tomcat-users mailing list archives

From Hector Adolfo Alonso <>
Subject Re: SSL mutual communication problem with Tomcat5 --- Remote host closed connection during handshake
Date Tue, 13 Sep 2005 19:35:07 GMT
Hi Xia:
    I think you cannot use a self-signed certificate (as keytool generates) for mutual authentication.
The user certificate's certificate authority signer should be the same one that signs the server certificate. In this case, the server certificate is self-signed. On the other hand, who signs the client certificate? Is it self-signed too?
In this case there is a problem, because both of them are self-signed --> both of them are signed by different CAs --> there is a handshake failure.
   IMHO, Tomcat's cert should be signed by a true CA ... then the browser should recognize the CA's cert.
   I'm sure there is a more technical and deep explanation, but I hope this helps.


Xia, Hong wrote:

>I am trying to set up Tomcat5 (as a standalone web server) with https mutual authentication.

>Here is the connector config:
><Connector port="443" maxHttpHeaderSize="8192"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="true" disableUploadTimeout="true"
>               acceptCount="100" scheme="https" secure="true"
>               keystoreFile="F:\Apache Software Foundation\keystores\serverstore.jks"
>               keystorePass="changeit"
>               clientAuth="true"  sslProtocol="TLS"/>
>The keys and keystore were created using Keytool.
>Client certificate client.cer was sent to the client machine, which uses IE6 to connect to
>the Tomcat server. IE6 imported the client certificate into IE6 under the Trusted Root Certification
>When the client IE6 connects to the Tomcat web server, the Client Authentication window
>appears without the client certificate.
>Tomcat log gives the following error:
>*** CertificateRequest
>Cert Types: RSA, DSS, 
>Cert Authorities:
><, OU=IS, O=Plug Power, L=Latham, ST=New York, C=US>
><CN=Client, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa-ken, C=JP>
>*** ServerHelloDone
>http-443-Processor25, WRITE: SSLv3 Handshake, length = 938
>http-443-Processor25, received EOFException: error
>http-443-Processor25, handling exception: Remote
>host closed connection during handshake
>http-443-Processor25, SEND SSLv3 ALERT:  fatal, description = handshake_failure
>http-443-Processor25, WRITE: SSLv3 Alert, length = 2
>http-443-Processor25, called closeSocket()
>http-443-Processor25, called close()
>http-443-Processor25, called closeInternal(true)
>Does anyone know why this error happens? I am suspecting that IE6 has a problem with
>the imported client.cer file, but I am not able to pinpoint it.
>Your help will be very much appreciated.
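The log quoted above already contains the diagnosis: in the CertificateRequest message the server advertises the DNs of the CAs it trusts ("Cert Authorities:"), and a browser only offers client certificates whose issuer matches one of those DNs. A self-signed client.cer is its own issuer, so unless that DN is in the server's truststore the browser finds nothing to offer and the handshake dies with handshake_failure. The script below is an added example written for this thread, not code from the original posts or from Tomcat; it parses the JSSE debug output into a list of advertised authorities and checks whether a given client certificate's issuer would match. The log text is constructed from the quoted one (the archive stripped the CN of the first entry, so it is omitted here too), and the client DNs in the test are made up.

```python
"""Check a JSSE debug log's CertificateRequest against a client cert's issuer.

Added example for the tomcat-users thread on mutual-TLS handshake failure;
not part of Tomcat or of the original mails.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the CertificateRequest block quoted in the thread.
SAMPLE_LOG = """\
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<OU=IS, O=Plug Power, L=Latham, ST=New York, C=US>
<CN=Client, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa-ken, C=JP>
*** ServerHelloDone
"""


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=a, O=b, C=c' into {'CN': 'a', 'O': 'b', 'C': 'c'}.

    Attribute types are compared case-insensitively, values exactly.
    Escaped commas inside values are not handled (JSSE debug output does
    not produce them for these fields).
    """
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            continue
        attr, value = rdn.split("=", 1)
        parts[attr.strip().upper()] = value.strip()
    return parts


def advertised_authorities(log: str) -> List[Dict[str, str]]:
    """Return the CA DNs the server listed between 'Cert Authorities:' and ServerHelloDone."""
    block = re.search(r"Cert Authorities:\n(.*?)\*\*\* ServerHelloDone", log, re.S)
    if not block:
        return []
    return [parse_dn(dn) for dn in re.findall(r"<([^>]*)>", block.group(1))]


def would_be_offered(client_issuer_dn: str, log: str) -> bool:
    """True if a browser would consider a cert with this issuer for this server."""
    issuer = parse_dn(client_issuer_dn)
    return any(issuer == ca for ca in advertised_authorities(log))


def diagnose(client_subject_dn: str, client_issuer_dn: str, log: str) -> str:
    """Explain why an empty certificate picker appears, from the server's point of view."""
    if would_be_offered(client_issuer_dn, log):
        return "ok: issuer is in the server's advertised CA list"
    if parse_dn(client_subject_dn) == parse_dn(client_issuer_dn):
        return ("self-signed client certificate; its own DN is not in the server's "
                "truststore, so the server never asks for it")
    return ("issuer not among advertised authorities; import the client CA "
            "certificate into the truststore the Connector uses")


if __name__ == "__main__":
    # A self-signed client cert: subject and issuer are the same DN.
    print(diagnose("CN=client, O=Example, C=US", "CN=client, O=Example, C=US", SAMPLE_LOG))
    # A cert issued by one of the advertised authorities.
    print(diagnose("CN=user, O=Example, C=US",
                   "CN=Client, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa-ken, C=JP", SAMPLE_LOG))
```

On the defender's side the remedy follows from the check: whatever signed the client certificate (a real CA, or the self-signed client certificate itself) has to be present in the truststore Tomcat's connector consults, which for this configuration is the JVM's default cacerts since the Connector names no truststore. Comparing the issuer against the advertised list is also a quick way to confirm a fix took effect before involving the browser again.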
