Re: [iaik-jce] [iaik-ssl] Why is client certificate unavailable?
On Fri, 18 Aug 2000 10:00:50 -0400, Timothy Wall wrote:
>Ah, at last a response! Thanks Andr.
>Normally, jacorb looks up the keystore and asks (via console) for passwords and user/alias. I
>hacked a few things to pull in the alias, keystore and passphrase via different methods. Jacorb
>*is* using the keystore, and extracting a cert and key for a given alias.
So you didn't define any CA, did you?
Also check whether mico-openssl sends the CAs it accepts; otherwise there will be no match.
>Keystore: I've used both a custom one I set up (using KeyStoreManager, creating a key, importing a
>certificate generated using openssl) and the demo keystore generated by the iSaSiLk demo. If I
>direct the iSaSiLk demo to talk to the openssl s_server, the certificate info is transmitted
>correctly. Using the demo keystore to talk to mico+openssl, the certificate info is missing. So I
>don't think the problem is in my keystore.
Your KeyStore must also have a trusted certificate entry for each CA.
Once again, check if the mico-openssl sends the CAs it accepts, otherwise there will be no match:
no CA so no possible trusted certificate chain I think.
>The jacorb setup is the default in SSLSetup.java/.orig -- the keystore is loaded, the x509 chain for
>a given alias loaded, along with the private key, and addClientCredentials is called on the
>clientContext. I haven't changed any of that.
>I added debug statements to jacorb to verify that the client x509 chain really contained the
>information I thought it did, and the information shows up (just before the call to
>addClientCredentials). I didn't do any verification of the loaded private key.
>On the openssl side, I have set the verify depth to 0 (which requests a client certificate, but
>ignores CAs). I've played around with changing the requested ciphersuite on openssl, but that
>doesn't seem to have any effect.
I think your keystore isn't OK. I could send you a keystore, just to be sure.
I also recommend that you read the readSSL file and let jacorb do the SSL setup.
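
Added example, not part of the original message and not iSaSiLk or jacorb code: a stand-alone check of the two conditions raised in the reply above (a trusted certificate entry for the issuing CA, and an issuer that appears in the CA list the server sends), using only the standard `java.security.KeyStore` API. It assumes the keystore is in a format the default JDK providers can read (JKS or PKCS12); the class name `KeystoreCheck` and its command-line arguments are hypothetical.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Added example. Usage: java KeystoreCheck <keystore> [acceptable CA DN ...]
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length < 1 || con == null) {
            System.err.println("usage (interactive): java KeystoreCheck <keystore> [CA DN ...]");
            return;
        }
        // Assumption: a keystore type the default providers can read (JKS or PKCS12).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, con.readPassword("Keystore password: "));
        }
        // DNs the server lists in its CertificateRequest (optional arguments).
        Set<X500Principal> acceptable = new HashSet<>();
        for (int i = 1; i < args.length; i++) acceptable.add(new X500Principal(args[i]));
        // Subjects of all trusted certificate entries, i.e. the CA entries.
        Set<X500Principal> trusted = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate)
                trusted.add(((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": key entry without a certificate chain");
                continue;
            }
            boolean hasTrustedCa = false, inServerList = false;
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X500Principal issuer = ((X509Certificate) c).getIssuerX500Principal();
                hasTrustedCa |= trusted.contains(issuer);   // CA present as trusted entry
                inServerList |= acceptable.contains(issuer); // CA named by the server
            }
            System.out.println(alias + ": chain length " + chain.length
                + ", issuer has trusted entry: " + hasTrustedCa
                + (acceptable.isEmpty() ? "" : ", issuer in server CA list: " + inServerList));
        }
    }
}
```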