tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: SSL mutual communication problem with Tomcat5 --- Remote host closed connection during handshake
Date Tue, 13 Sep 2005 21:11:32 GMT
Hector Adolfo Alonso wrote:
> Hi Xia:
>    I think you cannot use a self-signed certificate (as keytool 
> generates) for mutual authentication.
> The user certificate's certificate authority signer should be the same that 
> signs the server certificate. In this case,
> the server certificate is self-signed. On the other hand, who signs the 
> client certificate? Is it self-signed too?
> In this case, there is a problem, because both of them are self-signed 
> --> both of them are signed by
> different CAs --> there is a handshake failure.
>   IMHO, Tomcat's cert should be signed by a true CA ... then the browser 
> should recognize the CA's cert.
>   I'm sure there is a more technical and deep explanation, but I hope 
> this helps.

This is simply wrong. There is *no* requirement that the client and 
server certificates must be signed by the same CA for the handshake to 
work.

Possible causes of the problem are:
- client CA cert not in $JAVA_HOME/jre/lib/security/cacerts on server
- client certificate not created with correct usage types
- wrong key algorithm / signing algorithm selected

First, get HTTPS working with a server certificate. Then get it 
working over HTTPS using BASIC auth and then get it working using 
CLIENT-CERT auth.

Mark
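The three causes Mark lists can each be checked on the certificates themselves before touching Tomcat. The script below is an added example and is not code from the thread or from the Tomcat project: it builds a small private CA with openssl, signs a server certificate and a client certificate with it, generates a bare self-signed client certificate for contrast, and then checks (1) whether the server's trust store contains the client certificate's issuer, (2) whether the client certificate carries the clientAuth extended key usage, and (3) which signature algorithm was used. The CA name, host names, user name and file names are all constructed for the example; `ca.pem` stands in for the `cacerts` file or a `truststore.jks`.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a tiny private CA
# with openssl and checks the three things Mark lists for a CLIENT-CERT setup:
# issuing CA present in the server's trust store, clientAuth usage on the
# client cert, and a sane signing algorithm. All names below are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Minimal openssl config so "req" works the same with or without a system
# openssl.cnf; v3_ca marks the CA cert as a CA so "openssl verify" accepts it.
write_cnf() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\n' > "$WORK/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> "$WORK/req.cnf"
}

# Generate: private CA, CA-signed server cert, CA-signed client cert, and a
# self-signed client cert (what a bare "keytool -genkey" gives you) for contrast.
make_pki() {
  write_cnf
  # Private CA. RSA keys and SHA-256 signatures keep the algorithms within
  # what a JSSE trust store handles.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

  # Server cert: CSR signed by the CA with the serverAuth usage.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=tomcat.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null

  # Client cert: signed by the same CA here, but any CA present in the server's
  # trust store would do. clientAuth is the usage a CLIENT-CERT login needs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=alice" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null

  # Self-signed client cert: no CA behind it and no usage extensions.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/req.cnf" \
    -subj "/CN=selfsigned-client" -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# Check 1: does the trust store ($1, a PEM bundle standing in for cacerts or
# truststore.jks) contain the issuer of cert $2? Returns 0 if the chain verifies.
issuer_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does cert $1 carry the TLS client-authentication usage?
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# Check 3: print the signature algorithm of cert $1 (e.g. sha256WithRSAEncryption).
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Run all checks against the CA-signed and the self-signed client cert.
demo() {
  make_pki
  for c in client selfsigned; do
    cert="$WORK/$c.pem"
    if issuer_trusted "$WORK/ca.pem" "$cert"; then t="trusted"; else t="NOT trusted"; fi
    if has_client_auth_eku "$cert"; then e="clientAuth EKU present"; else e="no clientAuth EKU"; fi
    echo "$c: issuer $t by ca.pem; $e; signed with $(sig_alg "$cert")"
  done
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh mtls_check.sh demo`: the CA-signed client certificate verifies and shows the clientAuth usage, the self-signed one fails both checks, which is the situation Hector describes and the first two bullets above. To carry the result over to Tomcat, import `ca.pem` into the server's trust store with `keytool -import -trustcacerts -alias clientca -file ca.pem -keystore truststore.jks` and point the HTTPS connector at it with `clientAuth="true"` and `truststoreFile="..."`; the server certificate and key go into the keystore the connector already uses for plain HTTPS, which matches the order of steps Mark recommends.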



