4 Replies Latest reply on Oct 4, 2010 4:55 AM by Matt Carless

    Problems with clientAuth="true"

    Dejan Mratinkovic Newbie

      1)Setup clientAuth="false" (among the rest Connector data in server.xml), all works fine (Firefox asks for certificate on attempt to open on https://...:8443), opens the page when I import certificate.

      2)Change to clientAuth="true"

      WORKS FINE FOR THE VERY FIRST TIME (certificate is there form previous test).
      When I delete certificate, I get security warning (Secure Connection Failed - as expected).

      But when I re-introduce certificate, I got the error message:

      quote:
      An error occurred during a connection to ...:8443.
      SSL peer was not expecting a handshake message it received.
      (Error code: ssl_error_handshake_unexpected_alert)



      This is the very same error message as if I instead of importing certificate just tried to "add exception".

      This is tested on FIREFOX 3.0.3.

      Under IE 6.0.2... I just get:

      quote:Cannot find server or DNS Error



      When clientAuth="false" IE work kind of expected way.

      After tests I run at work, I have repeated the same process at home, with the same results.

      Is this client issue? Or Tomcat/Jboss thing? Any experience with this kind of setup? Any one have it up and running with expected results? Or me doing something wrong here?

        • 1. Re: Problems with clientAuth=
          Dejan Mratinkovic Newbie

          Problem solved, truststoreFile was not set up properly.

          • 2. Re: Problems with clientAuth=
            Patrick Walter Newbie

            I get the same error using FireFox. What should the trust file look like.
            I removed the certificate then accessed the https url and accepted the exception (created the new certifictate). BUT I still get the same error message using FireFox.

            thanks

            • 3. Re: Problems with clientAuth=
              Dejan Mratinkovic Newbie

              I can not recall exact details, but problem was with trust store setup.

              This is keystore with trusted certificates (describing which certificate authorities should be trusted) which is set up on server side, on JBoss. There are numbers of way you can set up trust stores on JBoss, check some manuals. This link might help, although is old:

              http://www.jboss.org/community/wiki/SSLSetup

              • 4. Re: Problems with clientAuth="true"
                Matt Carless Newbie

                I had the same problem. You need to make sure you have the CA certificate in your cacerts ($JAVA_HOME/jre/lib/security/cacerts)(severside). This is the CA that signed the client certificate that's being issued to your server.

                 

                If the client was certificate was signed by a repitable CA (THAWTE, VeriSign) you will proabaly have this CA already installed in your cacerts truststore. If you signed the certificate yourself you need to make sure the certificate you presenting to the server is trusted, thats why you need to add your CA to the cacerts truststore.

                 

                NOTE: on tomcat -6  I set up the ssl connector in server.xml  to define the location and password of the trustStore, for some reason tomcat did not use these settings.

                NOTE: if running tomcat from eclipse in dev environment make sure you know the JDK tomcat is using to run with. This will effect you cacerts location.

                This two note's and sketchy knowledge of how certificates work cost me hours.