You could also use a temporary Verisign certificate to test with, which is
what I have done so far.

No, I did not try Netscape myself due to a proxy issue, but someone else on
the list did that, and that came up with a strange error:
"unknown SSL Error -12227"
I still have no clue what this is. At least NS is saying something, contrary
to IE that just gives me that bloody "Page cannot be displayed".

When I've gotten it all to work I'll write up a HOW-TO. Promise. Enough
people have been struggling with this now for way too long.

Regards -

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]


"Adam Greene" <agreene@romulin.com>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
cc:
Subject: RE: Tomcat 4 - OpenSSL - IE client certificate works partially
02-07-2002 10:18
Please respond to "Tomcat Users List"



I would absolutely love a HOW-TO. I have a project that is going to require
certs for security. I will ultimately have to use a Verisign or Thawte
cert, but I can certainly test with the homemade ones. Also, have you tried
to get Netscape or Mozilla to work??

Adam Greene
ROMulin Group Inc

885 Main St, Suite 16
Moncton, NB
E1C 1G5

Ph: (506) 863-1014 x4
Fx: (506) 854-6886

http://www.romulin.com/

-----Original Message-----
From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 11:43 AM
To: tomcat-user
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially


Greetings all...

For those not interested in client certificates at the deep technical
level, this is probably not your favorite cup of tea. Otherwise read on.

Enabling SSL in Tomcat is really no sweat using your own home-made
certificates, thanks to the excellent HOW-TO. Once you get your root CA
certificate installed in the right places, and a suitable certificate
installed in Tomcat, everything works just fine.

However, creating client certificates that work with IE has (at least for
me) shown to be a real pain. I've experimented for months, and tried
numerous postings on this list, but no one seemed to know the finer details.
It was only recently I had a breakthrough, in that a trial certificate from
Verisign allowed me to compare that and a home-made one, and find the bits
that make the difference, that is, what it takes for it to be shown on the
selection list in IE when the server asks for a client certificate.
Last night I succeeded. The right combination of keytool and openssl
maneuvers to set up a private CA finally generated a certificate that
installed without a hitch in IE, and came up when I subsequently connected
to my SSL-enabled Tomcat. So far so good.

However there is still one major obstacle ... the server aborts the
connection right away :-((((

IE tells me:

"The page cannot be displayed
The page you are looking for is currently unavailable.
The Web site might be experiencing technical difficulties,
or you may need to adjust your browser settings."

In other words, the usual message that indicates that the server screwed
up, and closed the connection.

Interestingly enough the Verisign certificate works just fine. So there is
apparently still a difference to Tomcat.
Have tried to connect using openssl s_client - works A-OK, also with my
home-made certificate.
Have looked in the tomcat logs to no avail. There is no trace anywhere why
the connection breaks.

So the question to the list is: how would I go about diagnosing this? I
believe that the problem must be related to the SSL container (?) that
responds to the traffic on port 443, and does all the SSL handshaking,
because my application never sees anything.
Just like in Apache there's an error log for all the pages that fail -
isn't there such a log in Tomcat?

Thanks for any input or advice you might have!

PS. If anyone is interested in a writeup or HOW-TO of making client
certificates for Tomcat, let me know. This is certainly tricky stuff!

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]
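An added example, not code from anyone in this thread: a POSIX shell script that does with openssl alone what the post describes doing by hand, namely setting up a throwaway private CA, issuing client certificates from it, exporting one as a PKCS#12 bundle for browser import, and printing the X.509v3 extension block of a certificate so that a working certificate and a home-made one can be diffed. The scratch directory, file names, the "changeit" export password and the `extendedKeyUsage = clientAuth` profile are all constructed for the example; the thread does not say which extension bits actually made the difference for IE, and the script does not claim to.

```shell
#!/bin/sh
# Added example, not from the thread. Throwaway private CA, client certs,
# PKCS#12 export and an extension-block diff, all with openssl.
# The extension profile below is an assumption, not a browser requirement.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, constructed for the example

# make_ca DIR CN: self-signed root CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_client DIR NAME EXT_LINE: key, CSR, CA-signed certificate carrying the
# given extension line, then a password-protected PKCS#12 bundle.
issue_client() {
  dir="$1"; name="$2"; ext_line="$3"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf '%s\n' "$ext_line" > "$dir/$name.ext"
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
  # Export password is a constructed placeholder for the example only.
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.pem" \
    -certfile "$dir/ca.pem" -passout pass:changeit \
    -out "$dir/$name.p12" 2>/dev/null
}

# cert_extensions FILE: print only the "X509v3 extensions" section of a cert.
cert_extensions() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 extensions:/ {f=1; next} /Signature Algorithm:/ {f=0} f'
}

# extension_diff A B: diff of the two certificates' extension blocks
# (empty output means the extensions are identical).
extension_diff() {
  cert_extensions "$1" > "$WORK/.a.txt"
  cert_extensions "$2" > "$WORK/.b.txt"
  diff "$WORK/.a.txt" "$WORK/.b.txt" || true
}

# verify_chain DIR NAME: succeeds only if the client cert chains to the CA.
verify_chain() {
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# The handshake check itself (openssl s_client -connect host:443 -cert
# alice.pem -key alice.key -CAfile ca.pem) needs a live server and is not run here.
```

Point `extension_diff` at the certificate that a browser accepts and the one it rejects; the diff is the list of candidates to look at, and `verify_chain` rules out the separate case of a certificate that simply does not chain to the CA the server trusts.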


--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>

