tomcat-dev mailing list archives

From jean-frederic clere <jfrederic.cl...@fujitsu-siemens.com>
Subject Re: HTTP and client certificates
Date Wed, 17 Oct 2001 07:41:32 GMT
Stefan Wengi wrote:
> 
> Hi,
> 
> some people on the user mailing list reported problems getting HTTPS with
> client authentication to work (setting the "clientAuth" property to "true").
> It seems like the Tomcat SSL server factory ignores the CA certificates
> that are stored in the keystore and only sends the Thawte and Verisign
> CA info to the client. If you have certificates signed by another CA it
> won't work because the browser (at least Netscape 4.7x) looks for a user
> certificate signed by a CA known to the server.

Sounds strange, I was really thinking it was working (I tested it with my own
CA-signed CC). Now, as I also have a Thawte certificate, I cannot use other
ones...

But openssl s_client reports:
+++
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Premium Server CA/Email=premium-server@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services
Division/CN=Thawte Personal Freemail CA/Email=personal-freemail@thawte.com
/C=ES/ST=Catalunya/L=Barcelona/O=FSC/OU=COM5/CN=jean-frederic
clere/Email=jfclere@apache.org (that's my CA!)
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
Services Division/CN=Thawte Server CA/Email=server-certs@thawte.com
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services
Division/CN=Thawte Personal Premium CA/Email=personal-premium@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services
Division/CN=Thawte Personal Basic CA/Email=personal-basic@thawte.com
+++

> 
> We patched the SSLServerSocketFactory class to retrieve additional CA
> certs via the TrustManagerFactory. The code already had some
> preparations for that although it was disabled.
> 
> How can we get the fix into the Tomcat 4 code?
> 
> cheers
> 
> Stefan

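As an added illustration (not code from this thread or from the Tomcat 4 source), this is how a server socket factory can hand the keystore's trusted CA entries to JSSE through a TrustManagerFactory, written against the present-day javax.net.ssl API, plus a check that lists the issuers the server will advertise in its certificate request. The class name, method names and the keystore path and password arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ClientAuthFactory {   // hypothetical name, not a Tomcat class

    public static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Trust managers built from the trusted-certificate entries in the keystore itself.
    public static TrustManager[] trustManagersFrom(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // Subject DNs the server will send as acceptable client-certificate issuers; this is
    // the list openssl s_client prints under "Acceptable client certificate CA names".
    public static List<String> acceptedIssuers(TrustManager[] tms) {
        List<String> names = new ArrayList<>();
        for (TrustManager tm : tms) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                names.add(ca.getSubjectX500Principal().getName());
            }
        }
        return names;
    }

    public static SSLServerSocket createServerSocket(String ksPath, char[] pw, int port) throws Exception {
        KeyStore ks = loadKeyStore(ksPath, pw);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Passing null as the trust-manager argument makes JSSE fall back to the JRE default
        // trust store, which matches the symptom above: only the bundled CAs get advertised.
        ctx.init(kmf.getKeyManagers(), trustManagersFrom(ks), null);
        SSLServerSocket s = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        s.setNeedClientAuth(true);   // the effect of clientAuth="true"
        return s;
    }
}
```

Running acceptedIssuers(trustManagersFrom(loadKeyStore(...))) against the server's keystore before deploying shows whether your own CA is in the advertised list; if it is missing there, the browser will never be asked for a certificate it can satisfy.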