Does Tomcat support two way trust (HTTPS) between the client and itself,
where the server requests for a X509 certificate from the client connecting
to it? I read somewhere that this feature isn't complete in the 4.1.x
version of Tomcat.
I've tried setting the config file as follows (I'm running Jboss
3.0.4/Tomcat 4.1.12 on Win2K server):
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="443" minProcessors="5" maxProcessors="75"
enableLookups="false"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
keystoreFile="E:\\jboss-3.0.4_tomcat-4.1.12\\bin\\TOMCAT.KS"
keystorePass="TOMCAT"
clientAuth="true" protocol="TLS" />
</Connector>
I am able to connect to Tomcat using a simple java-based ssl program when
clientAuth="false", but it fails when I set it to true. I've specified a
trust store (and trust store password) containing all the valid CA certs ,
in an environment variable: CATALINA_OPTS.
The trace of the execution is as follows:
Client write key:
0000: 82 17 82 46 A4 94 00 54 A8 13 D7 88 B0 92 17 C1 ...F...T........
Server write key:
0000: E0 C4 6E A4 D8 0F 78 23 B7 B0 6A 97 98 46 AD 40 ..n...x#..j..F.@
... no IV for cipher
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 134
main, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished
verify_data: { 195, 128, 75, 187, 144, 183, 187, 156, 108, 255, 102, 85 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, bad_certificate
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received
fatal al
ert: bad_certificate
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
Any ideas?
Steve
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
