0 Replies Latest reply on Dec 7, 2007 5:39 AM by Przemyslaw Rudzki

    javax.net.ssl.SSLHandshakeException: null cert chain

    Przemyslaw Rudzki Newbie


      How can I find out the reason for the exception "javax.net.ssl.SSLHandshakeException: null cert chain" when the https connector is set to clientAuth="true"?

      I have managed to make it work with self-signed certs. The problem occurs when I receive a client certificate signed by some other CA than mine.

      The CA that signed the client cert is different from the CA that signed the server cert, but they have a common RootCA. It looks as follows:

              RootCA
             ^      ^
             |      |
      ServerCA      ClientCA

      All CAs are imported into the truststore and used during configuration. It works the same via -Djavax.net.ssl.trustStore=/some.truststore and via truststoreFile="" as the Connector's attribute.

      I have imported the PKCS#12 cert into the web browser (Firefox 2.0, Linux).

      The only strange thing I can see in the logs is this:

      11:07:26,454 INFO [STDOUT] http-, READ: TLSv1 Handshake, length = 109
      11:07:26,454 INFO [STDOUT] *** Certificate chain
      11:07:26,454 INFO [STDOUT] ***
      11:07:26,462 INFO [STDOUT] http-
      11:07:26,462 INFO [STDOUT] , SEND TLSv1 ALERT:
      11:07:26,462 INFO [STDOUT] fatal,
      11:07:26,462 INFO [STDOUT] description = bad_certificate
      11:07:26,462 INFO [STDOUT] http-, WRITE: TLSv1 Alert, length = 2
      11:07:26,462 INFO [STDOUT] [Raw write]: length = 7

      After that I receive:

      11:07:26,463 INFO [STDOUT] http-, called closeSocket()
      11:07:26,463 INFO [STDOUT] http-, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
      11:07:26,463 DEBUG [JIoEndpoint] Handshake failed
      javax.net.ssl.SSLHandshakeException: null cert chain
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
       at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206)
       at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:156)
       at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:628)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)
      11:07:26,464 INFO [STDOUT] http-, called close()
      11:07:26,464 INFO [STDOUT] http-, called closeInternal(true)

      I am pretty stuck with this. Any hints?
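A small triage helper for JSSE debug output in the format quoted above, added here as an example and not part of the original post. It treats the first Certificate chain printed after each CertificateRequest as the client's, counts its entries, and collects the CA names the server advertised so an empty chain can be compared against them; the sample log is constructed, with the CertificateRequest lines and the second, successful handshake invented.

```python
# Constructed sample in the post's log format; CertificateRequest lines and the second handshake are invented.
SAMPLE_LOG = """\
11:07:26,401 INFO [STDOUT] *** CertificateRequest
11:07:26,401 INFO [STDOUT] Cert Authorities:
11:07:26,401 INFO [STDOUT] <CN=RootCA, O=Example>
11:07:26,401 INFO [STDOUT] <CN=ServerCA, O=Example>
11:07:26,454 INFO [STDOUT] *** Certificate chain
11:07:26,454 INFO [STDOUT] ***
11:07:26,462 INFO [STDOUT] description = bad_certificate
11:09:01,090 INFO [STDOUT] *** CertificateRequest
11:09:01,090 INFO [STDOUT] Cert Authorities:
11:09:01,090 INFO [STDOUT] <CN=RootCA, O=Example>
11:09:01,090 INFO [STDOUT] <CN=ClientCA, O=Example>
11:09:01,100 INFO [STDOUT] *** Certificate chain
11:09:01,101 INFO [STDOUT] chain [0] = [
11:09:01,101 INFO [STDOUT] chain [1] = [
11:09:01,101 INFO [STDOUT] ***
"""

def parse_handshakes(log):
    """One dict per CertificateRequest; only the first chain after it is the client's (the server prints its own chain before the request)."""
    handshakes, state = [], None
    for raw in log.splitlines():
        line = raw.split("[STDOUT] ", 1)[-1].strip()   # drop the JBoss log prefix
        if line == "*** CertificateRequest":
            handshakes.append({"authorities": [], "cert_count": -1, "alert": ""})
        if line.startswith("***"):          # every '***' marker ends the current list
            state = None
        if not handshakes:
            continue
        hs = handshakes[-1]
        if line == "*** Certificate chain" and hs["cert_count"] == -1:
            hs["cert_count"], state = 0, "chain"
        elif line == "Cert Authorities:":
            state = "authorities"
        elif state == "authorities" and line.startswith("<"):
            hs["authorities"].append(line.strip("<>"))
        elif state == "chain" and line.startswith("chain ["):
            hs["cert_count"] += 1
        elif line.startswith("description = "):
            hs["alert"] = line.split("= ", 1)[1]
    return handshakes

def diagnose(hs):
    # cert_count == 0 is exactly what JSSE reports as "null cert chain" with alert bad_certificate
    if hs["cert_count"] == 0:
        return ("client sent an empty Certificate message, so truststore validation never ran; "
                "compare the client cert's issuer with the advertised CAs: " + ", ".join(hs["authorities"]))
    return f"{hs['cert_count']} cert(s) received" + (f", alert {hs['alert']}" if hs["alert"] else "")
```

An empty chain means the browser never offered a certificate, so the server's truststore contents were not what decided that handshake.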