From: Pid <pid@pidster.com>
Organization: Pidster Inc
Date: Tue, 12 Jan 2010 17:30:28 +0000
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Client authentication problems
Message-ID: <4B4CB1B4.5060401@pidster.com>
In-Reply-To: <85FA03E6BB6F0340B5A117013571A9B70469B4AB@exchange3.ad.sis.tv>

On 12/01/2010 16:32, John Watson wrote:
> Dear tomcat users,
>
> I run tomcat 6.0.18 under java 6 and am attempting to set up client
> authentication via SSL. I have followed the instructions here:
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html, with Tomcat
> using the default SSL implementation. We act as our own CA, so I have
> set up java keystores at both server and client, each of which has the
> same CA certificate, but a distinct actual certificate. I am attempting
> to test using HttpClient as described here:
> http://hc.apache.org/httpclient-3.x/sslguide.html and am using
> AuthSSLProtocolSocketFactory.
>
> The client gets hold of the server certificates OK but then the test
> fails with the error:
>
> Fatal transport error: Received fatal alert: certificate_unknown
>
> javax.net.ssl.SSLHandshakeException: Received fatal alert:
> certificate_unknown
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
>         ...
>
> I see no sign of any logging of the SSL handshake at the server side.

Which side is seeing the error? The client or the server?

p

> If I switch off client authentication (in server.xml) at the server,
> everything's fine. Similarly, if I actually use the keystore that
> contains the server certs at the client side, all's OK too.
>
> I'd appreciate any help you can give - particularly if you can help me
> log the SSL handshake at the server to try to figure out what's
> happening.
>
> Cheers
>
> John Watson
>
> **********************************************************************
> Satellite Information Services Limited. Registered Office: 17 Corsham Street, London, N1 6DR. Company No. 4243307
> The information in this email (which includes any files transmitted with it) is confidential and is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this email in error please notify the sender immediately, destroy any copies and delete it from your computer system.
> **********************************************************************

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
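Added example, not part of the thread and not Tomcat or HttpClient code. Two things a practitioner would check before guessing. First, in a JSSE stack trace "Received fatal alert" is reported by the side that received the alert, and the trace above ends in SSLSocketImpl.recvAlert on the client, so it is the client reporting that the server rejected the client certificate (certificate_unknown is the alert Sun's trust manager sends when checkClientTrusted throws). Second, the server can be made to log the handshake: with the JSSE connector, starting Tomcat with CATALINA_OPTS="-Djavax.net.debug=ssl,handshake" prints every handshake message, including the CertificateRequest with the CA names the server will accept and the trust-manager failure, to catalina.out. Which CAs the server accepts comes from the Connector's truststoreFile/truststorePass attributes (keystoreFile/keystorePass only hold the server's own identity); if truststoreFile is not set, Tomcat falls back to the JVM's default truststore, which will not contain a private CA. The program below reproduces the server-side decision offline: it builds the same X509TrustManager JSSE builds from the server's truststore and asks it whether the chain in the client's keystore would be accepted. The class name ClientCertCheck, the command-line arguments and the assumption that both stores are JKS are mine; the JSSE calls are standard, and the code avoids Java 7 syntax so it runs on the Java 6 the poster uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Offline replay of what a Tomcat JSSE connector with clientAuth="true" does
 * with a client certificate: build the trust manager from the server's
 * truststore and ask it whether the client's chain is acceptable.
 * Added example; class and argument names are assumptions, not Tomcat code.
 */
public class ClientCertCheck {

    /** Loads a JKS keystore (assumed type; use getInstance(type) for PKCS12 etc.). */
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /** The X509TrustManager JSSE derives from a Connector's truststoreFile. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Chain for a private-key entry, i.e. what the client sends in its Certificate message. */
    static X509Certificate[] clientChain(KeyStore clientStore, String alias) throws Exception {
        Certificate[] raw = clientStore.getCertificateChain(alias);
        if (raw == null) {
            // A trustedCertEntry has no private key, so it can never be presented as a client cert.
            throw new IllegalArgumentException("alias " + alias + " is not a private-key entry");
        }
        X509Certificate[] chain = new X509Certificate[raw.length];
        for (int i = 0; i < raw.length; i++) {
            chain[i] = (X509Certificate) raw[i];
        }
        return chain;
    }

    /** null if the server would accept the chain; otherwise why it would send certificate_unknown. */
    static String rejectionReason(X509TrustManager tm, X509Certificate[] chain) {
        // JSSE passes the client key type ("RSA", "DSA", "EC") as authType.
        String authType = chain[0].getPublicKey().getAlgorithm();
        try {
            tm.checkClientTrusted(chain, authType);
            return null;
        } catch (CertificateException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ClientCertCheck <server-truststore> <truststore-pass>"
                + " <client-keystore> <keystore-pass> <client-alias>");
            System.exit(2);
        }
        X509TrustManager tm = trustManagerFor(load(args[0], args[1]));
        X509Certificate[] chain = clientChain(load(args[2], args[3]), args[4]);

        System.out.println("client presents " + chain.length + " certificate(s); leaf subject: "
            + chain[0].getSubjectX500Principal() + "; issuer: " + chain[0].getIssuerX500Principal());
        System.out.println("server truststore accepts certificates issued by:");
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("  " + ca.getSubjectX500Principal());
        }

        String reason = rejectionReason(tm, chain);
        if (reason == null) {
            System.out.println("OK: server would accept this client certificate");
        } else {
            System.out.println("REJECTED (server would send certificate_unknown): " + reason);
            System.exit(1);
        }
    }
}
```

Run it with the truststore the Connector actually points at, not the one you think it points at. If the leaf's issuer is not in the printed "accepts certificates issued by" list, the server cannot build a path and rejects the certificate, which is consistent with the poster's observation that presenting the server's own keystore (whose chain the server already trusts) works; a rejection with the issuer present usually means an expired or not-yet-valid certificate, and the exception text says which.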