Steve Parkinson wrote:
> Mike wrote:
> 
>> Thanks for the info Steve.  I tried your code below and still no luck,
>> although I did see something interesting.  I created my own
>> SSLHandshakeCompletedListener and printed out all the information I
>> could about the SSL Socket.  One thing I noticed was when I called
>> getPeerCertificate on the SSLSecurityStatus object, it said the
>> nickname of the certificate was null...but was this for the server
>> cert or the one my client is using?  Everything else looked fine.

A cert that you've just received from a peer via SSL, and which you have
not seen before, and have not saved in your local cert store, will not
have a nickname.  That's OK, and shouldn't be a problem.

>> I also tried passing in my own custom
>> SSLClientCertificateSelectionCallback object into the constructor for
>> the SSLSocket (my class always returned the cert name I want to use in
>> the select() method), but it looks like it never even got called by JSS.

> That probably means that the server didn't ask the client for its
> certificate. The client will never present its certificate until it's
> asked.

One common server configuration problem, which prevents servers from
requesting client authentication, even when configured to do so, is
that the server has not been given any CA certs whose names are to be
sent to the client in the cert request.  SSL/TLS require a non-empty
set of CA names be sent to the client with a cert request, and conforming
servers will not send a request with an empty CA name list.

> To verify this, you might want to turn on SSL Tracing. Use a debug build
> of NSS, and then run with the env variable SSLTRACE set to, say 100. It
> will spit out tons of debug info - search for the string
> 'Request-Certificate', which indicates the server is asking for the
> client's certificate.

I think a much simpler initial step is to use ssltap to capture the
connections and their SSL handshakes.  Most of the time that will show
an obvious problem with the request coming from the server.  In the case
where it seems the server did well, and the mystery is why the client
didn't respond to it, then it may be time to try SSLTRACE.  But that's
not the first tool I'd use.

/Nelson
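The two points in Nelson's reply, that a server which has been given no CA certs has nothing to put in the certificate_authorities list of its CertificateRequest, and that the first thing to do is look at the actual handshake, can be checked directly on the handshake bytes. The following is an added example written for this page, not code from the thread, NSS or JSS. It builds and decodes a TLS CertificateRequest handshake message (type 13, layout from RFC 2246 and RFC 5246 section 7.4.4) and reports whether the CA name list is empty, which is exactly what you would look for in a captured handshake. The `Example Root CA` name, the sample messages and the tiny DER helpers are all constructed for the example; the DER code only handles the single-CN Names it builds itself, not arbitrary certificates.

```python
"""Decode a TLS CertificateRequest and flag an empty certificate_authorities list.
Added example, not code from the thread, NSS or JSS; sample messages are constructed."""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)
RSA_SIGN = 1              # ClientCertificateType rsa_sign

def der_tlv(tag, body):
    """Minimal DER encoder (definite lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_name_cn(common_name):
    """DER Name holding a single RDN, CN=<common_name> as PrintableString."""
    atv = der_tlv(0x30, der_tlv(0x06, CN_OID) + der_tlv(0x13, common_name.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, atv))

def der_read(buf, pos):
    """Return (tag, contents, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def common_name_of(der_name):
    """First CN attribute in a DER Name, or None if there is none."""
    _, rdn_seq, _ = der_read(der_name, 0)
    pos = 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = der_read(rdn_seq, pos)
        spos = 0
        while spos < len(rdn_set):
            _, atv, spos = der_read(rdn_set, spos)
            _, oid, vpos = der_read(atv, 0)
            if oid == CN_OID:
                return der_read(atv, vpos)[1].decode("utf-8")
    return None

def build_certificate_request(cert_types, ca_names, sig_algs=None):
    """Handshake type 13; sig_algs is present only in TLS 1.2 (RFC 5246)."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    if sig_algs is not None:
        raw = b"".join(bytes(pair) for pair in sig_algs)
        body += struct.pack("!H", len(raw)) + raw
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body += struct.pack("!H", len(cas)) + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg, tls12=False):
    """Decode a CertificateRequest; ValueError on any structural problem."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest (handshake type %d)" % msg[0])
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    n, pos = body[0], 1
    cert_types, pos = list(body[pos:pos + n]), pos + n
    sig_algs = []
    if tls12:  # supported_signature_algorithms sits between the two lists
        n, pos = struct.unpack_from("!H", body, pos)[0], pos + 2
        sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)]
        pos += n
    n, pos = struct.unpack_from("!H", body, pos)[0], pos + 2
    end = pos + n
    if end != len(body):
        raise ValueError("certificate_authorities length disagrees with body")
    ca_names = []
    while pos < end:
        dn_len, pos = struct.unpack_from("!H", body, pos)[0], pos + 2
        ca_names.append(bytes(body[pos:pos + dn_len]))
        pos += dn_len
    if pos != end:
        raise ValueError("DistinguishedName overruns certificate_authorities")
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": ca_names}

def diagnose(msg, tls12=False):
    """The check you would do on a captured handshake: does the request name any CA?"""
    req = parse_certificate_request(msg, tls12)
    names = [common_name_of(dn) for dn in req["certificate_authorities"]]
    problem = None if names else "empty certificate_authorities list"
    return {"certificate_types": req["certificate_types"],
            "ca_common_names": names, "problem": problem}

# Constructed samples: one request naming a CA, and the misconfiguration from
# the thread (server given no CA certs, so it would send an empty name list).
GOOD_REQUEST = build_certificate_request([RSA_SIGN], [der_name_cn("Example Root CA")])
EMPTY_REQUEST = build_certificate_request([RSA_SIGN], [])

if __name__ == "__main__":
    print(diagnose(GOOD_REQUEST), diagnose(EMPTY_REQUEST))
```

One caveat when reading such a dump: RFC 2246 (TLS 1.0) declares `certificate_authorities<3..2^16-1>`, so the list cannot be empty there, which is the rule Nelson describes; RFC 5246 (TLS 1.2) relaxed the minimum to 0 and inserted `supported_signature_algorithms` before the list, so pass `tls12=True` for a 1.2 handshake and treat an empty list as a warning rather than a protocol violation.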
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto