JDK 1.4 beta breaks TLS re-negotiation?
Hi,

I have tried to use TLS/SSL client authentication in Tomcat 4.0.1 and JDK 1.4 beta3, and think that something changed in the JDK that breaks renegotiation. It seems to work correctly with JDK 1.3.1.

I have an SSL connector with clientAuth=false in server.xml, and have set up web.xml to require authentication with the CLIENT-CERT method. This means that the SSL connection has to be renegotiated when a particular URL is requested. My log file then says:

2002-01-07 12:08:17 CertificatesValve[/myapp]: verify: SSLPeerUnverifiedException
2002-01-07 12:08:17 CertificatesValve[/myapp]: verify: SSLPeerUnverifiedException

I get two lines like this every time the servlet is invoked. I can see that these messages are generated by the CertificatesValve. The first one is generated when it checks for client certificates when there are none (the connector had clientAuth=false). It then initiates a new handshake:

    // Force a new handshake to request the client certificates
    //if (debug >= 2)
    //    log(" verify: Invalidating current session");
    session.invalidate();
    //if (debug >= 2)
    //    log(" verify: Forcing new SSL handshake");
    socket.setNeedClientAuth(true);
    try {
        socket.startHandshake();
    } catch (IOException e) {
        log(" verify: ", e);
    }
    // Revalidate the existence of the required certificates

It then goes on to check for client certificates again, doesn't find any, and writes the second error message.

Testing with OpenSSL s_client, I can see that the handshake doesn't actually take place until after the servlet exits (complaining that the client certs are missing). This is different from the behaviour under JDK 1.3.1, when a new SSL handshake takes place directly after the URL is requested, and the servlet is called in the proper way.

I noted that the code above does not use a HandshakeCompletedListener to wait for the HandshakeCompletedEvent, but just goes on with checking if the handshake completed immediately.

My guess is that the behaviour of JSSE changed in JDK 1.4 beta, so that this no longer works. It might be necessary to wait for the event before checking the client certificates again. I would really like to use other functionality from JDK 1.4 in my application, so any ideas on a workaround would be appreciated.

Thanks,
Marcus
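The following is an added example, not Tomcat's CertificatesValve code and not part of Marcus's message, showing the workaround the message suggests: register a HandshakeCompletedListener and block on the HandshakeCompletedEvent before re-reading the peer certificates. The class and method names are hypothetical, and `socket` is assumed to be the server-side SSLSocket of the accepted connection.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper: forces a renegotiation that requests a client certificate
 *  and waits for the handshake to finish before reading the peer chain. */
public final class ClientCertRenegotiation {
    /** Returns the client's chain, or null if no certificate was presented
     *  or the handshake did not complete within timeoutMillis. */
    public static X509Certificate[] requestClientCertificates(SSLSocket socket, long timeoutMillis)
            throws IOException, InterruptedException {
        final CountDownLatch done = new CountDownLatch(1);
        HandshakeCompletedListener listener = new HandshakeCompletedListener() {
            public void handshakeCompleted(HandshakeCompletedEvent event) {
                done.countDown();
            }
        };
        socket.addHandshakeCompletedListener(listener);
        try {
            // Drop the current session so the next handshake is a full one, then require a client cert.
            socket.getSession().invalidate();
            socket.setNeedClientAuth(true);
            socket.startHandshake();
            // The completion event is delivered asynchronously, so do not read the
            // session right after startHandshake(); wait for the event instead.
            if (!done.await(timeoutMillis, TimeUnit.MILLISECONDS)) {
                return null;  // renegotiation never completed; treat as unauthenticated
            }
        } finally {
            socket.removeHandshakeCompletedListener(listener);
        }
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                x509[i] = (X509Certificate) chain[i];
            }
            return x509;
        } catch (SSLPeerUnverifiedException e) {
            return null;  // client did not present a certificate
        }
    }
}
```

Without the latch, the peer-certificate check can run before the renegotiation has actually happened, which is exactly the double SSLPeerUnverifiedException pattern in the log above. TLS 1.3 removed renegotiation, so this pattern applies only to TLS 1.2 and earlier connections.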