Mark,
Thanks for your input. I have got normal SSL working, and that
works like a charm (using both IE - doGet, and via a servlet - doPost).
My certificates are self signed, to answer your questions:
o I do not believe this is an issue with self signed certificates
- as the issuer of the server certificate is created when the keystore
is created.
o I did forget this step, I have now put the server certificate in
the trust store of the client (this is the keystore that I use in my
java code from my client)
o The client certificate is in the trust store of the server (the
keystore as defined in server.xml)
If any of my above answers have incorrect assumptions that they are
based around, please let me know. I am assuming that I have something
wrong (assumption, code, or whatever), rather than tomcat doing the
wrong thing.
I re-tested after installing the server certificate in the client trust
store, and I now get a connection, but with the following stack trace (I
am slowly getting there):
Nov 14, 2006 1:42:40 PM org.apache.tomcat.util.net.jsse.JSSE14Support
synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
at java.io.InputStream.read(InputStream.java:89)
at
org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE1
4Support.java:88)
at
org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.ja
va:67)
at
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSE
Support.java:120)
at
org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:104
9)
at org.apache.coyote.Request.action(Request.java:361)
at
org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:
929)
at
org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequest
Facade.java:214)
at
org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthe
nticator.java:137)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
Base.java:504)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveCo
ntext.java:102)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:5
20)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:137)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveCo
ntext.java:104)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:117)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveCo
ntext.java:102)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:5
20)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:109)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveCo
ntext.java:104)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:5
20)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at
org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:79
9)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processC
onnection(Http11Protocol.java:705)
at
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:57
7)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool
.java:683)
at java.lang.Thread.run(Thread.java:534)
Nov 14, 2006 1:42:40 PM org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
at java.io.InputStream.read(InputStream.java:89)
at
org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE1
4Support.java:88)
at
org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.ja
va:67)
at
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSE
Support.java:120)
at
org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:104
9)
at org.apache.coyote.Request.action(Request.java:361)
at
org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:
929)
at
org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequest
Facade.java:214)
at
org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthe
nticator.java:137)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
Base.java:504)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveCo
ntext.java:102)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:5
20)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:137)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveCo
ntext.java:104)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:117)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveCo
ntext.java:102)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:5
20)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:109)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveCo
ntext.java:104)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:5
20)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at
org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:79
9)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processC
onnection(Http11Protocol.java:705)
at
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:57
7)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool
.java:683)
at java.lang.Thread.run(Thread.java:534)
Regards,
Andrew Friebel
-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 November 2006 11:05 AM
To: Tomcat Users List
Subject: Re: Accessing ssl pages using client authentication
Andrew Friebel wrote:
> I am also having trouble access the page using a browser. I extract
my
> each certificate from my certificate chain, and import them into the
> keystore on the server running tomcat. After I accept the server
> certificate (before I select my client certificate to send), the
> following stack trace is displayed on my server:
>
> Nov 13, 2006 2:56:52 PM org.apache.coyote.http11.Http11Processor
action
> WARNING: Exception getting SSL Cert
> java.net.SocketException: Socket Closed
>
> Any ideas to what is causing this?
Is the issuer of your server certificate in the trust store used by
the server?
Is the issuer of your server certificate in the trust store used by
the client?
Is the issuer of your client certificate in the trust store used by
the server?
I would get SSL working on its own before adding CLIENT-CERT
Mark
