tomcat-users mailing list archives

From "Xia, Hong" <>
Subject SSL mutual communication problem with Tomcat5 --- Remote host closed connection during handshake
Date Tue, 13 Sep 2005 18:51:19 GMT

I am trying to set up Tomcat5 (as standalone web server) with https mutual authentication.

Here is the connector config:
<Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="F:\Apache Software Foundation\keystores\serverstore.jks"
               clientAuth="true"  sslProtocol="TLS"/>

The keys and keystore were created using Keytool

Client certificate client.cer was sent to the client machine, which uses IE6 to connect to the
tomcat server. IE6 imported the client certificate into IE6 under the Trusted Root Certification

When the client IE6 connects to the tomcat web server, the Client Authentication Window appeared
without the client certificate.
The Tomcat log gives the following error:

*** CertificateRequest
Cert Types: RSA, DSS, 
Cert Authorities:
<, OU=IS, O=Plug Power, L=Latham, ST=New York, C=US>
<CN=Client, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa-ken, C=JP>
*** ServerHelloDone
http-443-Processor25, WRITE: SSLv3 Handshake, length = 938
http-443-Processor25, received EOFException: error
http-443-Processor25, handling exception: Remote host
closed connection during handshake
http-443-Processor25, SEND SSLv3 ALERT:  fatal, description = handshake_failure
http-443-Processor25, WRITE: SSLv3 Alert, length = 2
http-443-Processor25, called closeSocket()
http-443-Processor25, called close()
http-443-Processor25, called closeInternal(true)

Does anyone know why this error happens? I am suspecting that IE6 has a problem with the
imported client.cer file, but I am not able to pinpoint it.

Your help will be very much appreciated.
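A small triage script, added here and not part of the original post, that reads the JSSE debug output quoted above, extracts the issuer DNs the server advertised in its CertificateRequest (built from the server's truststore, which is the JDK's default cacerts when no truststoreFile is configured), and checks whether a given client certificate's issuer is among them. "issuer-not-trusted" means the client's CA must be added to the server truststore; "cert-not-offered" means the issuer is acceptable but the browser closed the connection without sending a certificate, which is what happens when the client cert is installed without its private key (for example under Trusted Root rather than Personal). The DN normalization and the diagnosis labels are my own assumptions.

```python
import re
# Constructed sample: the JSSE debug lines quoted in the post (the first DN's CN was scrubbed)
SAMPLE_LOG = """*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<, OU=IS, O=Plug Power, L=Latham, ST=New York, C=US>
<CN=Client, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa-ken, C=JP>
*** ServerHelloDone
http-443-Processor25, WRITE: SSLv3 Handshake, length = 938
http-443-Processor25, received EOFException: error
http-443-Processor25, handling exception: Remote host
closed connection during handshake
http-443-Processor25, SEND SSLv3 ALERT:  fatal, description = handshake_failure
"""

def normalize_dn(dn):
    """Split a DN string into (TYPE, value) pairs so that whitespace and the
    case of attribute types do not affect comparison."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue  # tolerate the scrubbed (empty) leading RDN
        typ, _, val = part.partition("=")
        rdns.append((typ.strip().upper(), val.strip()))
    return tuple(rdns)

def parse_certificate_request(log_text):
    """Return (issuer DNs the server will accept, handshake_failed)."""
    authorities, in_block, failed = [], False, False
    for line in log_text.splitlines():
        if line.startswith("Cert Authorities:"):
            in_block = True
            continue
        if in_block:
            m = re.match(r"^<(.*)>$", line.strip())
            if m:
                authorities.append(normalize_dn(m.group(1)))
                continue
            in_block = False  # end of the <DN> list
        if "closed connection during handshake" in line or "handshake_failure" in line:
            failed = True
    return authorities, failed

def diagnose(log_text, client_issuer_dn):
    # Assumed labels: classify the failure for a client cert signed by client_issuer_dn
    authorities, failed = parse_certificate_request(log_text)
    if normalize_dn(client_issuer_dn) not in authorities:
        return "issuer-not-trusted"  # CA missing from the server's truststore
    return "cert-not-offered" if failed else "ok"  # browser sent no certificate
```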

