XFireFault: Can Not Invoke Service over SSL
I thought I would post this because it was totally my fault and prior to figuring it out myself, googling for this did not provide an answer. XFire is a SOAP framework for Java, which is incredibly popular. Earlier in the week, several developers contacted me with an interesting problem: Their web service requests over SSL were not getting a response back. It wasn't that they were not getting any data back--as far as they were concerned, they never connected to the site.
Tailing the web servers logs, I could confirm that the client's requests were never getting fulfilled but interestingly enough, when they connected with a web browser to the same exact ssl-encrypted resource, everything was fine. Making the issue even more vexing was that when I fired up tcpdump on my BigIP LTM, I could see them hitting the site but nothing was forwarded to the web server.
Development forwarded me a copy of their stack trace and the first entry in the stack trace was the following:
Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: Couldn't send message
So, after reading through a tcpdump, I discovered that a TLS Alert was getting generated by the client along with a "Certificate Unknown" error message and it did not take long to deduce that the SSL Handshake was failing because XFire did not recognize that my cert was signed by a valid CA. My site was signed by an Intermediate peer certificate but the ssl_client profile was not configured to utilize this certificate in the chain. Once the profile on the BigIP was updated to chain that intermediate certificate, the web service client (and SOAPUI) was able to connect.
UPDATE-SEPTEMBER 26, 2009: If you are utilizing a self-signed certificate, the above method isn't really going to work but the XFire exception will be the same. As with any self-signed certificate, the problem is that your client does not recognize the CA that signed your self-signed certificate so the client generates a warning to that effect. Some clients do not trap these exceptions all that well and instead of generating a warning like browsers do that the CA is unrecognized, they generate many different types of errors like "Unknown Protocol Error" or "Unknown SSL Cipher" or similar.
To remedy the problem when self-signed certificates are being used, there are only three things you can do.
- Purchase a CA-signed certificate, or
- Import the self-signed certificate into your local ssl client's CA keystore, (like java's 'cacerts' file)
- Code an exception handler within your application that can handle the unknown CA warning (which can be hard depending on your choice of development language and for web services in particular, you might actually want the exception to occur for security reasons.)
