Does JSSE support mutual authentication with PFX files?
Hi,

I am working with JSSE for SSL communications. I am facing some problems in doing the mutual authentication with the server certificates exported to the PFX format. I am doing a mutual authentication by initialising the keystores with the PFX file and the truststores with the DER file, all in the PKCS12 type. But only one-side authentication is happening. The client does not send its public certificate to the server and hence I am getting a null certificate received exception.

It would be greatly helpful if I could get some suggestions on this front. First of all I want to confirm if the PKCS12 form supports mutual authentication.

Expecting to get back on this issue.

Thanks,
Alak.
Re: Does JSSE support mutual authentication with PFX files?
This really isn't the right forum for this question. Surely there is a JSSE mailing list. That said...

E Alaknantha [EMAIL PROTECTED] writes:
> I am working with JSSE for SSL communications. I am facing some problems in doing the mutual authentication with the server certificates exported to the PFX format. I am doing a mutual authentication by initialising the keystores with the PFX file and the truststores with the DER file, all in the PKCS12 type. But only one-side authentication is happening. The client does not send its public certificate to the server and hence I am getting a null certificate received exception. It would be greatly helpful if I could get some suggestions on this front. First of all I want to confirm if the PKCS12 form supports mutual authentication.

Let's take a step back. PKCS12/PFX is just a carrier for keying material. It doesn't support or not support mutual authentication. If both sides have suitable keying material then mutual authentication is possible. Otherwise it is not.

The way that authentication works with SSL/TLS is that you have required server auth but optional client auth. [0] The server automatically sends its certificate. If the server wants to authenticate the client it sends a CertificateRequest message containing a list of suitable CAs. If the client has a suitable certificate it sends that, otherwise it sends an empty certificate message or an alert indicating that it won't client authenticate.

Most SSL implementations do not ask for client authentication by default. Have you set the configuration flag that tells JSSE to do so?

-Ekr

[0] There are actually anonymous modes where neither server nor client authenticates but these are very rarely used.

--
[Eric Rescorla [EMAIL PROTECTED]]
Author of SSL and TLS: Designing and Building Secure Systems
http://www.rtfm.com/
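The flag Eric is asking about, shown in an added example that is not from the original thread: both sides load their own PKCS12/PFX file as key material and a PKCS12 keystore holding the peer's CA as trust material, and the server calls setNeedClientAuth(true) so that it actually sends a CertificateRequest. File names, port and password are assumptions; a bare DER certificate must first be imported into a keystore (e.g. with keytool -importcert) before it can be loaded as the trust store.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.*;

public class MutualTlsExample {
    // Assumed password; server.pfx / client.pfx hold each side's private key and
    // certificate, ca.p12 is a PKCS12 keystore holding the trusted CA certificate.
    static final char[] PASS = "changeit".toCharArray();

    static KeyStore loadPkcs12(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASS);
        }
        return ks;
    }
    // Same construction on both sides: key managers supply our own certificate,
    // trust managers validate the peer's chain against ca.p12.
    static SSLContext buildContext(String pfx, String trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadPkcs12(pfx), PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadPkcs12(trustStore));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        SSLServerSocket server = (SSLServerSocket) buildContext("server.pfx", "ca.p12")
                .getServerSocketFactory().createServerSocket(8443);
        // The configuration flag Eric refers to: without it the server never sends
        // CertificateRequest, so the client never offers its certificate.
        server.setNeedClientAuth(true);
        new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
                // Only reachable if the client presented a chain rooted in ca.p12.
                System.out.println("client: " + s.getSession().getPeerPrincipal());
            } catch (Exception e) { e.printStackTrace(); }
        }).start();
        try (SSLSocket client = (SSLSocket) buildContext("client.pfx", "ca.p12")
                .getSocketFactory().createSocket("localhost", 8443)) {
            client.startHandshake();
            System.out.println("server: " + client.getSession().getPeerPrincipal());
        }
    }
}
```

If the client side is built without a KeyManager (null key managers, or a PFX with no private key entry), the handshake above fails with a handshake alert rather than succeeding one-sided, which is the behaviour to expect when client auth is required.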
Re: Does JSSE support mutual authentication with PFX files?
Eric,

I already answered E. Alaknantha with a code snippet answering his question, sorry I forgot to CC the entire list so everyone would know... It really would be nice if folks just followed up privately to off topic posts.

-rick (cc'ing the list so everyone knows the way)

On 20 Dec 2001, Eric Rescorla wrote:
> This really isn't the right forum for this question. Surely there is a JSSE mailing list. That said...
>
> E Alaknantha [EMAIL PROTECTED] writes:
> > I am working with JSSE for SSL communications. I am facing some problems in doing the mutual authentication with the server certificates exported to the PFX format. I am doing a mutual authentication by initialising the keystores with the PFX file and the truststores with the DER file, all in the PKCS12 type. But only one-side authentication is happening. The client does not send its public certificate to the server and hence I am getting a null certificate received exception. It would be greatly helpful if I could get some suggestions on this front. First of all I want to confirm if the PKCS12 form supports mutual authentication.
>
> Let's take a step back. PKCS12/PFX is just a carrier for keying material. It doesn't support or not support mutual authentication. If both sides have suitable keying material then mutual authentication is possible. Otherwise it is not.
>
> The way that authentication works with SSL/TLS is that you have required server auth but optional client auth. [0] The server automatically sends its certificate. If the server wants to authenticate the client it sends a CertificateRequest message containing a list of suitable CAs. If the client has a suitable certificate it sends that, otherwise it sends an empty certificate message or an alert indicating that it won't client authenticate.
>
> Most SSL implementations do not ask for client authentication by default. Have you set the configuration flag that tells JSSE to do so?
>
> -Ekr
>
> [0] There are actually anonymous modes where neither server nor client authenticates but these are very rarely used.
>
> --
> [Eric Rescorla [EMAIL PROTECTED]]
> Author of SSL and TLS: Designing and Building Secure Systems
> http://www.rtfm.com/
Re: Does JSSE support mutual authentication with PFX files?
Very sorry for my previous post. _Alak.