tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Can't get SSL client certificate but can get cipher suite and key size??
Date Mon, 21 Jul 2003 05:06:18 GMT
It's a well-known bug in TC 4.1.18-4.1.24.  See
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15790 for more details.
The 4.1.26 release should be coming out later this month with a fix for
this.

"Darren Marvin" <djm@it-innovation.soton.ac.uk> wrote in message
news:0016E6145796E14680B831BB76A2129E0141A561@mailserver.it-innovation.soton.ac.uk...
Hi all,

I am using Apache 1.3.27, Tomcat 4.1.24 and mod_jk. Normal connection seems
to work well over HTTP and HTTPS but I want to get the client X509
certificate from Apache. I have read the documentation that comes with the
connector package and applied the suggestions.

I also have a test servlet (distributed on this mailing list a while ago)
that tries to read the X509, cipher suite and key size. The test servlet
correctly obtains the cipher suite and key size but cannot obtain the client
certificate. Catalina.out shows the following error:

Starting service Tomcat-Standalone
Apache Tomcat/4.1.24
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
[INFO] ChannelSocket - -JK2: ajp13 listening on 0.0.0.0/0.0.0.0:8009
[INFO] JkMain - -Jk running ID=0 time=1/131 config=/usr/local/apache.org/jakarta/tomcat/jakarta-tomcat-4.1.24/conf/jk2.properties
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:147)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:84)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:281)
        at org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
        at org.apache.coyote.Response.action(Response.java:222)
        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
        at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
        at java.lang.Thread.run(Thread.java:479)
[ERROR] JkCoyoteHandler - -Certificate convertion failed <java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data>


I haven't changed anything in the default server.xml file for tomcat
4.1.24 - should I?

I am using virtual hosts in my httpd.conf

Outside virtual hosts I have:

...

JkWorkersFile /usr/local/apache/conf/workers.properties
JkLogFile /usr/local/apache/logs/mod_jk.log
JkLogLevel debug
JkExtractSSL On
JkOptions +ForwardKeySize +ForwardURICompat +ForwardDirectories

...

Inside my virtual host declaration I have:
...
SSLOptions +StdEnvVars +ExportCertData
JkOptions +ForwardKeySize +ForwardURICompat +ForwardDirectories
JkMount /examples/* ajp13
JkExtractSSL On
...
I am unsure if I also need the declaration:

JkEnvVar SSL_CLIENT_CERT "<UNSET>"

Here is my workers.properties file in case that is useful:

# Define 1 real worker using ajp13
worker.list=ajp13

# Set properties for worker1 (ajp13)
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009

Thanks in advance.

Darren.
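For readers following this thread, here is an added diagnostic servlet that is not the test servlet Darren mentions and not Tomcat or mod_jk code. It reads the three SSL request attributes the Servlet 2.3 specification defines (certificate chain, cipher suite, key size), which is what Tomcat populates from the values mod_jk forwards when JkExtractSSL, +ExportCertData and +ForwardKeySize are in effect. The point it adds to the thread is the failure mode: when the cipher suite and key size arrive but the certificate does not (the symptom above), the servlet logs it and refuses the request rather than continuing as if the caller were authenticated. The class name SslInfoServlet and the output layout are assumptions; the attribute names are the standard ones.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical diagnostic servlet (added example, not the one posted to the
 * list). Reports the SSL attributes a Tomcat 4 / Servlet 2.3 container exposes
 * for an HTTPS request proxied through mod_jk, and fails closed when the
 * client certificate chain is absent.
 */
public class SslInfoServlet extends HttpServlet {

    // Attribute names defined by the Servlet specification. Tomcat fills them
    // from what mod_jk forwards: the chain needs +ExportCertData / JkExtractSSL,
    // the key size needs +ForwardKeySize.
    static final String ATTR_CERT   = "javax.servlet.request.X509Certificate";
    static final String ATTR_CIPHER = "javax.servlet.request.cipher_suite";
    static final String ATTR_KEYSZ  = "javax.servlet.request.key_size";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Over ajp13 isSecure() reflects what Apache reported, so a plain HTTP
        // request never reaches the certificate logic at all.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        String cipher = (String) req.getAttribute(ATTR_CIPHER);
        Object keySize = req.getAttribute(ATTR_KEYSZ);   // Integer in Tomcat; keep it generic
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(ATTR_CERT);

        // All decisions are taken before anything is written, so sendError()
        // is never called on a committed response.
        if (chain == null || chain.length == 0) {
            // Cipher and key size present but no certificate: the symptom in the
            // thread. Log it and refuse instead of treating the caller as known.
            log("client certificate missing; remote=" + req.getRemoteAddr()
                + " cipher=" + cipher + " keySize=" + keySize);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "client certificate required");
            return;
        }

        X509Certificate leaf = chain[0];   // chain[0] is the client's own certificate
        try {
            // Date check only; trust in the issuing CA was established by Apache
            // (SSLVerifyClient / SSLCACertificateFile) before the request was proxied.
            leaf.checkValidity();
        } catch (CertificateExpiredException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate expired");
            return;
        } catch (CertificateNotYetValidException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not yet valid");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("cipher suite : " + cipher);
        out.println("key size     : " + keySize);
        out.println("chain length : " + chain.length);
        out.println("subject      : " + leaf.getSubjectDN().getName());
        out.println("issuer       : " + leaf.getIssuerDN().getName());
        out.println("serial (hex) : " + leaf.getSerialNumber().toString(16));
        out.println("not before   : " + leaf.getNotBefore());
        out.println("not after    : " + leaf.getNotAfter());
    }
}
```

Map it under the JkMount prefix from the post (for example /examples/ssl-info) and call it once with and once without a client certificate: a 403 with "client certificate required" while the cipher suite still appears in the Tomcat log reproduces the state described above, and once the container fix Bill refers to is in place the same request should print the subject DN instead.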