
Re: [iaik-ssl] How to do client authentication only?

Andreas Sterbenz wrote:
> ...
> Getting back to the original question, client-only authentication is not
> specified in the SSL/TLS protocol. Assuming you are using iSaSiLk (or
> some other product with this feature) on both ends of the connection you
> can somewhat achieve the equivalent by manually reversing the client and
> server roles using setUseClientMode().

Ok, it seems a bit unwieldy, but alright. However, I run into 
a deadlock when trying to do it like this:

	Client					Server

					ss = new SSLServerSocket();
					SSLSocket ssock = (SSLSocket)ss.accept();
SSLServerContext cctx = new ...()
cctx.addServerCredentials(..)
SSLSocket csock = new SSLSocket(..., cctx);
					ssock.setAutoHandshake(false);
					ssock.setUseClientMode(true);
					ssock.startHandshake();

csock.setAutoHandshake(false);
csock.setUseClientMode(false);
csock.setAutoHandshake(true);

Using this setting, both sides print:
					ssl_debug(1): Accepted connection from
ssl_debug(1): Starting handshake...	ssl_debug(1): Starting handshake...

and the system stalls. If I omit the last call on the client side,
the server complains: 

ssl_debug(1): Accepted connection from troll/160.45.112.102
ssl_debug(1): Starting handshake...
ssl_debug(1): SSLException while handshaking: Invalid SSL message, peer
seems to be talking plain!
ssl_debug(1): Sending alert: Alert Fatal: handshake failure
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): Shutting down SSL layer...
iaik.security.ssl.SSLException: Invalid SSL message, peer seems to be
talking plain!
        at iaik.security.ssl.p.g(Unknown Source)
        at iaik.security.ssl.r.e(Unknown Source)
        at iaik.security.ssl.f.c(Unknown Source)
        at iaik.security.ssl.f.f(Unknown Source)
        at iaik.security.ssl.r.c(Unknown Source)
        at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
        at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)
        at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)
        at jacorb.orb.BasicAdapter$RequestReceptor.run(BasicAdapter.java:449)

What is the right way to swap client and server roles?

Thanks, Gerald Brose.
--
Gerald Brose,                       Mail:       brose@inf.fu-berlin.de
FU Berlin        (for PGP key see:) http://www.inf.fu-berlin.de/~brose
Institut f. Informatik              Ph-one:        (++49-30) 838-75112
Berlin, Germany                     Ph-ax:         (++49-30) 838-75109
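The role reversal described in the quoted reply, as an added example that is not part of this thread or of iSaSiLk: Go's crypto/tls stands in for the iSaSiLk API, a constructed self-signed credential stands in for addServerCredentials(), and a net.Pipe stands in for the accepted and connecting TCP sockets. The accept() end runs the TLS client handshake and verifies the peer, the connect() end runs the TLS server handshake, and both handshakes are started concurrently, so only the connecting end is authenticated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// constructedCredential: a throwaway self-signed certificate (test material, not a real
// credential) for the end that will run the TLS server handshake.
func constructedCredential() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"connecting-peer"}, // identity the accept() end will verify
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// ReversedHandshake swaps the TLS roles relative to the transport direction: the accept()
// end takes the TLS client role and verifies the peer, the connect() end takes the TLS server
// role and presents the credential. Both handshakes must run concurrently, or each end waits
// for the other's first flight. Returns the verified peer name seen by the accept() end and
// whether the connect() end received any peer certificate (it must not).
func ReversedHandshake() (string, bool, error) {
	cert, pool := constructedCredential()
	acceptEnd, connectEnd := net.Pipe() // stands in for the accepted / connecting TCP socket
	tlsClient := tls.Client(acceptEnd, &tls.Config{RootCAs: pool, ServerName: "connecting-peer", MinVersion: tls.VersionTLS12})
	tlsServer := tls.Server(connectEnd, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true}) // no post-handshake ticket: net.Pipe has no buffering
	errc := make(chan error, 1)
	go func() { errc <- tlsServer.Handshake() }() // server-role handshake runs in parallel
	cerr := tlsClient.Handshake()
	if serr := <-errc; cerr != nil || serr != nil {
		return "", false, fmt.Errorf("client role: %v; server role: %v", cerr, serr)
	}
	peer := tlsClient.ConnectionState().PeerCertificates[0].DNSNames[0]
	return peer, len(tlsServer.ConnectionState().PeerCertificates) > 0, nil
}
```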