It's probably not obvious from the log that a TLS CertificateRequest
message is a request from the server for the client to supply its
authentication credentials. The client can comply, by returning its
certificate chain, or it can decline, by returning an empty certificate
chain.

Although a server has requested client authentication it may choose to continue with the handshake even if the client has declined its request.

I'll add additional server-side and client-side log messages to clarify.
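
As an added illustration of the CertificateRequest behaviour described above (not code from the webrev or from JSSE itself): a server configured with setWantClientAuth sends the CertificateRequest but completes the handshake whether or not the client returns a chain, so the only reliable server-side check that two-way authentication actually happened is to inspect the session afterwards. The keystore path, password and port are assumed placeholders.

```java
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class ClientAuthCheck {
    // Assumed placeholders; not taken from the review thread.
    static final String KEYSTORE = "server.p12";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final int PORT = 8443;

    // With wantClientAuth the handshake succeeds either way, so the session,
    // not the handshake result, tells us whether the client sent a chain.
    static String describeClientAuth(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            return "client authenticated as " + leaf.getSubjectX500Principal();
        } catch (SSLPeerUnverifiedException e) {
            // Client answered the CertificateRequest with an empty chain.
            return "client declined authentication (no certificate chain)";
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // default trust managers

        try (SSLServerSocket ss = (SSLServerSocket)
                 ctx.getServerSocketFactory().createServerSocket(PORT)) {
            // want: request a client cert but tolerate an empty chain.
            // setNeedClientAuth(true) would abort the handshake instead.
            ss.setWantClientAuth(true);
            try (SSLSocket s = (SSLSocket) ss.accept()) {
                s.startHandshake();
                System.out.println(describeClientAuth(s.getSession()));
            }
        }
    }
}
```

Run with -Djavax.net.debug=ssl to see the CertificateRequest alongside the result printed here.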


On 21/08/2014 22:38, Seán Coffey wrote:
Looks good Vinnie. Thanks for handling this. One more comment from me..
I recently worked with a group who were reading the verbose security
messages when trying to debug an SSL connection issue. They weren't sure
if two-way SSL authentication was set up between the server and client.
Could we make the debug output a bit more obvious on that end also? I
parsed the full debug logs from the connection issue above and neither
"client authentication" nor "clientauthentication" appears in them (even
though it was in use).

see line 1446:
http://cr.openjdk.java.net/~vinnie/8055207/webrev.00/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java.html


s.println("*** CertificateRequest");
To me this looks like the start of the client authentication request
phase. Could we make the message more informative? Perhaps something
like "*** CertificateRequest. Begin client authentication"

Is that the only time such a message can be printed?

regards,
Sean.

On 21/08/2014 18:29, Vincent Ryan wrote:
Please review this trivial enhancement to JSSE to warn when TLS client
authentication cannot be completed because of difficulty locating a
suitable client certificate. (Keystore file paths are already displayed
by JSSE, when known.)

This is useful to help troubleshoot configuration issues related to
keystores and truststores.
Thanks.


Webrev: http://cr.openjdk.java.net/~vinnie/8055207/webrev.00/
Bug: https://bugs.openjdk.java.net/browse/JDK-8055207