Apache with SSL + Tomcat, problems retrieving SSL_CLIENT_CERT

Félix J.García Clemente Wed, 22 Jan 2003 02:34:00 -0800

Hi all,

I am trying retrieve the client certificate from a servlet:


   Object ostrX509 =
request.getAttribute("javax.servlet.request.X509Certificate");
   if (ostrX509 == null) {
        .... is null!!

but I can get the cipher suite:

   String cipherSuite = (String)
request.getAttribute("javax.servlet.request.cipher_suite");
      .... is RC4-MD5

The output file catalina.out shows the error "GRAVE: Certificate
convertion failed".

*Output with security provider SUN:
GRAVE: Certificate convertion failed
java.security.cert.CertificateException: Unable to initialize,
java.io.IOException: DerInputStream.getLength(): lengthTag=108, too big.

        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:287)
        at
sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)

        at
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)

        at
org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
        at org.apache.coyote.Response.action(Response.java:222)
        at
org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)

        at
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
        at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
        at
org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:632)
        at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:590)

        at
org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:707)
        at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:530)

        at java.lang.Thread.run(Thread.java:536)
Caused by: java.io.IOException: DerInputStream.getLength():
lengthTag=108, too big.
        at
sun.security.util.DerInputStream.getLength(DerInputStream.java:513)
        at
sun.security.util.DerInputStream.getLength(DerInputStream.java:487)
        at sun.security.util.DerValue.<init>(DerValue.java:233)
        at
sun.security.util.DerInputStream.getDerValue(DerInputStream.java:369)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1568)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:284)

*Output with security provider IAIK:

GRAVE: Certificate convertion failed
java.security.cert.CertificateException: iaik.asn1.CodingException:
ASN1: NumericString does not support getComponentAt(int)!
        at iaik.x509.X509Certificate.b(Unknown Source)
        at iaik.x509.X509Certificate.decode(Unknown Source)
        at iaik.x509.X509Certificate.<init>(Unknown Source)
        at
iaik.x509.CertificateFactory.engineGenerateCertificate(Unknown Source)
        at
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)

        at
org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
        at org.apache.coyote.Response.action(Response.java:222)
        at
org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)

        at
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
        at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
        at
org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:632)
        at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:590)

        at
org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:707)
        at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:530)

        at java.lang.Thread.run(Thread.java:536)

My http configuration is:

<IfDefine SSL>
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:logs/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
SSLEngine on

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile
/usr/local/apache2/conf/cert/shire.umu.euro6ix.org.pem
SSLCertificateKeyFile
/usr/local/apache2/conf/cert/shire.umu.euro6ix.orgKey.der.p1
SSLCACertificateFile
/usr/local/apache2/conf/cert/Euro6IX_Root_PKI_IV.pem

SSLVerifyClient require
SSLVerifyDepth  10

SSLOptions +StdEnvVars +ExportCertData
....


What am I missing?
Any help greatly appreciated!

Félix


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Apache with SSL + Tomcat, problems retrieving SSL_CLIENT_CERT

Reply via email to