tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Tomcat 4 + ssl + client authentication
Date Fri, 10 Oct 2003 04:13:33 GMT

"Kenneth Westelinck" <kennywest1@hotmail.com> wrote in message
news:BAY1-F73LdCtAklzz8300013bfe@hotmail.com...
> Hi all,
>
> I've been searching the internet for 2 days now and still haven't found a
> solution for my problem. I am trying to set up a Tomcat 4 server running in
> HTTPS mode, contacted by a client written in Java. The client is using
> HTTPClient from apache. I have done everything the document at
> http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html describes.
> If I disable client authentication in the tomcat config, the client is able
> to communicate with the server. If I enable the authentication the client
> aborts with the following exception:
> java.net.SocketException: Software caused connection abort: JVM_recv in
> socket input stream read
> at java.net.SocketInputStream.socketRead0(Native Method)
> ...
>
> I enabled all possible debugging on the Tomcat server and this is part of
> what I found in the console:
> Thread-10, WRITE:  SSL v3.1 Handshake, length = 625
> Thread-10, READ:  SSL v3.1 Handshake, length = 141
> *** Certificate chain
> ***
> Thread-10, SEND SSL v3.1 ALERT:  fatal, description = bad_certificate
> Thread-10, WRITE:  SSL v3.1 Alert, length = 2
>
> The client's certificate cannot be bad. It was signed with the server's key
> and it's in the server's keystore.
>

Client cert verification is done against the TrustStore, not the KeyStore.
Tomcat 5 has some improvements for this.  Tomcat 4 is still a bit limited.

> I have no idea what is going wrong. Can someone tell me how to make this
> work?
>

Assuming that you don't want to just import the signing cert into cacerts
(see the JSSE docs for how to do this), then you need to have something
like:


CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/my/truststore -Djavax.net.ssl.trustStorePassword=myTrustStorePassword"

At the moment, your TrustStore file has to be in the same format as your
KeyStore file (a nasty limitation that I haven't gotten around to fixing :).


> MTIA
>
> regards,
>
> Kenneth
>




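The setup Bill's reply describes, as an added example that is not from either message or from the Tomcat project: export the public certificate of the key that signed the client certificates into a separate JKS truststore and hand it to Tomcat 4 through the javax.net.ssl.* system properties. All paths, aliases and passwords are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build a separate JKS truststore
# holding only the certificate that signed the client certificates, then pass
# it to Tomcat 4 via CATALINA_OPTS. Paths, aliases and passwords are placeholders.

SERVER_KEYSTORE="${SERVER_KEYSTORE:-/path/to/server.keystore}"
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-changeit}"     # Tomcat's default; assumed
SIGNER_ALIAS="${SIGNER_ALIAS:-tomcat}"                 # key that signed the client certs
TRUSTSTORE="${TRUSTSTORE:-/path/to/my/truststore}"
TRUSTSTORE_PASSWORD="${TRUSTSTORE_PASSWORD:-myTrustStorePassword}"

# Export only the public certificate of the signing key and import it as a
# trusted entry. The private key stays in the keystore, so the truststore holds
# no secrets. Both files are JKS, which satisfies the "same format" limitation.
build_truststore() {
    keytool -export -alias "$SIGNER_ALIAS" -keystore "$SERVER_KEYSTORE" \
        -storepass "$KEYSTORE_PASSWORD" -file signer.cer
    keytool -import -noprompt -alias clientsigner -file signer.cer \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASSWORD"
    rm -f signer.cer
}

# Confirm the truststore really contains a trusted certificate entry. If the
# issuer is missing, the server rejects the client certificate, which is the
# bad_certificate alert seen in the debug log above.
verify_truststore() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASSWORD" \
        | grep -q 'trustedCertEntry'
}

# Build CATALINA_OPTS; both -D switches stay on one line so the property name
# is not split the way it wraps in an e-mail.
catalina_opts() {
    printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

# Cheap check before starting Tomcat: both properties must be present.
trust_opts_complete() {
    case "$1" in
        *-Djavax.net.ssl.trustStore=*-Djavax.net.ssl.trustStorePassword=*) return 0 ;;
    esac
    return 1
}

if [ "${1:-}" = "setup" ]; then
    build_truststore && verify_truststore
    CATALINA_OPTS=$(catalina_opts "$TRUSTSTORE" "$TRUSTSTORE_PASSWORD")
    export CATALINA_OPTS
    trust_opts_complete "$CATALINA_OPTS" && echo "CATALINA_OPTS=$CATALINA_OPTS"
fi
```

Run it as `sh setup-truststore.sh setup` on the Tomcat host before starting Catalina; the truststore should be readable by the Tomcat user only, like the keystore.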