I'm running Tomcat 4.1.27 on Solaris 2.6 with JDK 1.4.0_01.  I have a
webapp configured to use CLIENT-CERT authentication.  When I attempt to
point my browser at one of the resources guarded by a
security-constraint, I can select and send a client certificate, but the
server throws a SocketException with the message "SSL Cert handshake
timeout," and the requested resource does not load.

Googling for the SocketException message above shows five links, three
of which contain code from the tomcat-devel list, but I didn't find any
suggested fixes.  Do I need to dig deeper in Google?  I do realize that
Solaris 2.6 is ancient, and JDK 1.4.0 is the best I can use on it.  If
an upgrade is necessary to make this work, I'll be thrilled--it'll give
me evidence to tell my supervisor that the current platform is unacceptable.

Fiddling with the server and webapp settings produces at least one
combination which allows me to access the protected resource.  Here's
what I've found so far:

- With clientAuth="false" in server.xml (SSL) and CLIENT-CERT in the
webapp's web.xml, I get the "SSL Cert handshake timeout" above.
- With clientAuth="true" in the server and BASIC authentication in the
webapp, I can connect after providing both a client certificate and a
valid username/password.  In this case, initial access to the resource
is governed by the username/password (as expected), and I can still use
the certificate in the standard HttpServletRequest attribute for further
authentication. (Joy!  A viable workaround for the moment!)
- With clientAuth="true" and CLIENT-CERT, I first get asked for a
certificate as before, but then a basic-authentication box pops up with
the realm name "unknown".  No username/password combo works (not
surprising because the realm is strange), and canceling the
authentication yields an error page claiming that the resource requires
HTTP authentication.

That's all I have so far. All suggestions are appreciated. I apologize for the lack of actual excerpts from server logs. I can't get the logs on the Solaris box to an account from which I can send e-mail without printing and retyping them. (Yup. Bad situation to be in. Preaching to the choir.)

Sincerely,
Jonathan Higa ([EMAIL PROTECTED])
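
Editor's added example (not part of the original post, and not Tomcat's own code): a sketch of the workaround described above, where BASIC authentication gates access and the servlet then reads the client certificate from the standard request attribute. The class name and the policy that the certificate's CN must equal the BASIC username are assumptions for illustration; it is written against the javax.servlet API and needs a newer JDK than the 1.4.0 mentioned in the post.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;

// Hypothetical helper: binds the TLS client certificate to the BASIC login.
public final class ClientCertCheck {
    // Attribute name defined by the Servlet specification for client certificates.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** True only if a currently valid client certificate names the logged-in user. */
    public static boolean certMatchesUser(HttpServletRequest req) {
        String user = req.getRemoteUser();          // set by BASIC authentication
        Object attr = req.getAttribute(CERT_ATTR);  // set by the SSL connector
        if (user == null || !(attr instanceof X509Certificate[])) {
            return false;                           // no login or no certificate: fail closed
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) {
            return false;
        }
        X509Certificate leaf = chain[0];            // the client's own certificate comes first
        try {
            leaf.checkValidity();                   // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            return false;
        }
        String cn = commonName(leaf);
        // Assumed policy: the subject CN must equal the BASIC username exactly.
        return cn != null && cn.equals(user);
    }

    /** Extracts the CN from the subject DN, or null if absent or unparsable. */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparsable subject DN: treat as no match.
        }
        return null;
    }
}
```

A servlet or filter guarding the resource would call ClientCertCheck.certMatchesUser(request) and refuse the request when it returns false.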


