Some HTTP 500 errors were being generated in a webapp.
By enabling these flags
-Djavax.net.debug=ssl:handshake
-Dssl.debug=true
-Dweblogic.log.StdoutSeverity=Debug
-Dweblogic.StdoutDebugEnabled=true
-Dwls.debug.https=true
we discovered this error:
weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NEED_TASK
bytesConsumed = 12 bytesProduced = 0.>
*** Certificate chain
***
ExecuteThread: '1' for queue: 'weblogic.socket.Muxer', fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
ExecuteThread: '1' for queue: 'weblogic.socket.Muxer', SEND TLSv1 ALERT: fatal, description = bad_certificate
ExecuteThread: '1' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1 Alert, length = 2
ExecuteThread: '1' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
<Jan 18, 2017 4:39:09 PM CET> <Debug> <SecuritySSL> <BEA-000000> <[Thread[ExecuteThread: '1' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.wrap(ByteBuffer,ByteBuffer).
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1227)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:489)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1137)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:450)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$1.run(JaSSLEngine.java:68)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.wrap(JaSSLEngine.java:66)
at weblogic.socket.JSSEFilterImpl.wrapAndWrite(JSSEFilterImpl.java:625)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:93)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:66)
at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:288)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:955)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:897)
at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:130)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
Caused By: javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:172)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1599)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:269)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:257)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1512)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:212)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:817)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:757)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1164)
at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:191)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:97)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:66)
at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:288)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:955)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:897)
at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:130)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
Examining WebLogic config.xml we notice that:
<ssl>
<client-certificate-enforced>false</client-certificate-enforced>
<listen-port>32008</listen-port>
<two-way-ssl-enabled>true</two-way-ssl-enabled>
</ssl>
and this also appears in the logs:
<Jan 20, 2017 3:07:23 PM CET> <Debug> <SecuritySSL> <BEA-000000> <[Thread[DynamicJSSEListenThread[DefaultSecure],9,WebLogicServer]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setNeedClientAuth(boolean): value=true.>
Setting the client-certificate-enforced to true fixed the issue.
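As an added example (not code from the original post), this Python sketch cross-checks the two client-certificate settings in config.xml against the SSL debug log and counts "null cert chain" handshake failures. The function names and the server name ExampleServer are hypothetical, the sample inputs are constructed from the fragments above, and it assumes a client certificate is only meant to be required when both settings are true.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, modelled on the config.xml fragment and log lines on this page.
SAMPLE_CONFIG = """<server><name>ExampleServer</name><ssl>
<client-certificate-enforced>false</client-certificate-enforced>
<listen-port>32008</listen-port>
<two-way-ssl-enabled>true</two-way-ssl-enabled>
</ssl></server>"""
SAMPLE_LOG = [
    "SSLENGINE: SSLEngine.setNeedClientAuth(boolean): value=true.>",
    "ExecuteThread: '1' for queue: 'weblogic.socket.Muxer', fatal error: 42: null cert chain",
    "javax.net.ssl.SSLHandshakeException: null cert chain",
]

NEED_RE = re.compile(r"SSLEngine\.setNeedClientAuth\(boolean\): value=(true|false)")
# This line appears once in the failed handshake shown on this page.
FATAL_RE = re.compile(r"fatal error: 42: null cert chain")

def _local(tag):
    """Strip an XML namespace so a namespaced config.xml parses the same way."""
    return tag.rsplit("}", 1)[-1]

def client_auth_mode(config_xml):
    """Return (two_way, enforced) from the first <ssl> element; absent keys are treated as false here."""
    for el in ET.fromstring(config_xml).iter():
        if _local(el.tag) == "ssl":
            vals = {_local(c.tag): (c.text or "").strip().lower() for c in el}
            return (vals.get("two-way-ssl-enabled") == "true",
                    vals.get("client-certificate-enforced") == "true")
    return (False, False)

def scan_log(lines):
    """Return (last setNeedClientAuth value or None, number of null-cert-chain failures)."""
    need, failures = None, 0
    for line in lines:
        m = NEED_RE.search(line)
        if m:
            need = m.group(1) == "true"
        if FATAL_RE.search(line):
            failures += 1
    return need, failures

def diagnose(config_xml, log_lines):
    """Return human-readable findings for a config/log pair."""
    two_way, enforced = client_auth_mode(config_xml)
    need, failures = scan_log(log_lines)
    findings = []
    # Assumption: a certificate is only required when both settings are true.
    if need is not None and need != (two_way and enforced):
        findings.append(f"config/log mismatch: two-way={two_way}, enforced={enforced}, "
                        f"but engine logged setNeedClientAuth={need}")
    if failures:
        findings.append(f"{failures} handshake(s) failed: client sent no certificate chain")
    return findings
```

Run over the constructed samples, `diagnose(SAMPLE_CONFIG, SAMPLE_LOG)` reports both the mismatch between the configured settings and the engine's logged state and the rejected handshake.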