Re: [iaik-ssl] How to do client authentication only?
Andreas Sterbenz wrote:
> ...
> Getting back to the original question, client-only authentication is not
> specified in the SSL/TLS protocol. Assuming you are using iSaSiLk (or
> some other product with this feature) on both ends of the connection you
> can somewhat achieve the equivalent by manually reversing the client and
> server roles using setUseClientMode().
Ok, it seems a bit unwieldy, but alright. However, I run into
a deadlock when trying to do it like this:
Server:
    ss = new SSLServerSocket();
    SSLSocket ssock = (SSLSocket)ss.accept();
    ssock.setAutoHandshake(false);
    ssock.setUseClientMode(true);
    ssock.startHandshake();

Client:
    SSLServerContext cctx = new ...()
    cctx.addServerCredentials(..)
    SSLSocket csock = new SSLSocket(..., cctx);
    csock.setAutoHandshake(false);
    csock.setUseClientMode(false);
    csock.setAutoHandshake(true);
Using this setting, both sides print:
Client:
    ssl_debug(1): Starting handshake...

Server:
    ssl_debug(1): Accepted connection from
    ssl_debug(1): Starting handshake...
and the system stalls. If I omit the last call on the client side,
the server complains:
ssl_debug(1): Accepted connection from troll/160.45.112.102
ssl_debug(1): Starting handshake...
ssl_debug(1): SSLException while handshaking: Invalid SSL message, peer
seems to be talking plain!
ssl_debug(1): Sending alert: Alert Fatal: handshake failure
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): Shutting down SSL layer...
iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be
talking plain!
at iaik.security.ssl.p.g(Unknown Source)
at iaik.security.ssl.r.e(Unknown Source)
at iaik.security.ssl.f.c(Unknown Source)
at iaik.security.ssl.f.f(Unknown Source)
at iaik.security.ssl.r.c(Unknown Source)
at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)
at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)
at jacorb.orb.BasicAdapter$RequestReceptor.run(BasicAdapter.java:449)
What is the right way to swap client and server roles?
Thanks, Gerald Brose.
--
Gerald Brose, Mail: brose@inf.fu-berlin.de
FU Berlin (for PGP key see:) http://www.inf.fu-berlin.de/~brose
Institut f. Informatik Phone: (++49-30) 838-75112
Berlin, Germany Fax: (++49-30) 838-75109
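The role swap that Andreas describes, shown as an added example in plain JSSE rather than iSaSiLk (this is not code from the thread or from IAIK): the side that listens on the TCP port runs the TLS handshake in client mode, the side that dials in runs it in server mode, so only the dialing side presents a certificate and only it is authenticated. Both sides wrap an already-connected plain socket and set the mode before the first handshake, so exactly one side sends the ClientHello. The keystore and truststore file names and the password are assumptions for the example.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import javax.net.ssl.*;

public class RoleSwapExample {
    // Assumed, hypothetical files: the dialing side's own cert + key, and a
    // truststore on the listening side that contains that cert (or its CA).
    static final String DIALER_KEYSTORE = "dialer.p12";
    static final String LISTENER_TRUSTSTORE = "listener-trust.p12";
    static final char[] PASSWORD = "changeit".toCharArray();

    /** Context for the side that DIALS: it acts as TLS server, so it needs key material. */
    static SSLContext contextWithKey(String keystorePath) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) { ks.load(in, PASSWORD); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Context for the side that LISTENS: it acts as TLS client, so it only needs to trust the peer. */
    static SSLContext contextWithTrust(String truststorePath) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) { ts.load(in, PASSWORD); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Accept a plain TCP connection, then handshake over it in CLIENT mode. */
    static SSLSocket acceptAsTlsClient(ServerSocket listener, SSLContext ctx) throws IOException {
        Socket plain = listener.accept();
        SSLSocketFactory f = ctx.getSocketFactory();
        SSLSocket tls = (SSLSocket) f.createSocket(plain, plain.getInetAddress().getHostName(), plain.getPort(), true);
        tls.setUseClientMode(true);   // decide the role before any handshake or I/O
        tls.startHandshake();         // this side sends the ClientHello
        return tls;
    }

    /** Dial the listener, then handshake over the connection in SERVER mode. */
    static SSLSocket connectAsTlsServer(String host, int port, SSLContext ctx) throws IOException {
        Socket plain = new Socket(host, port);
        SSLSocketFactory f = ctx.getSocketFactory();
        SSLSocket tls = (SSLSocket) f.createSocket(plain, host, port, true);
        tls.setUseClientMode(false);  // decide the role before any handshake or I/O
        tls.startHandshake();         // waits for the ClientHello, then presents its certificate
        return tls;
    }

    public static void main(String[] args) throws Exception {
        SSLContext listenerCtx = contextWithTrust(LISTENER_TRUSTSTORE);
        SSLContext dialerCtx = contextWithKey(DIALER_KEYSTORE);
        ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());

        Thread listening = new Thread(() -> {
            try (SSLSocket s = acceptAsTlsClient(listener, listenerCtx)) {
                // The dialer was authenticated by its certificate during the handshake.
                System.out.println("listener: authenticated peer " + s.getSession().getPeerPrincipal());
                BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
                System.out.println("listener got: " + r.readLine());
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        listening.start();

        try (SSLSocket s = connectAsTlsServer("localhost", listener.getLocalPort(), dialerCtx)) {
            Writer w = new OutputStreamWriter(s.getOutputStream(), "UTF-8");
            w.write("hello from the authenticated dialer\n");
            w.flush();
        }
        listening.join();
        listener.close();
    }
}
```

The listening side has no KeyManager and the dialing side never calls setNeedClientAuth(true), so the handshake authenticates only the dialer, which is the "client authentication only" the thread asks about. Two caveats: because the roles are swapped, the listener has no hostname to check the dialer's certificate against, so trust has to come from the truststore contents (the dialer's own certificate or a dedicated CA) rather than from endpoint identification; and if both ends call setUseClientMode with the same value, or one end starts handshaking before the other has set its mode, each side waits for a message the other will never send.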
--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html
To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl