tomcat-users mailing list archives

From "Peter Werno" <pe...@werno.com>
Subject Re: AW: Tomcat 4 - OpenSSL - IE client certificate works partially
Date Mon, 01 Jul 2002 15:22:44 GMT
Hello,

this pretty much sounds like the same problem I was experiencing and 
posted earlier today. Sadly, your link below only gives hints on how 
to install a SERVER certificate, but not on how to configure everything 
to ask for a CLIENT cert. I have exactly the same problem where the 
initial handshake with the exchange of the SERVER cert is just fine, 
but then the connection breaks leaving you with absolutely NO 
LOG-entry as to why it broke ....

So far, I was only able to get an error-message out of Netscape (6.x) 
saying "unknown SSL Error -12227"

Would it make sense to post this on the tomcat-development-list?

Regards,
Peter Werno


On Mon, 1 Jul 2002 16:50:21 +0200
  "Power-Netz (Schwarz)" <schwarz@power-netz.de> wrote:
> 
> This is the answer:
> 
> http://www.comu.de/docs/tomcat_ssl.htm
> 
> 
> and it's really easy.
> 
> 
> > -----Original Message-----
> > From: Henrik Schultz [mailto:hsz@maerskdata.dk]
> > Sent: Monday, 1 July 2002 16:43
> > To: tomcat-user
> > Subject: Tomcat 4 - OpenSSL - IE client certificate works partially
> >
> > Greetings all...
> >
> > For those not interested in client certificates at the deep technical
> > level, this is probably not your favorite cup of tea. Otherwise read on.
> >
> > Enabling SSL in Tomcat is really no sweat using your own home-made
> > certificates, thanks to the excellent HOW-TO. Once you get your root CA
> > certificate installed in the right places, and a suitable certificate
> > installed in Tomcat, everything works just fine.
> >
> > However, creating client certificates that work with IE has (at least for
> > me) shown to be a real pain. I've experimented for months, and tried
> > numerous postings on this list, but no one seemed to know the finer
> > details. It was only recently I had a breakthrough, in that a trial
> > certificate from Verisign allowed me to compare that and a home-made one,
> > and find the bits that make the difference, that is, what it takes for it
> > to be shown on the selection list in IE when the server asks for a client
> > certificate. Last night I succeeded. The right combination of keytool and
> > openssl manoeuvres to set up a private CA finally generated a certificate
> > that installed without a hitch in IE, and came up when I subsequently
> > connected to my SSL-enabled Tomcat. So far so good.
> >
> > However there is still one major obstacle ... the server aborts the
> > connection right away :-((((
> >
> > IE tells me:
> >
> > "The page cannot be displayed
> > The page you are looking for is currently unavailable.
> > The Web site might be experiencing technical difficulties,
> > or you may need to adjust your browser settings."
> >
> > In other words, the usual message that indicates that the server screwed
> > up and closed the connection.
> >
> > Interestingly enough, the Verisign certificate works just fine. So there
> > is apparently still a difference to Tomcat.
> > Have tried to connect using openssl s_client - works A-OK, also with my
> > home-made certificate.
> > Have looked in the Tomcat logs to no avail. There is no trace anywhere
> > of why the connection breaks.
> >
> > So the question to the list is: how would I go about diagnosing this? I
> > believe that the problem must be related to the SSL container (?) that
> > responds to the traffic on port 443 and does all the SSL handshaking,
> > because my application never sees anything.
> > Just like in Apache there's an error log for all the pages that fail -
> > isn't there such a log in Tomcat?
> >
> > Thanks for any input or advice you might have!
> >
> > PS. If anyone is interested in a writeup or HOW-TO of making client
> > certificates for Tomcat, let me know. This is certainly tricky stuff!
> >
> > Henrik Schultz
> > Senior Systems Architect
> > Consultant to Maersk Data AS
> > Tel.: +45 39 10 21 13
> > Mobile: +45 22 12 24 29
> > E-mail: hsz@maerskdata.dk
> >
> >
> > --
> > To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> 
> 


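Henrik's question in the quoted message, how to diagnose a connection the server drops during the SSL handshake when neither the application nor the Tomcat logs record anything, can be narrowed down offline. The program below is an added example, not code from this thread, from Tomcat or from the linked HOW-TO. It repeats outside the server the checks a JSSE-based server applies to a presented client certificate (validity period, keyUsage and extendedKeyUsage, and PKIX path building to a CA in the truststore), so a certificate that would be refused during the handshake is caught before any servlet is involved. The class name, the PEM and keystore file names and the password on the command line are placeholders for this example. A certificate that passes here but is still rejected by the server points at the server configuration (for instance which truststore the connector actually loads) rather than at the certificate itself; on that side, starting the JVM with -Djavax.net.debug=ssl,handshake makes JSSE print the handshake messages and alerts that Tomcat's own logs omit.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

/**
 * Offline pre-check of a client certificate against a server truststore.
 * Added example, not Tomcat or JSSE code. Usage (placeholder file names):
 *   java ClientCertCheck client-chain.pem truststore.jks changeit
 * client-chain.pem holds the client certificate first, followed by any
 * intermediate CA certificates, all in PEM form.
 */
public class ClientCertCheck {

    /** id-kp-clientAuth (RFC 5280, section 4.2.1.12). */
    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    /** anyExtendedKeyUsage, which also permits client authentication. */
    static final String ANY_EKU = "2.5.29.37.0";

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ClientCertCheck <client-chain.pem> <truststore.jks> <storepass>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        X509Certificate client = chain.get(0);
        boolean ok = checkValidity(client);
        ok &= checkUsage(client);
        ok &= checkPath(chain, trust);
        System.out.println(ok ? "certificate passes the server-side checks"
                              : "certificate would be rejected during the handshake");
        System.exit(ok ? 0 : 1);
    }

    /** Expired or not-yet-valid certificates are rejected by every TLS stack. */
    static boolean checkValidity(X509Certificate cert) {
        try {
            cert.checkValidity();
            return true;
        } catch (CertificateException e) {
            System.out.println("validity: " + e.getMessage());
            return false;
        }
    }

    /**
     * Client authentication signs the CertificateVerify message, so a present
     * keyUsage extension must include digitalSignature (bit 0), and a present
     * extendedKeyUsage extension must allow clientAuth.
     */
    static boolean checkUsage(X509Certificate cert) throws Exception {
        boolean ok = true;
        boolean[] ku = cert.getKeyUsage();             // null when the extension is absent
        if (ku != null && !ku[0]) {
            System.out.println("keyUsage: digitalSignature bit not set");
            ok = false;
        }
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        if (eku != null && !eku.contains(CLIENT_AUTH) && !eku.contains(ANY_EKU)) {
            System.out.println("extendedKeyUsage: clientAuth not permitted: " + eku);
            ok = false;
        }
        return ok;
    }

    /**
     * Builds a PKIX path from the client certificate to a CA in the truststore,
     * using any intermediates shipped in the PEM file. This is the step that
     * fails when the issuing CA's certificate is not among the trusted entries
     * of the truststore the server was configured with.
     */
    static boolean checkPath(List<X509Certificate> chain, KeyStore trust) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false);   // CRL/OCSP checking is out of scope here
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain.subList(1, chain.size()))));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("chain ends at trusted CA: "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathBuilderException e) {
            System.out.println("path building failed: " + e.getMessage());
            return false;
        }
    }
}
```

The path check uses CertPathBuilder rather than a plain issuer-name comparison because that is what the server does: a CA certificate whose subject matches the client certificate's issuer but whose key differs (for example a regenerated private CA) still fails to build a path, and that difference does not show up in a name comparison. The check deliberately stops short of revocation so that a result depends only on the certificate file and the truststore.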

