Jul 26th, 2006, 09:06 AM
HttpInvoker with two way ssl
I am trying to write a webservice with the Spring HttpInvoker that requires mutual authentication. I successfully wrote both the client and server sides using only server side authentication. Then I configured Apache so that it would require a client certificate. I'm fairly sure that Apache is configured correctly because my web browsers and openssl client can not perform the ssl handshake without a client certificate, but with the client certificate they work correctly.
The problem is when I run my JUnit tests, the first test fails to connect to the server with an HTTP 405 error, and the next tests all pass. I haven't put my client certificate into the Java keystore yet, so I was expecting all of the tests to fail with a 403 error.
The server's error log says:
[debug] Changed client verification type will force renegotiation.
[error] SSL re-negotiation in conjunction with POST method not supported! Hint: try SSLOptions +OptRenegotiate
For my RequestExecutor, I am using a CommonsHttpInvokerRequestExecutor with the default settings. If I try it with a SimpleHttpInvokerRequestExecutor, all of my JUnit tests receive the same 405 error.
Does anyone know why my Java client can usually get into my secured web services when web browsers and openssl cannot?