - Switch to java 12 for now. Reason: Bug [1] in JDK 11 (up to jdk-11+28) impairs SSLHandshake ("Unsupported Operation Exception"), but was fixed in Java 12. - Set HTTP policy to infinite. - Fix key/truststore path resolution - Fix NPE in ConfigUtil.merge - Rearrange application.yaml to include two config profiles (one with and one without SSL for the msg client). - Add key material for testcases (Note: expires: May 2 14:47:08 2020 GMT) - Update MsgClient Testcases [1] https://bugs.openjdk.java.net/browse/JDK-8214098 --- src/main/resources/application.yaml | 38 ++++++----------------------- src/main/resources/ssl/client.cert.key.p12 | Bin 0 -> 6221 bytes src/main/resources/ssl/truststore.jks | Bin 0 -> 1648 bytes src/main/resources/ssl/truststore.p12 | Bin 0 -> 1776 bytes 4 files changed, 8 insertions(+), 30 deletions(-) create mode 100644 src/main/resources/ssl/client.cert.key.p12 create mode 100644 src/main/resources/ssl/truststore.jks create mode 100644 src/main/resources/ssl/truststore.p12 (limited to 'src/main/resources') diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml index a0040ca..2d376a8 100644 --- a/src/main/resources/application.yaml +++ b/src/main/resources/application.yaml @@ -13,56 +13,34 @@ spring: # Order: DeliveryRequest/Config > [chosen-profile] > default delivery-request-configuration-profiles: default: - perform-query-person-request: false + msg-client.url: http://localhost:8081/services/DeliveryRequest - ## All parameters for MSG client. + ssl-profile: + perform-query-person-request: false msg-client: - - url: http://localhost:8081/services/DeliveryRequest - + url: https://localhost/zusemsg/services/DeliveryRequest ssl: - ## Boolean; if true, app will trust all server certificates; ## if false, server certificate needs to be in truststore. trust-all: false - ## Boolean; if true, app ignores mismatches between server's host name and ## Certificate's common name / alternative subject name. lax-hostname-verification: false - ## Parameters for ssl client auth keystore: - ## Absolute path to file - filename: ssl/client.jks + ## Path to file + filename: ssl/client.cert.key.p12 ## Password to unlock key store. - password: 1233 + password: 123456 ## JKS or PKCS12 - type: JKS - - - - app-profile-1: - msg: - url: https://msg-url1.com - perform-query-person-request: true - - app-profile-2: - msg: - url: https://msg-url2.com + type: PKCS12 ## If set to false, moa zs ignores an incomplete default DeliveryRequest-configuration ## profile and continues startup. See 'delivery-request-configuration-profiles'. ## Default value: true # verify-completeness-of-default-delivery-request-configuration: false -## todo: fix this -# ssl.keystore.file=../keys/www.egiz.gv.at.p12 -# egovutil.mis.ssl.keystore.password=OSgmSn! -# egovutil.mis.ssl.keystore.type=PKCS12 -# egovutil.mis.ssl.trustall=true -# egovutil.mis.ssl.laxhostnameverification=false - ### logging logging: level: diff --git a/src/main/resources/ssl/client.cert.key.p12 b/src/main/resources/ssl/client.cert.key.p12 new file mode 100644 index 0000000..f3becbf Binary files /dev/null and b/src/main/resources/ssl/client.cert.key.p12 differ diff --git a/src/main/resources/ssl/truststore.jks b/src/main/resources/ssl/truststore.jks new file mode 100644 index 0000000..3f90814 Binary files /dev/null and b/src/main/resources/ssl/truststore.jks differ diff --git a/src/main/resources/ssl/truststore.p12 b/src/main/resources/ssl/truststore.p12 new file mode 100644 index 0000000..67eb611 Binary files /dev/null and b/src/main/resources/ssl/truststore.p12 differ -- cgit v1.2.3