Posted to dev@hc.apache.org by Dale McIntosh <da...@san.rr.com> on 2004/09/26 07:37:58 UTC

Re: Problems using AuthSSLProtocolSocketFactory to send ClientCertificate in HTTPS session handshake

Oleg,

The client certificate authentication is configured to be optional. The
clients can either authenticate via a user certificate or via a user name /
password. I am writing an automated interface that requires client
authentication.

The way that I determine that the client certificate wasn't sent, is by the
page returned in the HTTP response. If I request a particular page and get
the login page instead, I know the certificate was not sent. If I get the
requested page, I know the certificate was sent and accepted by the server.
I can validate this with IE by requesting a page without logging in. If I
have a valid client cert, I get the desired page. If not, I get the login
page. My Java program, however, always gives me the login page. I am
assuming that this is because the server is not requesting the client
certificate.

My belief at this point is that Oracle is only sending the client
certificate to browser (IE) based clients. That would explain the problem. I
have created an Oracle TAR, to see if this is an Oracle problem.

I want to make sure that no client certificate request was made. I didn't
see one looking at the log and I assume you didn't either. I expect to hear
from Oracle soon; I'll let you know what they have to say about this.

    Thanks,
    Dale

----- Original Message ----- 
From: "Oleg Kalnichevski" <ol...@apache.org>
To: "Commons HttpClient Project" <co...@jakarta.apache.org>
Sent: Saturday, September 25, 2004 2:19 PM
Subject: Re: Problems using AuthSSLProtocolSocketFactory to send
ClientCertificate in HTTPS session handshake


> Dale,
> Do you know if the client authentication has been configured as required
> or optional? Does the server reject the connection when an attempt is made
> to authenticate with an invalid certificate? The fact that IE pops up
> the certificate dialog does not actually mean that the server
> validates the certificate or requests a client certificate at all. I
> tend to trust more the SSL log showing that the server did not request a
> client certificate.
>
> I retested the AuthSSLProtocolSocketFactory against Apache 2.0.51 with
> mod_ssl one more time and everything appeared to be OK.
>
> Oleg
>
>
>
> On Sat, 2004-09-25 at 22:26, Dale McIntosh wrote:
> > I have been trying for quite a while to get the AuthSSLProtocolSocketFactory
> > to send a client certificate and it doesn't seem to be working. I am
> > wondering if the server (Oracle single sign-on server) is requesting the
> > client cert. When the request is made from a browser, the browser does send
> > the client cert. I have attached my application (it is relatively simple)
> > and a debug log. The debug options I used were -
> > javax.net.debug="ssl,handshake,keymanager".
> >
> > I have looked at the debug log and I do not see a certificate request.
> > However, when IE is used, IE sends a client certificate.
> >
> > Any help would be appreciated.
> >
> >             Thanks,
> >             Dale McIntosh
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


Re: Problems using AuthSSLProtocolSocketFactory to send ClientCertificate in HTTPS session handshake

Posted by Oleg Kalnichevski <ol...@apache.org>.
> My belief at this point is that Oracle is only sending the client
> certificate to browser (IE) based clients. That would explain the problem. I
> have created an Oracle TAR, to see if this is an Oracle problem.
> 

Dale,
This assumption can be easily tested. The only way the target web server
can tell IE from other agents is by the User-Agent request header.

Try setting the user agent header to something like that and see if that
makes any difference.

GetMethod httpget = new GetMethod("/");
httpget.setRequestHeader("User-Agent", 
 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)");

This can also be a problem with the Sun implementation of JSSE, which
for whatever reason ignores the client certificate request issued by the
Oracle single signon server. Consider trying alternative JSSE
implementations such as IBM JSSE or IAIK iSaSiLk. Likewise, it may also
be a bug in the Oracle SSL library. Do you know exactly what SSL
implementation Oracle single signon server employs? Is it based on
OpenSSL or some proprietary stuff?

Hope this helps

Oleg
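
The question running through this thread, whether the server ever asks for a client certificate, can also be checked from inside the client rather than read out of the javax.net.debug log. The following is an added example, not part of the original messages and not code from HttpClient; the class name CertRequestProbe and the command-line arguments are hypothetical, and it assumes a modern JDK and a PKCS12 client keystore.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

// Added diagnostic (hypothetical class name): wraps the real key manager and
// records whether the handshake ever asked it for a client certificate.
public class CertRequestProbe implements X509KeyManager {
    private final X509KeyManager delegate;
    volatile boolean requested = false;
    CertRequestProbe(X509KeyManager delegate) { this.delegate = delegate; }

    // JSSE reaches this only while processing the server's CertificateRequest.
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
        requested = true;
        String alias = delegate.chooseClientAlias(keyTypes, issuers, s);
        // A null alias means no key in the keystore matches the request.
        System.err.println("keyTypes=" + Arrays.toString(keyTypes) + " acceptable issuers="
                + Arrays.toString(issuers) + " chosen alias=" + alias);
        return alias;
    }
    public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    // Usage: java CertRequestProbe <keystore.p12> <password> <host> <port>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, args[1].toCharArray());
        CertRequestProbe probe = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) probe = new CertRequestProbe((X509KeyManager) km);
        }
        if (probe == null) throw new IllegalStateException("no X509KeyManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { probe }, null, null); // null = default trust store
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(args[2], Integer.parseInt(args[3]))) {
            sock.startHandshake();
        }
        System.out.println(probe.requested ? "server sent a CertificateRequest"
                : "server did not request a client certificate");
    }
}
```

The probe completes only the initial handshake, so a server that asks for the certificate later, after it has seen the HTTP request for a protected URL, is reported as not having requested one. When a request is logged but the chosen alias is null, compare the printed issuer list with the issuer of the client certificate.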



