Re: JSS SSLSocket problems choosing Client Certificates

2011-09-19 Thread Nelson B Bolyard
On 2011/09/07 09:38 PDT, praspa wrote:
 
 I'm trying to make two separate HTTPS requests to a remote host using two
 client sockets and two different client certificates respectively (client
 cert A and B). [...]

 From my host, I'm able to make two connections on two different sockets to
 the remote host. I'm able to receive a 200 OK back from the remote web
 server for both individual connections.
 
 My problem is that client certificate 'A' is being used for both connections
 'A' and 'B'.  [...]

 I placed a line in my implemented
 SSLClientCertificateSelectionCallback select() function to indicate when the
 call back is executed. The select() method is only ever called once during
 the creation of the first SSLSocket (selecting Client Cert 'A') and never on
 future SSLSocket instantiations when Client Cert B is specified. In fact, I
 have to restart my app for select() to be run again.
 
 Is there a way I can trigger the native callback code to run select() when a
 certificate is requested by the remote server?

The callback method *IS* called every time a cert is requested by the remote
server.  The problem, in your case, is that the server is only requesting
the certificate once.  This is because each time the client establishes a
connection to the server, it looks to see if it has previously negotiated a
shared master secret with the server, and if so, it tells the server
"Let's reuse this old secret."  If the server agrees,
then it does not request the certificate again, because the server has kept
a copy of the certificate associated with the master secret.

The only solution available through JSS (IINM) is to disable the JSS client
session cache.  NSS (the underlying native library) also offers another
method which allows multiple client session caches, and allows each socket
to be associated with a particular session cache.  With this method, one may
have as many users (client identities) as sockets, if desired.
Unfortunately, JSS offers no interface by which to use that feature.  So,
the only method remaining for use by JSS is to disable the client cache
completely.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
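The fix Nelson describes, written out as an added example (this is not code from the thread, from SSLTest.java, or from JSS itself): two connections to the same host, each pinned to a different certificate nickname, with the JSS client session cache switched off on each socket before the handshake so that no session ID is offered and the server has to request a certificate every time. The method names SSLSocket.useCache(boolean), SSLSocket.forceHandshake(), CryptoManager.initialize(String) and the SSLClientCertificateSelectionCallback.select(Vector) signature are the JSS API as I recall it and should be checked against the JSS version in use; the class name, the nickname arguments and passing null as the approval callback (so that NSS does its default server-certificate verification) are assumptions of this example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Vector;
import java.util.concurrent.atomic.AtomicInteger;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
import org.mozilla.jss.ssl.SSLSocket;

/*
 * Added example, not from the mailing-list thread or from JSS.
 * Usage (assumed): java TwoIdentities <nssdb-dir> <host> <port> <nickA> <nickB>
 */
public class TwoIdentities {

    /* Counts how often NSS asks us to choose; with the cache disabled this
     * goes up once per connection, which is what the original poster wanted
     * to observe. */
    static final AtomicInteger selectCalls = new AtomicInteger();

    /* Always answers with one fixed nickname, if the server's CA list lets
     * NSS offer it; returning null declines client auth for that connection. */
    static final class PinnedNicknameSelector
            implements SSLClientCertificateSelectionCallback {
        private final String wanted;

        PinnedNicknameSelector(String wanted) { this.wanted = wanted; }

        @Override
        public String select(Vector nicknames) {   // raw Vector: older JSS is untyped
            selectCalls.incrementAndGet();
            System.err.println("select(): offered " + nicknames + ", choosing " + wanted);
            return nicknames.contains(wanted) ? wanted : null;
        }
    }

    /* One HTTP/1.0 GET over a fresh SSLSocket authenticated as `nickname`. */
    static String fetch(String host, int port, String nickname) throws Exception {
        SSLSocket s = new SSLSocket(host, port, null, 0,
                                    null,                            // default NSS server-cert check
                                    new PinnedNicknameSelector(nickname));
        try {
            // Assumption: useCache(false) sets NSS's SSL_NO_CACHE on this socket.
            // It must be set before the handshake starts. Without it, NSS finds the
            // master secret it already shares with this host, offers the old session
            // ID, and the server never sends CertificateRequest again.
            s.useCache(false);
            s.forceHandshake();

            OutputStream out = s.getOutputStream();
            out.write(("GET / HTTP/1.0\r\nHost: " + host + "\r\n\r\n")
                      .getBytes(StandardCharsets.US_ASCII));
            out.flush();

            InputStream in = s.getInputStream();
            byte[] buf = new byte[4096];
            int n = in.read(buf);
            return n > 0 ? new String(buf, 0, n, StandardCharsets.ISO_8859_1) : "";
        } finally {
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        CryptoManager.initialize(args[0]);          // NSS cert/key DB holding both identities
        String host = args[1];
        int port = Integer.parseInt(args[2]);

        String a = fetch(host, port, args[3]);      // authenticated as client cert A
        String b = fetch(host, port, args[4]);      // full handshake again: client cert B

        System.out.println("A: " + a.split("\r\n")[0]);
        System.out.println("B: " + b.split("\r\n")[0]);
        System.out.println("select() was called " + selectCalls.get() + " times (expect 2)");
    }
}
```

The cost of this fix is that every connection does a full handshake, including a fresh private-key operation on both sides, because resumption is off for the whole process if the default is changed (as I recall, SSLSocket.useCacheDefault(false)) or for that socket if set per socket as above. Per-socket is the better choice here: sockets that do not need to switch identity can keep resuming. Whichever is used, check on the wire (or in the server's access log) that the second handshake carries a CertificateRequest and the B certificate; the count of select() calls alone only shows that the callback ran, not which certificate the server accepted.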


JSS SSLSocket problems choosing Client Certificates

2011-09-09 Thread praspa

I'm trying to make two separate HTTPS requests to a remote host using two
client sockets and two different client certificates respectively (client
cert A and B). My test program is a modified version of:
http://mxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLTest.java.

From my host, I'm able to make two connections on two different sockets to
the remote host. I'm able to receive a 200 OK back from the remote web
server for both individual connections.

My problem is that client certificate 'A' is being used for both connections
'A' and 'B'. 

I've been using this constructor: 
public SSLSocket(java.lang.String host,
 int port,
 java.net.InetAddress localAddr,
 int localPort,
 SSLCertificateApprovalCallback certApprovalCallback,
 SSLClientCertificateSelectionCallback
clientCertSelectionCallback)

I've also implemented the interface SSLClientCertificateSelectionCallback in
order to use the above constructor and pass the correct client certificate.
Also, I placed a line in my implemented
SSLClientCertificateSelectionCallback select() function to indicate when the
callback is executed. The select() method is only ever called once during
the creation of the first SSLSocket (selecting Client Cert 'A') and never on
future SSLSocket instantiations when Client Cert B is specified. In fact, I
have to restart my app for select() to be run again.

Is there a way I can trigger the native callback code to run select() when a
certificate is requested by the remote server?

Thanks,
pr


