Version: Tomcat 4.0b1
OS: Win2000 SP1

This is a follow-up to a message posted by Jeff Lansing on 13-Feb-2001. His
problem, like mine, is the following. If Tomcat is configured to require
client authentication on an SSL socket, Microsoft's IE (5.5 SP1 running
with 128-bit encryption) presents the browser-side user with an empty
which-certificate-to-send dialog box. That is, IE is declining to send any
client certs to Tomcat. This is not (at least in my case) a Tomcat
configuration problem, since a normal (no client auth) SSL connection to the
same Tomcat works just fine. I have some info to add to Jeff's message:

o I turned on the JSSE debugging via
        set CATALINA_OPTS=-Djavax.net.debug=all
With debugging turned on, I can verify that Tomcat is in fact sending a list
of CAs from the cacert repository that includes the signer of the cert
loaded in the browser. In fact, the same CA signed both the Tomcat cert and
the user cert. The CA is an internal Templar Corp CA running Microsoft's
certificate authority stuff on a Win2000 server. Visual inspection seems to
imply that the problem isn't in Tomcat (but read on...). If anybody really,
really wants to double-check me, I'll be happy to send the session.txt file
by return mail -- it's almost 200k long, though.

o The browser does create a proper dialog box if the server is Microsoft's
IIS configured to ask for client authentication. The IIS certificate was
generated by the same CA as Tomcat's and is structurally the same (same
extensions etc).

o Netscape 6.0 will deliver a client cert if asked by Tomcat. The Netscape
cert in question is identical to the one loaded into IE -- to get a cert
into Netscape, I had to export the public/private keys from IE and load 'em
into Netscape. I ran Tomcat with JSSE debugging turned on and verified that
the user certificate was in fact being delivered to Tomcat.

I'm at a loss to figure out what's going on. It's starting to smell like a
config problem in IE, but I can't figure out what it could be -- and anyway,
a config problem in IE doesn't explain why IE happily delivers the client
cert to IIS. Anybody have any clues??

R.W. Shore
Templar Corporation
Alexandria VA
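The exchange the message describes (the server lists acceptable CAs in its CertificateRequest, and the browser decides whether to present a client cert) can be reproduced end to end with Go's standard library. This is an added example, not code from the original message or from Tomcat: `issue`, `handshake`, the CA names and the certificates are constructed for the demonstration, and the client side deliberately mimics a browser that offers its cert only when the cert's issuer DN is, byte for byte, one of the DNs the server sent, which is the check that settles the question more reliably than visually inspecting a debug log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue mints a constructed test certificate for cn signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one in-memory TLS handshake: the server requires a client cert chaining to ca and lists ca's DN in its
// CertificateRequest; the client, like a browser, offers userCert only if its issuer DN equals a listed DN byte for byte.
func handshake(ca, srvCert, userCert *x509.Certificate, srvKey, userKey ed25519.PrivateKey) (offered bool, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvConf := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}}
	cliConf := &tls.Config{RootCAs: pool, ServerName: "localhost", GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for _, dn := range cri.AcceptableCAs { // the CA DNs the server sent, the list a JSSE debug trace shows going out
			if offered = string(dn) == string(userCert.RawIssuer); offered {
				return &tls.Certificate{Certificate: [][]byte{userCert.Raw}, PrivateKey: userKey}, nil
			}
		}
		return &tls.Certificate{}, nil // no issuer match: an empty certificate list, the browser's "empty dialog" outcome
	}}
	c, s := net.Pipe()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, srvConf).Handshake() }()
	tls.Client(c, cliConf).Handshake()
	c.Close() // the client flight is sent; hanging up keeps a pending server alert from blocking the synchronous pipe
	return offered, <-errc
}
```

To exercise it, issue a CA plus a server and a user cert from it and call `handshake` (the cert is offered and the server accepts); then issue the user cert from an unrelated CA and `offered` turns false while the server reports that the client provided no certificate, the server-side view of the empty dialog in the message.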
