I'm having some hard-to-track problems using a Stronghold v3.0 web-server with mod_ssl.

Our application calls for a Java client, using HTTPS tunneling via a proxy web-server which forwards calls via a plugin to a WebLogic application server. The Java client and web-server should use two-way authenticated SSL and client certificates.

Simple calls using just one SSL connection to the mod_ssl enabled web-server work correctly, indicating the client, server and CA certificates appear to be installed correctly. However, when using RMI calls via the tunneling proxy plugin (which results in multiple HTTP GET/PUT requests and thus multiple SSL connections) we get the following error on the last request:

[21/Feb/2001 14:47:56 06764] [trace] OpenSSL: Loop: SSLv3 read client certificate A
[21/Feb/2001 14:47:56 06763] [trace] OpenSSL: Write: SSLv3 read client certificate B
[21/Feb/2001 14:47:56 06763] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[21/Feb/2001 14:47:56 06763] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[21/Feb/2001 14:47:56 06763] [error] SSL handshake failed (server webserver:443, client 192.168.17.112) (OpenSSL library error follows)
[21/Feb/2001 14:47:56 06763] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Now this is almost certainly the fault of the client's (WebLogic's) Java SSL implementation - however I'd still like to know how this log entry should be read. All other connections only ever request a "certificate A" - why is the server attempting to read a client certificate B all of a sudden? And how do certificates "A" and "B" differ? Are these just some kind of "slot" allowing the client to submit multiple client certificates?

Thanks for any help,

                        -- yours sincerely,

                                                Rory Chisholm
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
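
Added example, not part of the original post and not mod_ssl or Stronghold code: a small triage script that groups trace lines like those quoted above by process id, so each handshake failure is reported with the last OpenSSL state logged by that same process, and splits the packed error code into its fields. It assumes the second bracketed field is the httpd process id and that the error code uses the pre-3.0 OpenSSL layout (8-bit library, 12-bit function, 12-bit reason); the function names and the sample constant are hypothetical.

```python
import re

# Constructed sample: the trace quoted in the post, with wrapped lines re-joined.
SAMPLE_LOG = """\
[21/Feb/2001 14:47:56 06764] [trace] OpenSSL: Loop: SSLv3 read client certificate A
[21/Feb/2001 14:47:56 06763] [trace] OpenSSL: Write: SSLv3 read client certificate B
[21/Feb/2001 14:47:56 06763] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[21/Feb/2001 14:47:56 06763] [error] SSL handshake failed (server webserver:443, client 192.168.17.112) (OpenSSL library error follows)
[21/Feb/2001 14:47:56 06763] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
"""

# Assumed line layout: [date time pid] [level] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
STATE = re.compile(r"^OpenSSL: (?:Loop|Read|Write|Exit): (?:(?:error|failed) in )?(?P<state>.+)$")
PEER = re.compile(r"SSL handshake failed \(server (?P<server>\S+), client (?P<client>[^)]+)\)")
ERROR = re.compile(r"^OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:[^:]*:(?P<reason>.*)$")

def unpack_error(code_hex):
    """Split a packed OpenSSL error code (pre-3.0 layout) into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def failed_handshakes(text):
    """Return one record per OpenSSL error line, correlated by process id."""
    last_state, peer, failures = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line; re-join wrapped entries before parsing
        pid, msg = m["pid"], m["msg"]
        if s := STATE.match(msg):
            last_state[pid] = s["state"]      # most recent state for this process only
        elif p := PEER.search(msg):
            peer[pid] = p["client"]
        elif e := ERROR.match(msg):
            failures.append({
                "pid": pid,
                "client": peer.get(pid),
                "last_state": last_state.get(pid),
                "code": unpack_error(e["code"]),
                "reason": e["reason"].split(" [Hint", 1)[0].strip(),
            })
    return failures

if __name__ == "__main__":
    for failure in failed_handshakes(SAMPLE_LOG):
        print(failure)
```

On the sample, the "certificate A" line carries process id 06764 while the failure is logged by 06763, which is why the script keeps state per process instead of reading the file as one sequence.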
