Hello,

this pretty much sounds like the same problem I was experiencing and posted earlier today. Sadly, your link below only gives hints on how to install a SERVER certificate, but not on how to configure everything to ask for a CLIENT cert. I have exactly the same problem where the initial handshake with the exchange of the SERVER cert is just fine, but then the connection breaks leaving you with absolutely NO LOG-entry as to why it broke ....
So far, I was only able to get an error-message out of Netscape (6.x) saying "unknown SSL Error -12227"

Would it make sense to post this on the tomcat-development-list?

Regards,
Peter Werno

On Mon, 1 Jul 2002 16:50:21 +0200 "Power-Netz (Schwarz)" <[EMAIL PROTECTED]> wrote:

> This is the answer:
>
> http://www.comu.de/docs/tomcat_ssl.htm
>
> and it's really easy.
>
> > -----Original Message-----
> > From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, 1 July 2002 16:43
> > To: tomcat-user
> > Subject: Tomcat 4 - OpenSSL - IE client certificate works partially
> >
> > Greetings all...
> >
> > For those not interested in client certificates at the deep technical
> > level, this is probably not your favorite cup of tea. Otherwise read on.
> >
> > Enabling SSL in Tomcat is really no sweat using your own home-made
> > certificates, thanks to the excellent HOW-TO. Once you get your root CA
> > certificate installed in the right places, and a suitable certificate
> > installed in Tomcat, everything works just fine.
> >
> > However, creating client certificates that work with IE has (at least for
> > me) shown to be a real pain. I've experimented for months, and tried
> > numerous postings on this list, but no one seemed to know the finer details.
> > It was only recently I had a breakthrough, in that a trial certificate from
> > Verisign allowed me to compare that and a home-made one, and find the bits
> > that make the difference, that is, what it takes for it to be shown on the
> > selection list in IE when the server asks for a client certificate.
> > Last night I succeeded. The right combination of keytool and openssl
> > maneuvers to setup a private CA, finally generated a certificate that
> > installed without a hitch in IE, and came up when I subsequently connected
> > to my SSL enabled Tomcat. So far so good.
> >
> > However there is still one major obstacle ... the server aborts the
> > connection right away :-((((
> >
> > IE tells me:
> >
> > "The page cannot be displayed
> > The page you are looking for is currently unavailable.
> > The Web site might be experiencing technical difficulties,
> > or you may need to adjust your browser settings."
> >
> > In other words, the usual message that indicates that the server screwed
> > up, and closed the connection.
> >
> > Interestingly enough the Verisign certificate works just fine. So there is
> > apparently still a difference to Tomcat.
> > Have tried to connect using openssl s_client - works A-OK, also with my
> > home-made certificate.
> > Have looked in the tomcat logs to no avail. There is no trace anywhere why
> > the connection breaks.
> >
> > So the question to the list is: how would I go about diagnosing this? I
> > believe that the problem must be related to the SSL container (?) that
> > responds to the traffic on port 443, and does all the SSL handshaking,
> > because my application never sees anything.
> > Just like in Apache there's an error log for all the pages that fail -
> > isn't there such a log in Tomcat?
> >
> > Thanks for any input or advice you might have!
> >
> > PS. If anyone is interested in a writeup or HOW-TO of making client
> > certificates for Tomcat, let me know. This is certainly tricky stuff!
> >
> > Henrik Schultz
> > Senior Systems Architect
> > Consultant to Maersk Data AS
> > Tel.: +45 39 10 21 13
> > Mobile: +45 22 12 24 29
> > E-mail: [EMAIL PROTECTED]
> >
> > --
> > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
