I am attempting to use client certificates as the authentication
mechanism over an SSL connection.  

The server (Tomcat 5.5) is configured to require all connections be
accompanied with a valid client certificate.  As far as the browser
and server are concerned, this works fine.  The mxml file is requested
by the browser, the server challenges the browser for a client
certificate, which it receives, and the mxml file is retrieved and
displayed correctly.  So far, so good.

The problem is that any subsequent HTTPS requests from the flex client
(NOTE: the flex client, NOT the browser) do not contain the client
certificate.  

The 'http-service-proxy-debug' log states:
 
07/11 17:09:04 ERROR %%500%%Software caused connection abort: recv failed
07/11 17:09:04 ERROR -- GET status: 500, target: https://localhost:8443/mtx-dx-test/GetUserRoles.do?includeRoles=manager&excludeRoles=

Setting the JVM option '-Djavax.net.debug=ssl:handshake', std out
states:

*** CertificateRequest
Cert Types: RSA, DSS, 
Cert Authorities:
<CN=XYZ, O=ABC, C=US>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret:  { 3, 1, 98, 222, 236, 8, 188, 11, 125, 15, 19, 82,
146, 121, 7, 125, 112, 90, 106, 20, 52, 112, 243, 205, 233, 196, 212,
228, 50, 46, 93, 138, 215, 219, 156, 75, 41, 133, 252, 66, 27, 255,
165, 240, 240, 115, 141, 50 }
http-8443-Processor24, WRITE: TLSv1 Handshake, length = 141
http-8443-Processor23, READ: TLSv1 Handshake, length = 141
*** Certificate chain
***
http-8443-Processor23, SEND TLSv1 ALERT:  fatal, description =
bad_certificate
http-8443-Processor23, WRITE: TLSv1 Alert, length = 2
http-8443-Processor23, called closeSocket()
http-8443-Processor23, handling exception:
javax.net.ssl.SSLHandshakeException: null cert chain
http-8443-Processor23, called close()
http-8443-Processor23, called closeInternal(true)

Relaxing the server configuration to not require client certificates
fixes the problem, so it appears fairly clear that the client
certificate is not being managed correctly by flex.

Is there a flex-config.xml option I am missing?  Is this a supported
configuration?

Thanks in advance.

...Col
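
The following is an added example, not part of the original post: a small Python check that reads a `-Djavax.net.debug=ssl:handshake` trace like the one quoted above and reports whether the server requested a client certificate and the peer answered with an empty chain. The sample trace is constructed from the shape of the quoted output, and `analyze_handshake` and its result keys are hypothetical names.

```python
import re

# Constructed sample: trimmed javax.net.debug=ssl:handshake output in the
# same shape as the trace quoted in the post.
SAMPLE_TRACE = """\
*** CertificateRequest
Cert Authorities:
<CN=XYZ, O=ABC, C=US>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
*** Certificate chain
***
http-8443-Processor23, SEND TLSv1 ALERT:  fatal, description =
bad_certificate
javax.net.ssl.SSLHandshakeException: null cert chain
"""

def analyze_handshake(trace):
    """Summarise client-certificate behaviour in a JSSE handshake trace."""
    # Mail wrapping splits "description =" from its value; rejoin them.
    text = re.sub(r"=\s*\n\s*", "= ", trace)
    lines = [ln.strip() for ln in text.splitlines()]
    out = {"cert_requested": False, "accepted_cas": [],
           "empty_chains": 0, "fatal_alerts": [], "null_chain": False}
    in_cas = False
    for i, ln in enumerate(lines):
        if ln.startswith("Cert Authorities:"):
            in_cas = True
            continue
        if in_cas and ln.startswith("<") and ln.endswith(">"):
            out["accepted_cas"].append(ln[1:-1])
            continue
        in_cas = False
        if ln.startswith("*** CertificateRequest"):
            out["cert_requested"] = True
        elif ln.startswith("*** Certificate chain"):
            # A chain message closed by a bare "***" carried no certificates.
            if lines[i + 1:i + 2] == ["***"]:
                out["empty_chains"] += 1
        alert = re.search(r"ALERT:\s*fatal, description = (\w+)", ln)
        if alert:
            out["fatal_alerts"].append(alert.group(1))
        out["null_chain"] = out["null_chain"] or "null cert chain" in ln
    # Verdict: the server asked for a certificate and the peer sent none.
    out["client_sent_no_cert"] = (out["cert_requested"] and out["empty_chains"] > 0
        and (out["null_chain"] or "bad_certificate" in out["fatal_alerts"]))
    return out
```

The `accepted_cas` list is the set of issuer names the server advertised in its CertificateRequest, which is the first thing to compare against the issuer of whatever certificate the client is expected to present.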



