This really isn't the right forum for this question. Surely
there is a JSSE mailing list.

That said...

"E Alaknantha" <[EMAIL PROTECTED]> writes:
> I am working with JSSE for SSL communications. I am facing some
> problems in doing the mutual authentication with the server certificates
> exported to the PFX format. 
>
> I am doing a mutual authentication by initialising the keystores with
> the PFX file and the truststores with the DER file all in the PKCS12
> type. 
> But only one side authentication is happening. The client does not send
> its public certificate to the server and hence getting a null
> certificate received exception.
> 
> It would be greatly helpful if I could get some suggestions on this
> front. First of all I want to confirm if the PKCS12 form supports
> mutual authentication.

Let's take a step back.

PKCS12/PFX is just a carrier for keying material. It doesn't
support or not support mutual authentication. If both sides
have suitable keying material then mutual authentication is
possible. Otherwise it is not.

The way that authentication works with SSL/TLS is that you have
required server auth but optional client auth. [0] The server
automatically sends its certificate. If the server wants to
authenticate the client it sends a CertificateRequest message
containing a list of suitable CAs. If the client has a suitable
certificate it sends that, otherwise it sends an empty certificate
message or an alert indicating that it won't client authenticate.

Most SSL implementations do not ask for client authentication by
default. Have you set the configuration flag that tells JSSE 
to do so?

-Ekr

[0] There are actually anonymous modes where neither server nor
client authenticates but these are very rarely used.

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
                  http://www.rtfm.com/
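
The setup discussed in this message, as an added example that is not part of the original thread or of any JSSE documentation: a JSSE server that requests a client certificate with `setNeedClientAuth(true)`, with each side's key taken from a PFX file and its trust taken from a DER certificate. The file names and the password are assumptions; each `.der` file is assumed to hold the certificate that issued the peer's certificate (the peer's own certificate if it is self-signed).

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.*;

public class MutualAuthDemo {
    // Build an SSLContext from a PFX/PKCS12 key file and one DER certificate to trust.
    static SSLContext context(String pfx, char[] pass, String trustedDer) throws Exception {
        KeyStore keys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfx)) { keys.load(in, pass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, pass);

        // A DER file is a bare certificate, not a keystore: parse it and add it as a trusted entry.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        try (InputStream in = new FileInputStream(trustedDer)) {
            trust.setCertificateEntry("peer", CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();              // placeholder password (assumption)
        SSLContext server = context("server.pfx", pass, "client.der");  // assumed file names
        SSLContext client = context("client.pfx", pass, "server.der");

        try (SSLServerSocket ss = (SSLServerSocket) server.getServerSocketFactory().createServerSocket(0)) {
            ss.setNeedClientAuth(true);   // server sends CertificateRequest and rejects clients with no cert
            int port = ss.getLocalPort();
            Thread t = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) client.getSocketFactory().createSocket("localhost", port)) {
                    s.startHandshake();
                    s.getInputStream().read();   // wait until the server has inspected the session
                } catch (IOException e) { e.printStackTrace(); }
            });
            t.start();
            try (SSLSocket s = (SSLSocket) ss.accept()) {
                s.startHandshake();
                System.out.println("client authenticated as: " + s.getSession().getPeerPrincipal());
                s.getOutputStream().write(1);
            }
            t.join();
        }
    }
}
```

With `setWantClientAuth(true)` instead, the server still sends the request but continues the handshake when the client returns an empty certificate message, in which case `getPeerPrincipal()` throws `SSLPeerUnverifiedException`.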
