Cannot set up client X509 auth in Java

Question

I've tried to setup server-side client aith in my Java application as follows:

SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setNeedClientAuth(true);

TrustManager[] trustManagers = new TrustManager[
        ]{new X509TrustManager() {
    @Override
    public void checkClientTrusted(X509Certificate[] arg0, String arg1)
            throws CertificateException {
        LoggerFactory.getLogger().fatal("Check client trusted");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] arg0, String arg1)
            throws CertificateException {
        LoggerFactory.getLogger().fatal("Check server trusted");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        LoggerFactory.getLogger().fatal("Returning accepted issuers");

        try {
            InputStream inStream = new FileInputStream("/home/sk_/client.cer");
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
            inStream.close();

            return new X509Certificate[]{cert};
        } catch (Exception e) {
            e.printStackTrace();
            LoggerFactory.getLogger().fatal("AFDASDFSAASD", e);

            return null;
        }
    }
}};

SSLContext context = SSLContext.getInstance("TLSv1.1");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
FileInputStream fin = new FileInputStream(".hive/certs/mjolnirr.jks");
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(fin, "passwd".toCharArray());

kmf.init(ks, "passwd".toCharArray());
context.init(kmf.getKeyManagers(), trustManagers, null);

SSLEngine engine = context.createSSLEngine();
engine.setNeedClientAuth(true);
engine.setEnabledCipherSuites(engine.getSupportedCipherSuites());
engine.setEnabledProtocols(engine.getSupportedProtocols());

sslContextFactory.setSslContext(context);

Also I've added SSL settings to the client:

-Djavax.net.debug=ssl 
-Djavax.net.ssl.keyStoreType=jks 
-Djavax.net.ssl.keyStore=/home/sk_/client-truststore.jks 
-Djavax.net.ssl.keyStorePassword=passwd 
-Djavax.net.ssl.trustStoreType=jks 
-Djavax.net.ssl.trustStore=/home/sk_/client-truststore.jks 
-Djavax.net.ssl.trustStorePassword=passwd

client.cer was exported from the client truststore (client-trustore.jks). Client fails with the following error:

javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1705)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:122)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:972)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1087)
...

WHat's wrong with my application?

EDIT I've added debug for ssl and handshake to the server, here is output:

*** ServerHelloDone
qtp935608254-28, WRITE: TLSv1 Handshake, length = 1442
qtp935608254-29, READ: TLSv1 Handshake, length = 77
*** Certificate chain
***
qtp935608254-29, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
qtp935608254-29, SEND TLSv1 ALERT:  fatal, description = bad_certificate
qtp935608254-29, WRITE: TLSv1 Alert, length = 2
qtp935608254-29, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain

Answer 1

Your client certificate isn't trusted by the server's truststore. The server sends a list of trusted CAs and the client has to send a certificate that is trusted by one of them. It couldn't, so it sent a null cert chain instead. If your client certificate is self-signed, or signed by an untrusted CA, you need to export it from your client keystore and import it as a trusted cert into the server's truststore.