hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Problem with SSL client certificates
Date Thu, 04 Nov 2004 08:49:26 GMT
Dave,
Strictly speaking this problem has nothing to do with HttpClient. I
believe none of us here qualifies as an SSL expert either. We know quite
a bit about JSSE, but I doubt any of us could troubleshoot low level SSL
protocol problems. 

(1) What kind of web server/SSL library does your customer use? Is it
OpenSSL based? 

(2) What JRE version / JSSE version does your customer use? Is it at the
latest service level?  

The quality of SSL protocol implementation varies between JSSE releases.
We have had issues with earlier releases of Sun's JSSE as well as IBM
JSSE.  

Oleg

On Wed, Nov 03, 2004 at 11:16:58AM -0500, Dave Seidel wrote:
> Hi,
>  
> We're using HttpClient 2.0 with AuthSSLProtocolSocketFactory.  Following the
> way that class is documented, we have a keystore and a truststore, and we
> instruct our users to add their client cert to the keystore and the server's
> CA cert to the truststore.  In our testing here, where the server is
> Apache/mod_ssl, this works fine, meaning that our client and the server
> mutually authenticate.
>  
> However, we have a customer who is unable to get this to work; he always
> gets a 403 response from the server.  I've been able to get him to create
> Ethereal traces, and in the part of the conversation where the client issues
> the Certificate message, the certificate data is not actually present in the
> packet.  Looking at the Ethereal trace, I see a sequence like so:
>  
> (TCP/IP handshake...)
> client: Client Hello
> server: Server Hello, Certificate, Certificate Request, Server Hello Done
> client: Certificate[1], Client Key Exchange
> client: Change Cipher Spec
> client: Certificate[2]
> server: Change Cipher Spec, Client Key Exchange
> (encrypted data, consisting of an HTTP 403 error)
>  
> [1] This one is empty, i.e., certificate length = 0
> [2] This one looks bogus: Ethereal says that the certificate length is
> 14732467, but the total length of the TLS record in the packet is 37 bytes.
>  
> I am no SSL expert, so if anyone can provide any hint on what might be the
> problem, I would really appreciate it.
>  
> - Dave
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org

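The trace quoted above is worth checking mechanically rather than by eye. Two things a reader should know about it: a Certificate message whose list length is 0 means the client answered the server's Certificate Request with no certificate at all (JSSE does this when its key manager finds no entry matching the CAs named in that request), which is exactly what earns a 403 from a mod_ssl server that requires a client certificate; and every record after the client's Change Cipher Spec is encrypted, so the second "Certificate" with a 14-megabyte length inside a 37-byte record is just the encrypted Finished message being dissected as plaintext, not a second defect. The following is an added example written for this page, not code from the thread or from HttpClient: a small TLS 1.0 record walker that flags an empty client Certificate and refuses to dissect post-ChangeCipherSpec records as plaintext, run over a constructed client flight whose byte values are chosen to reproduce the figures in the trace (0 certificates, a 37-byte final record that a naive dissector reads as Certificate with length 14732467). The sample bytes, the dummy certificate and the premaster stand-in are all constructed, not taken from the real capture.

```python
"""Walk a TLS 1.0 client handshake flight and report what the records contain."""
import struct

# Content types and handshake message types from RFC 2246 (TLS 1.0).
CT_CHANGE_CIPHER_SPEC = 20
CT_HANDSHAKE = 22
HS_CERTIFICATE = 11
HS_CLIENT_KEY_EXCHANGE = 16
HS_NAMES = {11: "Certificate", 16: "ClientKeyExchange", 20: "Finished"}


def split_records(data):
    """Split raw bytes into TLS records as [(content_type, body), ...]."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("record at offset %d declares %d bytes, %d present" % (off, length, len(body)))
        records.append((ctype, body))
        off += 5 + length
    return records


def split_handshake(body):
    """Split a plaintext handshake record body into [(msg_type, payload), ...]."""
    msgs, off = [], 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated handshake header at offset %d" % off)
        mtype = body[off]
        mlen = int.from_bytes(body[off + 1:off + 4], "big")
        payload = body[off + 4:off + 4 + mlen]
        if len(payload) != mlen:
            raise ValueError("handshake message declares %d bytes, record holds %d" % (mlen, len(body) - off - 4))
        msgs.append((mtype, payload))
        off += 4 + mlen
    return msgs


def certificate_count(payload):
    """Number of certificates in a Certificate message payload; 0 means an empty list."""
    if len(payload) < 3:
        raise ValueError("Certificate message shorter than its 3-byte list length")
    total = int.from_bytes(payload[:3], "big")
    if total != len(payload) - 3:
        raise ValueError("certificate list length %d does not match payload %d" % (total, len(payload) - 3))
    count, off = 0, 3
    while off < 3 + total:
        clen = int.from_bytes(payload[off:off + 3], "big")
        if clen == 0 or off + 3 + clen > 3 + total:
            raise ValueError("bad certificate entry length %d at offset %d" % (clen, off))
        count += 1
        off += 3 + clen
    return count


def audit_client_flight(data):
    """Return one finding string per handshake message / record in the client flight.

    Everything after ChangeCipherSpec is encrypted (RFC 2246 section 7.1), so a
    handshake record seen after it is reported as ciphertext together with the
    nonsense a plaintext dissector would read from it, instead of being parsed.
    """
    findings, encrypted = [], False
    for idx, (ctype, body) in enumerate(split_records(data)):
        if ctype == CT_CHANGE_CIPHER_SPEC:
            encrypted = True
            findings.append("record %d: ChangeCipherSpec; following records are encrypted" % idx)
        elif ctype == CT_HANDSHAKE and encrypted:
            bogus_len = int.from_bytes(body[1:4], "big")
            findings.append("record %d: encrypted handshake record (%d bytes body); a plaintext dissector "
                            "would read type %d with length %d, which is meaningless" % (idx, len(body), body[0], bogus_len))
        elif ctype == CT_HANDSHAKE:
            for mtype, payload in split_handshake(body):
                if mtype == HS_CERTIFICATE:
                    n = certificate_count(payload)
                    note = "; client sent NO certificate" if n == 0 else ""
                    findings.append("record %d: Certificate with %d certificate(s)%s" % (idx, n, note))
                else:
                    findings.append("record %d: %s" % (idx, HS_NAMES.get(mtype, "handshake type %d" % mtype)))
        else:
            findings.append("record %d: content type %d" % (idx, ctype))
    return findings


def tls_record(ctype, body):
    """Wrap body in a TLS 1.0 (version 3.1) record header."""
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body


def handshake_msg(mtype, payload):
    """Prefix payload with a 4-byte handshake header."""
    return bytes([mtype]) + len(payload).to_bytes(3, "big") + payload


# Constructed client flight mirroring the thread's trace (not the real capture).
EMPTY_CERT = handshake_msg(HS_CERTIFICATE, b"\x00\x00\x00")                      # certificate_list length 0
CKE = handshake_msg(HS_CLIENT_KEY_EXCHANGE, b"\x00\x20" + b"\x11" * 32)         # stand-in for the encrypted premaster
FINISHED_CIPHERTEXT = b"\x0b\xe0\xcc\xb3" + b"\x5a" * 28                          # opaque ciphertext; leading bytes decode as type 11, length 14732467
SAMPLE_FLIGHT = (tls_record(CT_HANDSHAKE, EMPTY_CERT + CKE)
                 + tls_record(CT_CHANGE_CIPHER_SPEC, b"\x01")
                 + tls_record(CT_HANDSHAKE, FINISHED_CIPHERTEXT))              # last record is 37 bytes on the wire

# For comparison: a Certificate message carrying one (dummy, 4-byte) certificate.
ONE_CERT = handshake_msg(HS_CERTIFICATE, b"\x00\x00\x07" + b"\x00\x00\x04" + b"\x30\x82\x01\x00")

if __name__ == "__main__":
    for line in audit_client_flight(SAMPLE_FLIGHT):
        print(line)
```

Run it and the first finding names the actual defect (the empty Certificate list); the last shows the same absurd length Ethereal reported, attributed to ciphertext rather than to a corrupted certificate. On a real capture, feed only the client-to-server TCP payload (after the Client Hello) into `audit_client_flight`.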
