tomcat-users mailing list archives

From "Darren Marvin" <...@it-innovation.soton.ac.uk>
Subject Can't get SSL client certificate but can get cipher suite and key size??
Date Sun, 20 Jul 2003 12:04:31 GMT
Hi all,

I am using Apache 1.3.27, Tomcat 4.1.24 and mod_jk. Normal connections seem to work well over
HTTP and HTTPS, but I want to get the client X509 certificate from Apache. I have read the
documentation that comes with the connector package and applied the suggestions.

I also have a test servlet (distributed on this mailing list a while ago) that tries to read
the X509, cipher suite and key size. The test servlet correctly obtains the cipher suite and
key size but cannot obtain the client certificate. Catalina.out shows the following error:

Starting service Tomcat-Standalone
Apache Tomcat/4.1.24
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
[INFO] ChannelSocket - -JK2: ajp13 listening on 0.0.0.0/0.0.0.0:8009
[INFO] JkMain - -Jk running ID=0 time=1/131  config=/usr/local/apache.org/jakarta/tomcat/jakarta-tomcat-4.1.24/conf/jk2.properties
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:147)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:84)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:281)
        at org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
        at org.apache.coyote.Response.action(Response.java:222)
        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
        at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
        at java.lang.Thread.run(Thread.java:479)
[ERROR] JkCoyoteHandler - -Certificate convertion failed <java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data>


I haven't changed anything in the default server.xml file for Tomcat 4.1.24 - should I?

I am using virtual hosts in my httpd.conf.

Outside virtual hosts I have:

...

JkWorkersFile /usr/local/apache/conf/workers.properties
JkLogFile /usr/local/apache/logs/mod_jk.log
JkLogLevel debug
JkExtractSSL On
JkOptions +ForwardKeySize +ForwardURICompat +ForwardDirectories  

...

Inside my virtual host declaration I have:
...
SSLOptions +StdEnvVars +ExportCertData
JkOptions +ForwardKeySize +ForwardURICompat +ForwardDirectories
JkMount /examples/* ajp13
JkExtractSSL On
...



I am unsure if I also need the declaration:

JkEnvVar SSL_CLIENT_CERT "<UNSET>"

Here is my workers.properties file in case that is useful:

# Define 1 real worker using ajp13
worker.list=ajp13

# Set properties for worker1 (ajp13)
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009

Thanks in advance.

Darren.
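
A diagnostic servlet of the kind the message describes, reading the three standard Servlet API request attributes for the client certificate, cipher suite and key size. This is an added example, not the test servlet from the list or the poster's code; the class name SslInfoServlet is an assumption.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet; the class name is an assumption, not from the post.
public class SslInfoServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Standard Servlet-spec attribute names. Behind mod_jk these values are
        // whatever the front-end web server forwarded over AJP.
        Object suite = req.getAttribute("javax.servlet.request.cipher_suite");
        Object keySize = req.getAttribute("javax.servlet.request.key_size");
        Object certs = req.getAttribute("javax.servlet.request.X509Certificate");

        out.println("secure:       " + req.isSecure());
        out.println("cipher suite: " + suite);
        out.println("key size:     " + keySize);

        // The certificate attribute is absent when no certificate reached the
        // container or when the forwarded data could not be parsed.
        if (!(certs instanceof X509Certificate[])) {
            String kind = (certs == null) ? "null" : certs.getClass().getName();
            out.println("client cert:  not available (attribute is " + kind + ")");
            return;
        }

        X509Certificate[] chain = (X509Certificate[]) certs;
        if (chain.length == 0) {
            out.println("client cert:  empty chain");
            return;
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            out.println("cert[" + i + "] subject:   " + c.getSubjectDN().getName());
            out.println("cert[" + i + "] issuer:    " + c.getIssuerDN().getName());
            out.println("cert[" + i + "] serial:    " + c.getSerialNumber().toString(16));
            out.println("cert[" + i + "] not after: " + c.getNotAfter());
        }
    }
}
```

The servlet reports the "not available" branch separately from the cipher suite and key size, so a request where only the certificate is missing is visible in one response.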
