Re: [iaik-jce] [iaik-ssl] Why is client certificate unavailabe?



Hi again,

On Fri, 18 Aug 2000 10:00:50 -0400, Timothy Wall wrote:

>Ah, at last a response!  Thanks André.
>
>Normally, jacorb looks up the keystore and asks (via console) for passwords and user/alias.  I
>hacked a few things to pull in the alias, keystore and passphrase via different methods.  Jacorb
>*is* using the keystore, and extracting a cert and key for a given alias.

So you didn't define any CA, did you?
Also check whether the mico-openssl sends the CAs it accepts; otherwise there will be no match.

>Keystore:  I've used both a custom one I set up (using KeyStoreManager, creating a key, importing a
>certificate generated using openssl) and the demo keystore generated by the iSaSiLk demo.  If I
>direct the iSaSiLk demo to talk to the openssl s_server, the certificate info is transmitted
>correctly.  Using the demo keystore to talk to mico+openssl, the certificate info is missing.  So I
>don't think the problem is in my keystore.

Your KeyStore must also have a trusted certificate entry for each CA.
Once again, check whether the mico-openssl sends the CAs it accepts; otherwise there will be no match:
no CA, so no possible trusted certificate chain, I think.

>
>The jacorb setup is the default in SSLSetup.java/.orig -- the keystore is loaded, the x509 chain for
>a given alias loaded, along with the private key, and addClientCredentials is called on the
>clientContext.  I haven't changed any of that.
>
>I added debug statements to jacorb to verify that the client x509 chain really contained the
>information I thought it did, and the information shows up (just before the call to
>addClientCredentials).  I didn't do any verification of the loaded private key.
>
>On the openssl side, I have set the verify depth to 0 (which requests a client certificate, but
>ignores CAs).  I've played around with changing the requested ciphersuite on openssl, but that
>doesn't seem to have any effect.
>
>Tim
>
I think your keystore isn't OK. I could send you a keystore, just to be sure.
I also recommend that you read the readSSL file and let jacorb do the SSL setup.

Regards, André


--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-jce
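As an added illustration, not code from this thread nor from JaCorb, iSaSiLk or MICO: the mechanism both mails circle around is the server's CertificateRequest handshake message, which carries the list of CA names the server accepts. A client of that era only presents a certificate when its chain leads to one of those CAs and the CA is also held as a trusted certificate entry in its keystore. The Python below encodes and decodes that message body as laid out in RFC 2246 section 7.4.4 and applies the two checks André describes. Everything in it is constructed: the distinguished names are plain byte strings standing in for DER-encoded X.501 names, the keystore is a dict rather than a java.security.KeyStore, and the aliases and CA names are made up.

```python
"""Model of TLS client-certificate selection: the server's CertificateRequest
lists acceptable CA names; the client sends a chain only when it leads to one
of those CAs and the CA is a trusted entry in the client's keystore.
Hypothetical helper code with constructed data."""
import struct

# CertificateRequest body (RFC 2246 section 7.4.4):
#   ClientCertificateType certificate_types<1..2^8-1>;
#   DistinguishedName     certificate_authorities<3..2^16-1>;
# Each DistinguishedName is itself a 2-byte-length-prefixed opaque value.
RSA_SIGN = 1  # ClientCertificateType rsa_sign


def build_certificate_request(cert_types, ca_names):
    """Encode the message body the way a server would send it.
    A server that accepts no CA simply sends an empty (length 0) list."""
    types = bytes([len(cert_types)]) + bytes(cert_types)
    cas = b"".join(struct.pack(">H", len(dn)) + dn for dn in ca_names)
    return types + struct.pack(">H", len(cas)) + cas


def parse_certificate_request(body):
    """Decode (certificate_types, certificate_authorities) from the body,
    refusing lengths that do not add up."""
    n = body[0]
    cert_types = list(body[1:1 + n])
    off = 1 + n
    (cas_len,) = struct.unpack(">H", body[off:off + 2])
    off += 2
    end = off + cas_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    ca_names = []
    while off < end:
        (dn_len,) = struct.unpack(">H", body[off:off + 2])
        off += 2
        ca_names.append(body[off:off + dn_len])
        off += dn_len
    if off != end:
        raise ValueError("truncated DistinguishedName")
    return cert_types, ca_names


# Constructed keystore model: alias -> entry. A key entry holds a chain
# (leaf first) as (subject, issuer) pairs; a trusted entry holds one CA subject.
def key_entry(chain):
    return {"type": "key", "chain": chain}


def trusted_entry(subject):
    return {"type": "trusted", "subject": subject}


def select_client_chain(keystore, alias, ca_names):
    """Return (chain, reason); chain is None when the client sends nothing."""
    entry = keystore.get(alias)
    if entry is None or entry["type"] != "key":
        return None, "no key entry for alias %r" % alias
    chain = entry["chain"]
    root_issuer = chain[-1][1]
    trusted = {e["subject"] for e in keystore.values() if e["type"] == "trusted"}
    # Check 1: the keystore must hold the CA as a trusted certificate entry.
    if root_issuer not in trusted:
        return None, "keystore has no trusted certificate entry for %r" % root_issuer
    # Check 2: the server must have named at least one CA...
    if not ca_names:
        return None, "server sent no acceptable CAs, so no chain can match"
    # ...and some issuer in the chain must be among them.
    issuers = {issuer for _, issuer in chain}
    if not issuers & set(ca_names):
        return None, "no issuer in the chain is among the server's CAs"
    return chain, "ok"


# Constructed names (not from the thread).
DEMO_CA = b"CN=Demo CA,O=Example"
CLIENT = b"CN=jacorb-client,O=Example"


def demo_keystore(with_trusted_ca=True):
    ks = {"client": key_entry([(CLIENT, DEMO_CA)])}
    if with_trusted_ca:
        ks["democa"] = trusted_entry(DEMO_CA)
    return ks


def run_scenario(ca_names, with_trusted_ca=True):
    """Round-trip a CertificateRequest through the wire format, then select."""
    body = build_certificate_request([RSA_SIGN], ca_names)
    _, parsed = parse_certificate_request(body)
    return select_client_chain(demo_keystore(with_trusted_ca), "client", parsed)


if __name__ == "__main__":
    cases = [("server lists Demo CA", ([DEMO_CA],)),
             ("server lists no CA", ([],)),
             ("keystore lacks trusted CA entry", ([DEMO_CA], False))]
    for label, args in cases:
        chain, reason = run_scenario(*args)
        print("%s: %s (%s)" % (label, "sends chain" if chain else "sends nothing", reason))
```

Running it reproduces the three situations in the thread: the chain is sent only when the server names the CA and the keystore also trusts it; an empty CA list or a missing trusted entry both end with the client sending no certificate at all, which matches the "certificate info is missing" symptom. The empty-list behaviour modelled here is the one André describes for implementations of the time; later TLS versions (RFC 4346 onward) allow an empty list to mean the client may send any certificate of the requested type.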