tomcat-dev mailing list archives

From Marcus Better <>
Subject JDK 1.4 beta breaks TLS re-negotiation?
Date Mon, 21 Jan 2002 23:51:04 GMT


I have tried to use TLS/SSL client authentication in Tomcat 4.0.1 and
JDK 1.4 beta3, and think that something changed in the JDK that breaks
renegotiation.  It seems to work correctly with JDK 1.3.1.

I have an SSL connector with clientAuth="false" in server.xml, and
have set up web.xml to require authentication with the CLIENT-CERT
method.  This means that the SSL connection has to be renegotiated
when a particular URL is requested.  My log file then says:

2002-01-07 12:08:17 CertificatesValve[/myapp]:  verify: SSLPeerUnverifiedException
2002-01-07 12:08:17 CertificatesValve[/myapp]:  verify: SSLPeerUnverifiedException

I get two lines like this every time the servlet is invoked.

I can see that these messages are generated by the CertificatesValve.
The first one is generated when it checks for client certificates when
there are none (the connector had clientAuth="false").  It then
initiates a new handshake:

        // Force a new handshake to request the client certificates
        //        if (debug >= 2)
        //            log(" verify: Invalidating current session");
        //        if (debug >= 2)
        //            log(" verify: Forcing new SSL handshake");
        try {
        } catch (IOException e) {
            log(" verify: ", e);

        // Revalidate the existence of the required certificates

It then goes on to check for client certificates again, doesn't find
any, and writes the second error message.

Testing with OpenSSL s_client, I can see that the handshake doesn't
actually take place until after the servlet exits (complaining that
the client certs are missing).  

This is different from the behaviour under JDK 1.3.1, when a new SSL
handshake takes place directly after the URL is requested, and the
servlet is called in the proper way.

I noted that the code above does not use a HandshakeCompletedListener
to wait for the HandshakeCompletedEvent, but just goes on with
checking if the handshake completed immediately.  My guess is that the
behaviour of JSSE changed in JDK 1.4 beta, so that this no longer
works.  It might be necessary to wait for the event before checking
the client certificates again.

I would really like to use other functionality from JDK 1.4 in my
application, so any ideas on a workaround would be appreciated.
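
One way to do what the message suggests, waiting for the HandshakeCompletedEvent before reading the client certificates (an added example, not part of the original message and not Tomcat's code). The class and method names are hypothetical, and the one-second polling read is an assumption about how to let JSSE process the client's handshake records.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.SocketTimeoutException;
import java.security.cert.Certificate;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper, not Tomcat code: renegotiate, then wait for the handshake event. */
public final class ClientCertRenegotiation {

    /** Returns the client chain, or throws if no completed handshake supplied one. */
    public static Certificate[] requestClientCerts(SSLSocket socket, int maxSeconds)
            throws IOException {
        AtomicBoolean completed = new AtomicBoolean(false);
        HandshakeCompletedListener listener = event -> completed.set(true);
        socket.addHandshakeCompletedListener(listener);
        int oldTimeout = socket.getSoTimeout();
        try {
            socket.getSession().invalidate(); // session negotiated without a client cert
            socket.setNeedClientAuth(true);   // next handshake must request one
            socket.startHandshake();          // on a live connection this may return early
            socket.setSoTimeout(1000);        // poll in one-second slices
            InputStream in = socket.getInputStream();
            byte[] buf = new byte[1];
            for (int i = 0; i < maxSeconds && !completed.get(); i++) {
                try {
                    // Reading lets JSSE consume the client's handshake records.
                    int n = in.read(buf);
                    if (n != 0) {
                        throw new SSLException(n < 0 ? "peer closed during renegotiation"
                                                     : "application data during renegotiation");
                    }
                } catch (SocketTimeoutException e) {
                    // nothing arrived in this slice; check the flag and retry
                }
            }
            if (!completed.get()) {
                throw new SSLException("client-certificate handshake did not complete");
            }
            // Safe to inspect the peer now; throws SSLPeerUnverifiedException if no cert was sent.
            return socket.getSession().getPeerCertificates();
        } finally {
            socket.setSoTimeout(oldTimeout);
            socket.removeHandshakeCompletedListener(listener);
        }
    }
}
```

The access decision is taken only after the listener has fired, so a request is never authorized against the earlier, certificate-less session. This applies to TLS 1.2 and earlier; TLS 1.3 has no renegotiation.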


