Posted to users@tomcat.apache.org by Michael Migdol <mm...@bevocal.com> on 2002/02/22 18:54:44 UTC
Need help with SSL Client Authorization
Hi all,
I know this is at least the third request I have seen regarding this topic.
Maybe we need more information in the Tomcat documentation?
I've been trying for a day now to get this to work without success.
Hopefully someone here can help. I'm running Tomcat 4.0.2 in standalone
mode. I have enabled SSL with the following configuration in my server.xml:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="false"
               acceptCount="10" debug="99" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               debug="1"
               clientAuth="true" protocol="TLS"/>
    </Connector>

This configuration works fine with secure="false" (i.e. no client
authentication).
First, I used keytool to add the tomcat alias to USER_HOME/.keystore. Then,
I used OpenSSL (OpenSSL 0.9.6c 21) to create a CA, and have added that CA
to the cacerts keystore (using -trustcacerts with keytool). I then used the
local OpenSSL CA to request and then sign a user certificate.
I am testing my server-side configuration in two ways that both fail. In
both cases, I have set javax.net.debug=ssl for the server.
1) Convert both the user and CA certificates to PKCS12, import them both
into Internet Explorer, and then attempt to go to
https://localhost:8443/index.html . This gets me a "Page cannot be
displayed" error on the client side. On the server side I get
"handshake-failed" messages.
2) Run a Java program that uses the user certificate to connect to TC. This
program fails with an exception:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Couldn't
find trusted certificate. On the server side I get "certificate_unknown"
error messages.
I'm more concerned with the second case, since this is closer to what we are
actually trying to do, although I need to get both scenarios working. Can
anyone summarize the criteria used by Tomcat+SSL to determine that the
certificate passed over was "unknown"? What exactly is the role of the
self-signed Tomcat alias certificate that is required?
Thanks in advance,
Michael
Michael Migdol
Senior Staff SW Engineer
1380 Bordeaux Drive
Sunnyvale, CA 94089
work 408-907-6265
cell 408-375-8001
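For readers hitting the second failure above: "Couldn't find trusted certificate" is raised on the client side by the JVM's trust manager when it cannot chain the server's certificate (here the self-signed "tomcat" entry) to anything in the client's trust store, and the client then aborts the handshake before its own certificate is ever evaluated by Tomcat. The following Java client is an added example, not code from the original thread; the file names client.p12 and truststore.jks and the password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {
    // Assumed file names and passwords; replace with your own.
    static final String CLIENT_P12 = "client.p12";     // user cert + private key (PKCS12)
    static final char[] CLIENT_PASS = "changeit".toCharArray();
    static final String TRUST_JKS = "truststore.jks";  // holds the server's self-signed cert
    static final char[] TRUST_PASS = "changeit".toCharArray();

    static SSLContext buildContext() throws Exception {
        // Identity the client presents when Tomcat (clientAuth="true") sends a CertificateRequest.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(CLIENT_P12)) {
            identity.load(in, CLIENT_PASS);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, CLIENT_PASS);

        // Trust anchors for the *server* side of the connection. If the server's self-signed
        // "tomcat" certificate (or the CA that issued it) is missing here, the client rejects
        // the server certificate and the handshake fails with "Couldn't find trusted certificate".
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_JKS)) {
            trust.load(in, TRUST_PASS);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://localhost:8443/index.html");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The truststore can be filled by exporting the server entry with keytool -export -alias tomcat and importing that certificate into truststore.jks with keytool -import -trustcacerts; the server-side cacerts file must separately contain the OpenSSL CA that signed the user certificate, which is what Tomcat uses to decide whether the presented client certificate is "unknown".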