JavaRanch » Java Forums » Engineering » Security
Problems with clientAuth="true" on Jboss (Tomcat)

Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
1) Setup clientAuth="false" (among the rest of the Connector data in server.xml), all works fine (Firefox asks for a certificate on an attempt to open https://...:8443), opens the page when I import the certificate.

2) Change to clientAuth="true"

WORKS FINE FOR THE VERY FIRST TIME (certificate is there from the previous test).
When I delete the certificate, I get a security warning (Secure Connection Failed - as expected).

But when I re-introduce the certificate, I get the error message:


An error occurred during a connection to ...:8443.
SSL peer was not expecting a handshake message it received.
(Error code: ssl_error_handshake_unexpected_alert)


This is the very same error message as if I instead of importing certificate just tried to "add exception".

This is tested on FIREFOX 3.0.3.

Under IE 6.0.2... I just get:

Cannot find server or DNS Error


When clientAuth="false", IE works kind of the expected way.

After the tests I ran at work, I have repeated the same process at home, with the same results.

Is this a client issue? Or a Tomcat/Jboss thing? Any experience with this kind of setup? Anyone have it up and running with expected results?
Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
Problem solved, truststoreFile was not set up properly.
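For reference, the two stores involved are distinct: the keystore holds the server's own certificate and private key, while the truststore holds the CA certificates Tomcat uses to validate client certificates (and whose names it advertises to the browser during the handshake). The Connector below is an added example of a Tomcat 6 / JBoss 4.2-style server.xml entry with both set, not configuration from the thread; the file names and passwords are placeholders.

```xml
<!-- Added example: HTTPS connector requiring client certificates.
     keystoreFile   = server identity (its own cert + private key)
     truststoreFile = CA chain that issued the client certificates
     Paths and passwords are placeholders, not values from the thread. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="changeit"
           truststoreFile="${jboss.server.home.dir}/conf/client-cas.truststore"
           truststorePass="changeit" />
```

If truststoreFile is omitted, Tomcat falls back to the JVM's default cacerts, which will not contain a private CA; with clientAuth="true" that leaves the browser with no acceptable certificate to offer and the handshake fails instead of prompting.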
Alexandre Shimono
Greenhorn

Joined: Dec 22, 2008
Posts: 1
Hi!

I had the same problem, and apparently, neither Firefox nor IE allow you to see the certificates in your browser if their root CAs are not listed in the truststore file. So, to solve this problem, you need to get all the certificates in the chain until the root certificate from the client side, and add all of them in the truststore.

See ya!
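The "get all the certificates in the chain ... and add all of them in the truststore" step, as an added example that is not part of the thread: the script splits a PEM bundle (intermediate CA plus root CA, as a browser or CA would export it) into one file per certificate and imports each into the Tomcat truststore with keytool. The bundle contents in the demo section are constructed dummies; the truststore path, alias prefix and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a JDK keytool on PATH for the
# import step; the split step is plain awk and runs anywhere.
set -e

# split_pem_bundle BUNDLE OUTDIR
#   Writes OUTDIR/ca-1.pem, OUTDIR/ca-2.pem, ... (one per certificate, in
#   bundle order) and prints the number of certificates found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_chain OUTDIR TRUSTSTORE PASSWORD
#   Imports every split certificate as a trusted CA entry (alias clientca-N),
#   then lists the store so the chain can be checked by eye.
import_chain() {
    outdir="$1"; store="$2"; pass="$3"
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH (needs a JDK); skipping import" >&2
        return 0
    fi
    i=0
    for f in "$outdir"/ca-*.pem; do
        i=$((i + 1))
        keytool -import -noprompt -trustcacerts -alias "clientca-$i" \
            -file "$f" -keystore "$store" -storepass "$pass"
    done
    keytool -list -keystore "$store" -storepass "$pass"
}

# Demo on a constructed two-certificate bundle (dummy bodies, not real certs),
# so only the split step is exercised here. With a real exported chain, run:
#   split_pem_bundle chain.pem /tmp/cas
#   import_chain /tmp/cas conf/client-cas.truststore changeit
demo_dir=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'dummy-intermediate-ca-body' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'dummy-root-ca-body'         '-----END CERTIFICATE-----' \
    > "$demo_dir/chain.pem"
echo "certificates in constructed bundle: $(split_pem_bundle "$demo_dir/chain.pem" "$demo_dir/cas")"
```

Import the root as well as the intermediate: Tomcat builds the client's chain from the truststore contents, and a truststore holding only the intermediate cannot anchor it. After importing, restart JBoss so the Connector reloads the store.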
Keshav Jha
Greenhorn

Joined: Aug 15, 2013
Posts: 3
Dear Alexandre and Dejan

May I ask you to help by kindly elaborating your answer. I am a newbie on this and I am stuck in my project due to this problem.
By truststoreFile, you mean the keystore file?
More specifically, what is meant by "you need to get all the certificates in the chain until the root certificate from the client side, and add all of them in the truststore"? Can you please provide the steps? I am trying to do this on localhost, so my client and server are both the same machine. Also, I am using Firefox, so do I have to download the root certificate from Firefox and add this to the keystore (truststore)? What is a chain? There are simply too many questions and assumptions which are making me a mess, so may I request you to provide the steps or give some pointers?

B Regards


 