interesting problem bug with client certificates?

Thu, 13 Feb 2003 06:30:42 -0800 

Team:
I have noticed something very inconsistent within Tomcat 4.1.18.

My application is using client certificates over ssl (these all occur
after I unlock and present my certificate (which btw is the same on all
three of these browsers).

When I access my protected resource with IE version 6.0 all works fine.

When I access my protected resource with Mozilla version 1.1 I receive
an error page from tomcat that says:
HTTP Status 400 - No client certificate chain in this request.
Description:The request sent by the client was syntactically incorrect
(No client certificate chain in this request).
If I hit reload it works fine.

When I access my protected resource with Netscape Communicator I receive
a blank page.
After hitting reload I am prompted for my certificate again and it works
correctly.

I believe this message is being generated by the following code in
org.apache.catalina.authenticator.SSLAuthenticator.java:

// Retrieve the certificate chain for this client
        HttpServletResponse hres =
            (HttpServletResponse) response.getResponse();
        if (debug >= 1)
            log(" Looking up certificates");
        X509Certificate certs[] = (X509Certificate[])

request.getRequest().getAttribute(Globals.CERTIFICATES_ATTR);
        if ((certs == null) || (certs.length < 1)) {
            certs = (X509Certificate[])

request.getRequest().getAttribute(Globals.SSL_CERTIFICATE_ATTR);
        }
        if ((certs == null) || (certs.length < 1)) {
            if (debug >= 1)
                log("  No certificates included with this request");
            hres.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           sm.getString("authenticator.certificates"));
            return (false);
        }

My question is why the inconsistent behavior between browsers?  Secondly
if I do not do cert authentication within my webapp but instead turn it
on for the whole SSL context (using clientAuth) I do not get this
message with any of the above mentioned browsers.

Thanks,
Tony



--
Tony Dahbura
Deployment Director
Opsware Business Practice
EDS Inc.
13900 Lincoln Park Drive
Suite 405/WH-OPS
Herndon, VA  20171
voice: 703.742.1280
fax: 703.742.1163
[EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to