[JBoss-user] [Tomcat, HTTPD, Servlets & JSP] - HTTP TLS/SSL "Exception getting SSL Cert"

Wed, 27 Jul 2005 12:38:38 -0700 

I'm using JBoss 4.0.2.
I'd like to use SSL/TLS with mutual client-server certificate authentication.

I set up a connector in tomcat's server.xml to listen on port 8443. (Note that 
the Tomcat docs state that sslProtocol="TLS" is the default but I had to 
specify it explicitly in order to have my connector use TLS.

I specified clientAuth="false" in the connector configuration, because I don't 
want to require client certificate authentication for everything running on the 
server. The tomcat documentation indicates that in this situation, if a web.xml 
specifies an auth-method of CLIENT-CERT that it will still request client 
certificate. I assume it accomplishes this through ssl renegotiation. This does 
not seem to be happening.

When I connect to a web application that specifies an auth-constraint of 
CLIENT-CERT, the connection is dropped and the server log shows the following:

15:27:48,117 INFO  [JSSE14Support] SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
        at 
com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1069)
        at 
com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:187)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:677)
        at 
com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
        at java.io.InputStream.read(InputStream.java:89)
        at 
org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:87)
        at 
org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66)
        at 
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
        at 
org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1106)
        at org.apache.coyote.Request.action(Request.java:363)
        at 
org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
        at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
        at 
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
        at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
        at 
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at 
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
15:27:48,123 WARN  [Http11Processor] Exception getting SSL Cert
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
        at 
com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1069)
        at 
com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:187)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:677)
        at 
com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
        at java.io.InputStream.read(InputStream.java:89)
        at 
org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:87)
        at 
org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66)
        at 
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
        at 
org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1106)
        at org.apache.coyote.Request.action(Request.java:363)
        at 
org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
        at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
        at 
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
        at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
        at 
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at 
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)


which is what I would expect, since the browser I am using (Firefox 1.0.6) 
never asks me to choose a certificate (it seems to work as expected for other 
sites, and when deploying the same web application to WebLogic Server 8.1.

If I change my tomcat connector configuration to specify clientAuth="want" 
instead of printing an error to the server logs, the browser is returned a HTTP 
error code 400 and states that no client certificate was provided (which again 
is expected because the browser didn't ask me to specify a certificate).

The only way that I can get CLIENT-CERT authentication to work is if I specify 
clientAuth="true" in the tomcat server.xml and that is really not what I want.

It seems that ssl is not renegotiating with the client to request a certificate 
when it encounters the CLIENT-CERT auth-constraint. How can I solve this 
problem?

Thanks,
Stephen Saucier

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3886910#3886910

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3886910


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO September
19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user

Reply via email to