Hello,

this pretty much sounds like the same problem I was experiencing and
posted earlier today. Sadly, your link below only gives hints on how
to install a SERVER certificate, but not on how to configure everything
to ask for a CLIENT cert. I have exactly the same problem where the
initial handshake with the exchange of the SERVER cert is just fine,
but then the connection breaks, leaving you with absolutely NO
log entry as to why it broke ...

So far, I was only able to get an error message out of Netscape (6.x)
saying "unknown SSL Error -12227".

Would it make sense to post this on the tomcat-development list?

Regards,
Peter Werno
On Mon, 1 Jul 2002 16:50:21 +0200
"Power-Netz (Schwarz)" <schwarz@power-netz.de> wrote:
>
> This is the answer:
>
> http://www.comu.de/docs/tomcat_ssl.htm
>
>
> and it's really easy.
>
>
> > -----Original Message-----
> > From: Henrik Schultz [mailto:hsz@maerskdata.dk]
> > Sent: Monday, 1 July 2002 16:43
> > To: tomcat-user
> > Subject: Tomcat 4 - OpenSSL - IE client certificate works partially
> >
> > Greetings all...
> >
> > For those not interested in client certificates at the deep technical
> > level, this is probably not your favorite cup of tea. Otherwise read on.
> >
> > Enabling SSL in Tomcat is really no sweat using your own home-made
> > certificates, thanks to the excellent HOW-TO. Once you get your root CA
> > certificate installed in the right places, and a suitable certificate
> > installed in Tomcat, everything works just fine.
> >
> > However, creating client certificates that work with IE has (at least for
> > me) shown to be a real pain. I've experimented for months, and tried
> > numerous postings on this list, but no one seemed to know the finer
> > details. It was only recently I had a breakthrough, in that a trial
> > certificate from Verisign allowed me to compare that and a home-made one,
> > and find the bits that make the difference, that is, what it takes for it
> > to be shown on the selection list in IE when the server asks for a client
> > certificate. Last night I succeeded. The right combination of keytool and
> > openssl manoeuvres to set up a private CA finally generated a certificate
> > that installed without a hitch in IE, and came up when I subsequently
> > connected to my SSL-enabled Tomcat. So far so good.
> >
> > However, there is still one major obstacle ... the server aborts the
> > connection right away :-((((
> >
> > IE tells me:
> >
> > "The page cannot be displayed
> > The page you are looking for is currently unavailable.
> > The Web site might be experiencing technical difficulties,
> > or you may need to adjust your browser settings."
> >
> > In other words, the usual message that indicates that the server screwed
> > up and closed the connection.
> >
> > Interestingly enough, the Verisign certificate works just fine. So there is
> > apparently still a difference to Tomcat.
> > Have tried to connect using openssl s_client - works A-OK, also with my
> > home-made certificate.
> > Have looked in the Tomcat logs to no avail. There is no trace anywhere of
> > why the connection breaks.
> >
> > So the question to the list is: how would I go about diagnosing this? I
> > believe that the problem must be related to the SSL container (?) that
> > responds to the traffic on port 443 and does all the SSL handshaking,
> > because my application never sees anything.
> > Just like in Apache there's an error log for all the pages that fail -
> > isn't there such a log in Tomcat?
> >
> > Thanks for any input or advice you might have!
> >
> > PS. If anyone is interested in a writeup or HOW-TO of making client
> > certificates for Tomcat, let me know. This is certainly tricky stuff!
> >
> > Henrik Schultz
> > Senior Systems Architect
> > Consultant to Maersk Data AS
> > Tel.: +45 39 10 21 13
> > Mobile: +45 22 12 24 29
> > E-mail: hsz@maerskdata.dk
> >
--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
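Henrik's `openssl s_client` check and Peter's point that the broken handshake leaves no log entry both come down to the same question: did the server actually send a certificate request, and which CAs did it name? The script below is an added example, not code from either poster or from Tomcat; it runs s_client with a client certificate and summarises that part of the transcript. The host, port and PEM file names are placeholders.

```shell
#!/bin/sh
# Added example: summarise an `openssl s_client` transcript to see whether the
# server asked for a client certificate at all, which CAs it will accept, and
# how certificate verification ended. Not code from the thread or from Tomcat.

# Reads an s_client transcript on stdin and prints three lines:
#   requested=yes|no   server sent a CertificateRequest (CA list or cert types seen)
#   cas=N              number of "Acceptable client certificate CA names" lines
#   verify=...         the "Verify return code" text, or n/a
# Caveat: "No client certificate CA names sent" alone is inconclusive, because
# s_client prints it both when no request was made and when the request carried
# an empty CA list, so it is deliberately not treated as a request.
summarize_handshake() {
    awk '
        /^Acceptable client certificate CA names/ { requested = 1; in_cas = 1; next }
        /^Client Certificate Types:/              { requested = 1; in_cas = 0; next }
        in_cas && /^(---|Requested Signature|Shared Requested|Peer sign|Server Temp Key|SSL handshake)/ { in_cas = 0 }
        in_cas { cas++ }
        /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); verify = $0 }
        END {
            printf "requested=%s\n", (requested ? "yes" : "no")
            printf "cas=%d\n", cas + 0
            printf "verify=%s\n", (verify == "" ? "n/a" : verify)
        }'
}

# Live probe. Host, port and the three PEM paths are placeholders to replace;
# the CA file should hold the private CA that signed the server certificate.
probe_client_auth() {
    host="$1"; port="$2"; cert="$3"; key="$4"; cafile="$5"
    openssl s_client -connect "$host:$port" -cert "$cert" -key "$key" \
        -CAfile "$cafile" </dev/null 2>&1 | summarize_handshake
}

# Example invocation (placeholders):
# probe_client_auth tomcat.example.test 443 client.pem client-key.pem private-ca.pem
```

If `requested=no`, the connector never asked for a client certificate, whatever the browser shows; if the CA that issued the client certificate is not among the names the server sends, the browser will not offer that certificate in its selection list.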