"Kenneth Westelinck" <kennywest1@(protected)
news:BAY1-F73LdCtAklzz8300013bfe@(protected)...
> Hi all,
>
> I've been searching the internet for 2 days now and still haven't found a
> solution for my problem. I am trying to set up a Tomcat 4 server running in
> HTTPS mode, contacted by a client written in Java. The client is using
> HTTPClient from apache. I have done everything the document at
> http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html describes.
> If I disable client authentication in the tomcat config, the client is able
> to communicate with the server. If I enable the authentication the client
> aborts with the following exception:
>
> java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
>     at java.net.SocketInputStream.socketRead0(Native Method)
> ...
>
> I enabled all possible debugging on the Tomcat server and this is part of
> what I found in the console:
> Thread-10, WRITE: SSL v3.1 Handshake, length = 625
> Thread-10, READ: SSL v3.1 Handshake, length = 141
> *** Certificate chain
> ***
> Thread-10, SEND SSL v3.1 ALERT: fatal, description = bad_certificate
> Thread-10, WRITE: SSL v3.1 Alert, length = 2
>
> The client's certificate cannot be bad. It was signed with the server's key
> and it's in the server's keystore.
>
Client cert verification is done against the TrustStore, not the KeyStore.
Tomcat 5 has some improvements for this. Tomcat 4 is still a bit limited.
> I have no idea what is going wrong. Can someone tell me how to make this
> work?
>
Assuming that you don't want to just import the signing cert into cacerts
(see the JSSE docs for how to do this), then you need to have something
like:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/my/truststore -Djavax.net.ssl.trustStorePassword=myTrustStorePassword"
At the moment, your TrustStore file has to be in the same format as your
KeyStore file (a nasty limitation that I haven't gotten around to fixing :).
> MTIA
>
> regards,
>
> Kenneth
>
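
To see which issuers a given truststore accepts and whether a client certificate validates against it, the following is an added Java diagnostic, not part of the original message and not Tomcat code. It uses the standard JSSE trust manager API; the class name TrustStoreCheck and its command-line arguments are assumptions, and it expects your own truststore file and an exported client certificate (PEM or DER) on a current JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic; TrustStoreCheck is a hypothetical name, not Tomcat code.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <truststore> <password> <client-cert> [storetype]");
            System.exit(2);
        }
        String type = args.length > 3 ? args[3] : KeyStore.getDefaultType();
        // Load the file that -Djavax.net.ssl.trustStore points at.
        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }

        // Read the client's certificate (PEM or DER encoded X.509).
        X509Certificate clientCert;
        try (InputStream in = new FileInputStream(args[2])) {
            clientCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Client cert issuer: " + clientCert.getIssuerX500Principal());

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            X509TrustManager x509 = (X509TrustManager) tm;
            // The CA certificates this truststore accepts as issuers.
            for (X509Certificate ca : x509.getAcceptedIssuers()) {
                System.out.println("Trusted issuer:     " + ca.getSubjectX500Principal());
            }
            try {
                x509.checkClientTrusted(new X509Certificate[] { clientCert }, clientCert.getPublicKey().getAlgorithm());
                System.out.println("OK: certificate chains to a trusted issuer");
            } catch (CertificateException e) {
                System.out.println("REJECTED: " + e.getMessage());
            }
        }
    }
}
```

If the client certificate's issuer does not appear among the trusted issuers printed, the signing certificate has not been imported into that truststore as a trusted entry.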