tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: Tomcat 4 + ssl + client authentication
Date Fri, 10 Oct 2003 04:13:33 GMT

"Kenneth Westelinck" <> wrote in message
> Hi all,
> I've been searching the internet for 2 days now and still haven't found a
> solution for my problem. I am trying to set up a Tomcat 4 server running
> HTTPS mode, contacted by a client written in Java. The client is using
> HTTPClient from apache. I have done everything the document at
> describes.
> If I disable client authentication in the tomcat config, the client is
> able to communicate with the server. If I enable the authentication the client
> aborts with the following exception:
> Software caused connection abort: JVM_recv in
> socket input stream read
> at Method)
> ...
> I enabled all possible debugging on the Tomcat server and this is part of
> what I found in the console:
> Thread-10, WRITE:  SSL v3.1 Handshake, length = 625
> Thread-10, READ:  SSL v3.1 Handshake, length = 141
> *** Certificate chain
> ***
> Thread-10, SEND SSL v3.1 ALERT:  fatal, description = bad_certificate
> Thread-10, WRITE:  SSL v3.1 Alert, length = 2
> The client's certificate cannot be bad. It was signed with the server's
> and it's in the server's keystore.

Client cert verification is done against the TrustStore, not the KeyStore.
Tomcat 5 has some improvements for this.  Tomcat 4 is still a bit limited.

> I have no idea what is going wrong. Can someone tell me how to make this
> work?

Assuming that you don't want to just import the signing cert into cacerts
(see the JSSE docs for how to do this), then you need to have something


At the moment, your TrustStore file has to be in the same format as your
KeyStore file (a nasty limitation that I haven't gotten around to fixing :).

> regards,
> Kenneth
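
Added example (not part of the original message and not Tomcat code): a small JSSE diagnostic that runs a client certificate chain through the default trust manager built from a given truststore file, which is the check behind the bad_certificate alert in the debug output above. The class name CheckClientTrust is hypothetical; the code assumes the truststore is in the JVM's default keystore type and that the PEM file lists the client certificate first.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added diagnostic; CheckClientTrust is a hypothetical name, not Tomcat code.
// Usage: java CheckClientTrust <truststore-file> <client-chain.pem>
public class CheckClientTrust {

    // Returns null when the chain is accepted, otherwise the rejection reason.
    static String check(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // trust anchors are taken from this store only
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                // authType for a client chain is the leaf key algorithm, e.g. "RSA"
                ((X509TrustManager) tm).checkClientTrusted(
                    chain, chain[0].getPublicKey().getAlgorithm());
                return null;
            } catch (CertificateException e) {
                return e.getMessage();
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console(); // prompt keeps the password off the command line
        if (args.length != 2 || console == null)
            throw new IllegalArgumentException("usage: CheckClientTrust <truststore> <chain.pem>");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, console.readPassword("Truststore password: "));
        }
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[1])) {
            chain = CertificateFactory.getInstance("X.509")
                .generateCertificates(in).toArray(new X509Certificate[0]);
        }
        if (ts.size() == 0 || chain.length == 0)
            throw new IllegalStateException("empty truststore or no certificate in PEM file");
        String reason = check(ts, chain);
        System.out.println(reason == null ? "TRUSTED" : "REJECTED: " + reason);
    }
}
```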