Hi. For the last few days I have also been working on an SSL implementation. I am using JBoss 5.1.0 GA. I have implemented the server certificate, but I don't know how to implement client/server mutual authentication.

Do you work on that part? Can you help me? Another issue I have is that I can access my application from the server, but if I access the same application from a client machine I get the following exception:

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: }

Thanks in advance. Please reply.

On Tue, Nov 10, 2009 at 3:59 AM, Jorge Medina <jmed...@e-dialog.com> wrote:
>
> OpenSSL hashes the subject name.
> " This is used in OpenSSL to form an index to allow certificates in a
> directory to be looked up by subject name. "
> but that seems weak.
>
> http://www.openssl.org/docs/apps/x509.html#
> http://www.openssl.org/docs/apps/verify.html#
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, November 09, 2009 2:06 PM
> To: Tomcat Users List
> Subject: Identifying Clients via SSL Certificates
>
> All,
>
> I've been playing around with client SSL certificates, not for
> authentication per se, but as a gateway to a relaxed authentication
> mechanism for one of our webapps.
>
> I have a client SSL cert working (see my previous thread "mod_jk & Client
> SSL Certificates") and successfully verifying the signature of the client
> cert by the server.
>
> I'd like to be able to uniquely identify the client certificate being used
> to authenticate via SSL, but I'm a newbie at this sort of thing and I'd
> appreciate some suggestions as to how to do that. A few ideas I've had are:
>
> 1. Use a directory-style 'CN' attribute like "UID=myuniqueid"
>
> 2. Use the fingerprint of the client certificate
>
> 3. Use the full text of the client certificate
>
> All 3 of the above can be used to then link to appropriate records in the
> database for limited authentication.
>
> Does anyone have any suggestions or preferred techniques?
>
> Thanks,
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
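
Ideas 1 and 2 from the quoted question, as an added example that is not code from anyone in this thread: it derives a subject-based and a fingerprint-based identifier from a client certificate using standard JDK classes. The class name, method names, the choice of SHA-256 and the file path argument are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example, not code from the thread. Class and method names are hypothetical.
public class ClientCertId {

    // Idea 2: digest of the DER encoding. Identifies this exact certificate,
    // so the value changes whenever the certificate is reissued or renewed.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    // Idea 1: the subject DN (RFC 2253 string form). Stable across renewals, but
    // only as unique as the issuing CA makes it, so trust only CAs you control.
    static String subject(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName();
    }

    // In a servlet the verified chain is the request attribute
    // "javax.servlet.request.X509Certificate" (X509Certificate[], client cert first).
    static X509Certificate clientCert(Object requestAttribute) {
        X509Certificate[] chain = (X509Certificate[]) requestAttribute;
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no client certificate on this connection");
        }
        return chain[0];
    }

    // Stand-alone run: java ClientCertId client.crt (PEM or DER file; path is an assumption)
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("subject     = " + subject(cert));
            System.out.println("fingerprint = " + fingerprint(cert));
        }
    }
}
```

Either value can serve as the database key the question describes; the fingerprint is effectively a compact form of idea 3, since it is computed over the certificate's full encoding.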