From: "Andrew Friebel"
To: "'Mark Thomas'", "'Tomcat Users List'" (users@tomcat.apache.org)
Subject: RE: Accessing ssl pages using client authentication
Date: Tue, 14 Nov 2006 12:02:53 +1100
Message-ID: <007101c70788$9da2fe40$21951e0a@andrewf>
In-Reply-To: <4559083F.5040502@apache.org>

Mark,

Thanks for your input. I have got normal SSL working, and that works like a charm (using both IE - doGet, and via a servlet - doPost). My certificates are self-signed. To answer your questions:

o I do not believe this is an issue with self-signed certificates, as the issuer of the server certificate is created when the keystore is created.
o I did forget this step; I have now put the server certificate in the trust store of the client (this is the keystore that I use in my Java code from my client).
o The client certificate is in the trust store of the server (the keystore as defined in server.xml).

If any of my above answers are based on incorrect assumptions, please let me know. I am assuming that I have something wrong (assumption, code, or whatever), rather than Tomcat doing the wrong thing.
I re-tested after installing the server certificate in the client trust store, and I now get a connection, but with the following stack trace (I am slowly getting there):

Nov 14, 2006 1:42:40 PM org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
        at java.io.InputStream.read(InputStream.java:89)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1049)
        at org.apache.coyote.Request.action(Request.java:361)
        at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:929)
        at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:214)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:137)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:534)
Nov 14, 2006 1:42:40 PM org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
        at java.io.InputStream.read(InputStream.java:89)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1049)
        at org.apache.coyote.Request.action(Request.java:361)
        at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:929)
        at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:214)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:137)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:534)

Regards,
Andrew Friebel

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Tuesday, 14 November 2006 11:05 AM
To: Tomcat Users List
Subject: Re: Accessing ssl pages using client authentication

Andrew Friebel wrote:
> I am also having trouble accessing the page using a browser. I extract
> each certificate from my certificate chain, and import them into the
> keystore on the server running tomcat. After I accept the server
> certificate (before I select my client certificate to send), the
> following stack trace is displayed on my server:
>
> Nov 13, 2006 2:56:52 PM org.apache.coyote.http11.Http11Processor action
> WARNING: Exception getting SSL Cert
> java.net.SocketException: Socket Closed
>
> Any ideas to what is causing this?

Is the issuer of your server certificate in the trust store used by the server?
Is the issuer of your server certificate in the trust store used by the client?
Is the issuer of your client certificate in the trust store used by the server?

I would get SSL working on its own before adding CLIENT-CERT

Mark
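As an added example (editor's code, not from this thread or from Tomcat), this is the client side of the Java doPost setup discussed above, built so that it can answer the server's certificate request: JSSE logs "null cert chain" on the server when a client sends an empty certificate chain, which is what a client without a KeyManager holding its own private key and certificate does. Mark's three checks map onto the two stores: the truststore must hold the issuer of the server certificate, and the server's own truststore must hold the issuer of the certificate in this keystore. Keystore paths, passwords, the hostname and the URL path are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example: HTTPS client that presents a client certificate (CLIENT-CERT). */
public class MutualTlsClient {

    /** Loads a JKS store from disk; password may be null for a store without integrity check. */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { store.load(in, password); } finally { in.close(); }
        return store;
    }

    /** Builds an SSLContext with BOTH halves of mutual TLS: KeyManagers (our key + cert,
     *  sent in reply to the server's CertificateRequest) and TrustManagers (the server
     *  certificate's issuer). Leaving the KeyManagers out is what produces an empty
     *  client chain, and therefore the server-side "null cert chain" handshake error. */
    static SSLContext buildContext(String keyStorePath, char[] keyStorePass,
                                   String trustStorePath, char[] trustStorePass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Assumes the private-key entry uses the same password as the store (keytool default).
        kmf.init(loadStore(keyStorePath, keyStorePass), keyStorePass);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustStorePath, trustStorePass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder store names/passwords; the server certificate's CN must match the host.
        SSLContext ctx = buildContext("client.jks", "changeit".toCharArray(),
                                      "client-truststore.jks", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://localhost:8443/secure/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        OutputStream out = conn.getOutputStream();
        try { out.write("ping".getBytes("US-ASCII")); } finally { out.close(); }
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The client keystore must contain a private-key entry with its certificate chain (a certificate imported with keytool as a trusted entry has no key and will not be offered to the server).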