javax.net.ssl.SSLHandshakeException: null cert chain
erace Dec 7, 2007 5:39 AM
Hi,
How can I find out what the reason is for the exception "javax.net.ssl.SSLHandshakeException: null cert chain" when the https connector is set to clientAuth="true"?
I have managed to make it work with self-signed certs. The problem occurs when I receive a client certificate signed by some other CA than mine.
The CA that signed the client cert is different from the CA that signed the server cert, but they have a common RootCA. It looks like this:
         RootCA
           ^
           |
      SomeOtherCA
       ^        ^
       |        |
   ServerCA   ClientCA
All CAs are imported into the truststore that is used in the configuration. It behaves the same whether the truststore is given via -Djavax.net.ssl.trustStore=/some.truststore or via the Connector's truststoreFile="" attribute.
I have imported PKCS#12 cert in web browser (Firefox 2.0 Linux).
The only strange thing I can see in the logs is this:
11:07:26,454 INFO [STDOUT] http-127.0.0.1-8443-1, READ: TLSv1 Handshake, length = 109
11:07:26,454 INFO [STDOUT] *** Certificate chain
11:07:26,454 INFO [STDOUT] ***
11:07:26,462 INFO [STDOUT] http-127.0.0.1-8443-1
11:07:26,462 INFO [STDOUT] , SEND TLSv1 ALERT:
11:07:26,462 INFO [STDOUT] fatal,
11:07:26,462 INFO [STDOUT] description = bad_certificate
11:07:26,462 INFO [STDOUT] http-127.0.0.1-8443-1, WRITE: TLSv1 Alert, length = 2
11:07:26,462 INFO [STDOUT] [Raw write]: length = 7
After that I receive:
11:07:26,463 INFO [STDOUT] http-127.0.0.1-8443-1, called closeSocket()
11:07:26,463 INFO [STDOUT] http-127.0.0.1-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
11:07:26,463 DEBUG [JIoEndpoint] Handshake failed
javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:156)
    at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:628)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
11:07:26,464 INFO [STDOUT] http-127.0.0.1-8443-1, called close()
11:07:26,464 INFO [STDOUT] http-127.0.0.1-8443-1, called closeInternal(true)
I am pretty stuck with this. Any hints?
/p
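The debug output in the post already carries the answer to "how can I find out the reason": in Sun JSSE's ssl debug trace, a received Certificate message is printed as "*** Certificate chain", one "chain [n] = [ ... ]" entry per certificate, then "***". Here the two markers are adjacent, so the browser sent an empty Certificate message, and ServerHandshaker.clientCertificate raises "null cert chain" precisely when client auth is required and the peer presents no certificate at all; the server truststore was never consulted. The script below, an added example that is not from the poster or from Tomcat/JBoss, parses that trace and separates the "client sent nothing" case (a client-side certificate selection problem) from the "client sent a chain the server rejected" case (a truststore or chain-building problem). The two log samples are constructed: the first reproduces the lines from the post, the second is an invented trace with a two-certificate chain and invented subject names.

```python
import re

# Constructed sample 1: the handshake trace from the post, one record per line.
SAMPLE_EMPTY_CHAIN = """\
11:07:26,454 INFO [STDOUT] http-127.0.0.1-8443-1, READ: TLSv1 Handshake, length = 109
11:07:26,454 INFO [STDOUT] *** Certificate chain
11:07:26,454 INFO [STDOUT] ***
11:07:26,462 INFO [STDOUT] http-127.0.0.1-8443-1
11:07:26,462 INFO [STDOUT] , SEND TLSv1 ALERT:
11:07:26,462 INFO [STDOUT] fatal,
11:07:26,462 INFO [STDOUT] description = bad_certificate
11:07:26,463 INFO [STDOUT] http-127.0.0.1-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
"""

# Constructed sample 2 (invented names): the same section when the browser does
# present a certificate plus its issuing CA, and the server accepts it.
SAMPLE_WITH_CHAIN = """\
12:00:00,001 INFO [STDOUT] http-127.0.0.1-8443-2, READ: TLSv1 Handshake, length = 1400
12:00:00,001 INFO [STDOUT] *** Certificate chain
12:00:00,001 INFO [STDOUT] chain [0] = [
12:00:00,001 INFO [STDOUT] [
12:00:00,001 INFO [STDOUT]   Version: V3
12:00:00,001 INFO [STDOUT]   Subject: CN=client, O=Example
12:00:00,001 INFO [STDOUT]   Issuer: CN=ClientCA, O=Example
12:00:00,001 INFO [STDOUT] ]
12:00:00,001 INFO [STDOUT] chain [1] = [
12:00:00,001 INFO [STDOUT] [
12:00:00,001 INFO [STDOUT]   Version: V3
12:00:00,001 INFO [STDOUT]   Subject: CN=ClientCA, O=Example
12:00:00,001 INFO [STDOUT]   Issuer: CN=SomeOtherCA, O=Example
12:00:00,001 INFO [STDOUT] ]
12:00:00,001 INFO [STDOUT] ***
12:00:00,002 INFO [STDOUT] http-127.0.0.1-8443-2, READ: TLSv1 Handshake, length = 262
"""

LOG_PREFIX = re.compile(r"^\S+\s+\w+\s+\[[^\]]*\]\s+(.*)$")


def strip_prefix(line):
    """Drop the JBoss/log4j prefix ('11:07:26,454 INFO [STDOUT] ') if present."""
    m = LOG_PREFIX.match(line)
    return m.group(1) if m else line


def analyze_handshake(log_text):
    """Summarise the peer's Certificate message and any alert that followed it."""
    result = {"chain_seen": False, "chain_length": 0, "subjects": [],
              "alert": None, "exception": None}
    in_chain = False
    for raw in log_text.splitlines():
        s = strip_prefix(raw.rstrip("\n")).strip()
        if s == "*** Certificate chain":          # start of the Certificate dump
            in_chain, result["chain_seen"] = True, True
            continue
        if in_chain:
            if s == "***":                        # end of the dump
                in_chain = False
            elif s.startswith("chain ["):         # one line per certificate
                result["chain_length"] += 1
            elif s.startswith("Subject:"):
                result["subjects"].append(s[len("Subject:"):].strip())
            continue
        m = re.match(r"description = (\w+)$", s)  # TLS alert description
        if m:
            result["alert"] = m.group(1)
        m = re.search(r"(javax\.net\.ssl\.\w+: .*)$", s)
        if m:
            result["exception"] = m.group(1)
    return result


def diagnose(log_text):
    """Classify the failure so the right side (client or server) gets investigated."""
    r = analyze_handshake(log_text)
    if not r["chain_seen"]:
        return "no_certificate_message"   # handshake never reached the client Certificate step
    if r["chain_length"] == 0:
        return "empty_chain"              # client presented no cert; truststore not involved
    if r["alert"] == "bad_certificate":
        return "chain_rejected"           # client sent certs, server could not validate them
    return "chain_accepted"


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_EMPTY_CHAIN), ("constructed", SAMPLE_WITH_CHAIN)):
        print(name, diagnose(sample), analyze_handshake(sample))
```

Run it against a full `-Djavax.net.ssl.debug=ssl` trace and the verdict tells you where to look next: `empty_chain` means the browser chose not to send a certificate (typically because the CA names the server listed in its CertificateRequest did not match the client certificate's issuer chain, or no certificate was selected), whereas `chain_rejected` means the certificates arrived and the problem is in the server's truststore or chain building.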