Re: Identifying Clients via SSL Certificates

2009-11-11 Thread Nilesh Patil
Hi,
For the last few days I have also been working on SSL implementation.
I am using JBoss 5.1.0 GA.
I have implemented the server certificate but I don't know how to implement
client/server mutual authentication.

Do you work on that part? Can you help me?

Another issue I have is that I can access my application from the server, but if I
access the same application from a client machine I am getting the following
exception:

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:  }

Thanks in advance.

Please reply.


On Tue, Nov 10, 2009 at 3:59 AM, Jorge Medina jmed...@e-dialog.com wrote:


 OpenSSL hashes the subject name.
 This is used in OpenSSL to form an index to allow certificates in a
 directory to be looked up by subject name.
 But that seems weak.


 http://www.openssl.org/docs/apps/x509.html
 http://www.openssl.org/docs/apps/verify.html




 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Monday, November 09, 2009 2:06 PM
 To: Tomcat Users List
 Subject: Identifying Clients via SSL Certificates


 All,

 I've been playing around with client SSL certificates, not for
 authentication per se, but as a gateway to a relaxed authentication
 mechanism for one of our webapps.

 I have a client SSL cert working (see my previous thread mod_jk & Client
 SSL Certificates) and successfully verifying the signature of the client
 cert by the server.

 I'd like to be able to uniquely identify the client certificate being used
 to authenticate via SSL, but I'm a newbie at this sort of thing and I'd
 appreciate some suggestions as to how to do that. A few ideas I've had are:

 1. Use a directory-style 'CN' attribute like UID=myuniqueid

 2. Use the fingerprint of the client certificate

 3. Use the full text of the client certificate

 All 3 of the above can be used to then link to appropriate records in the
 database for limited authentication.

 Does anyone have any suggestions or preferred techniques?

 Thanks,
 - -chris

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org






RE: Identifying Clients via SSL Certificates

2009-11-09 Thread Jorge Medina
 
OpenSSL hashes the subject name.
This is used in OpenSSL to form an index to allow certificates in a
directory to be looked up by subject name.
But that seems weak.

http://www.openssl.org/docs/apps/x509.html
http://www.openssl.org/docs/apps/verify.html




-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Monday, November 09, 2009 2:06 PM
To: Tomcat Users List
Subject: Identifying Clients via SSL Certificates


All,

I've been playing around with client SSL certificates, not for authentication 
per se, but as a gateway to a relaxed authentication mechanism for one of our 
webapps.

I have a client SSL cert working (see my previous thread mod_jk & Client SSL 
Certificates) and successfully verifying the signature of the client cert by 
the server.

I'd like to be able to uniquely identify the client certificate being used to 
authenticate via SSL, but I'm a newbie at this sort of thing and I'd appreciate 
some suggestions as to how to do that. A few ideas I've had are:

1. Use a directory-style 'CN' attribute like UID=myuniqueid

2. Use the fingerprint of the client certificate

3. Use the full text of the client certificate

All 3 of the above can be used to then link to appropriate records in the 
database for limited authentication.

Does anyone have any suggestions or preferred techniques?

Thanks,
- -chris

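The three identification options from the quoted question (subject UID attribute, certificate fingerprint, full certificate text), worked as an added example that is not code from this thread, from Tomcat or from OpenSSL. It is written in Go so that it runs stand-alone; in a Tomcat webapp the certificate instead arrives via the request attribute `javax.servlet.request.X509Certificate`. The UID attribute OID, the self-signed test certificate and the `IssueClientCert` helper are assumptions constructed for the demonstration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"math/big"
	"time"
)

// OID of the directory "UID" (userId) attribute; an assumption, the thread only writes "UID=".
var uidOID = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}

// Option 1: UID=... from the subject DN ("" if the issuing CA put none in). A DN is unique
// only within one CA, so key your records on it only when the server trusts a single issuer.
func SubjectUID(cert *x509.Certificate) string {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(uidOID) {
			return s
		}
	}
	return ""
}

// Option 2: SHA-256 of the DER bytes. Unique per certificate, so it changes on every renewal (option 3, cert.Raw itself, likewise).
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// IssueClientCert mints a constructed, self-signed client certificate carrying UID=uid, standing
// in for the verified chain Tomcat exposes as request attribute javax.servlet.request.X509Certificate.
func IssueClientCert(uid string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "client", ExtraNames: []pkix.AttributeTypeAndValue{{Type: uidOID, Value: uid}}},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
```

In a servlet the equivalent input is `((X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"))[0]`, the client's own certificate at index 0 of the verified chain. Issuing two certificates with the same UID shows the trade-off: the UID lookup returns the same value for both, while the fingerprint differs, so a fingerprint-keyed record has to be updated on every renewal.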