
Re: [iaik-ssl] Hw to do client authentication only?

The code snippets you post seem to be ok but there must be a problem
somewhere. A "deadlock" would indicate that both peers are in server mode
and waiting for the other to send the first message. The second error
looks like the handshake is not performed at all by one peer and plain
application data is sent instead.

Note that you do not need to make any calls to setAutoHandshake() for
client server reversal, you only need to make the calls to
setUseClientMode() on both ends at a convenient place between socket
creation and handshake start. AND you need to use an SSLServerContext on
the peer then acting as the SSL server as it needs to get its
certificates from somewhere.


 Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.at
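The client/server role reversal described above, as an added example written in Go against the standard crypto/tls package rather than iSaSiLk (this is not code from the thread or from IAIK): the peer that opens the TCP connection holds the certificate and runs the TLS server side of the handshake (the SSLServerContext / setUseClientMode(false) peer in iSaSiLk terms), while the accepting peer runs the TLS client side (setUseClientMode(true)) and verifies that certificate, so only the connecting peer is authenticated. The self-signed certificate, the loopback address and the name "connecting-peer" are constructed for the example. The bothServerMode switch reproduces the deadlock from the thread, with a socket deadline so that it surfaces as a timeout error instead of a hang.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory self-signed certificate for the peer that
// presents credentials (constructed for this example; it plays the part of the
// credentials an SSLServerContext holds in iSaSiLk).
func selfSignedCert(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// reversedHandshake runs one connection over a loopback TCP pair and returns the
// CommonName the accepting peer verified. The TCP client acts as TLS server (it
// has the certificate); the TCP server acts as TLS client and verifies it.
// With bothServerMode both peers wait for the other's first flight, which is the
// "deadlock" from the thread; the deadline turns it into an error.
func reversedHandshake(bothServerMode bool) (string, error) {
	cert, leaf, err := selfSignedCert("connecting-peer")
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "connecting-peer", MinVersion: tls.VersionTLS12}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	type result struct {
		cn  string
		err error
	}
	done := make(chan result, 1)

	// Accepting peer: TCP server, but TLS client (setUseClientMode(true)).
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- result{"", err}
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(2 * time.Second))
		conn := tls.Client(raw, cliCfg)
		if bothServerMode { // the mistake: both ends wait for a ClientHello
			conn = tls.Server(raw, srvCfg)
		}
		if err := conn.Handshake(); err != nil {
			done <- result{"", err}
			return
		}
		done <- result{conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil}
	}()

	// Connecting peer: TCP client, but TLS server holding the credentials
	// (setUseClientMode(false) plus an SSLServerContext).
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(2 * time.Second))
	hsErr := tls.Server(raw, srvCfg).Handshake()
	r := <-done
	if hsErr != nil {
		return "", hsErr
	}
	return r.cn, r.err
}

func main() {
	cn, err := reversedHandshake(false)
	fmt.Println("reversed roles, authenticated peer:", cn, "err:", err)
	_, err = reversedHandshake(true)
	fmt.Println("both peers in server mode, err:", err)
}
```

The ordering constraint from the reply carries over unchanged: the role of each end (tls.Server or tls.Client here, setUseClientMode in iSaSiLk) must be fixed before the first handshake message is sent, and only the end that takes the server role needs the credential-bearing context.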

-----Original Message-----
From: "Gerald Brose" <brose@inf.fu-berlin.de>
To: <iaik-ssl@iaik.tu-graz.ac.at>
Sent: Wednesday, 06 September 2000 16:40
Subject: Re: [iaik-ssl] Hw to do client authentication only?

> Andreas Sterbenz wrote:
> > ...
> > Getting back to the original question, client-only authentication is
> > specified in the SSL/TLS protocol. Assuming you are using iSaSiLk (or
> > some other product with this feature) on both ends of the connection
> > can somewhat achieve the equivalent by manually reversing the client
> > server roles using setUseClientMode().
> Ok, it seems a bit unwieldy, but alright. However, I run into
> a deadlock when trying to do it like this:
> Client:
>   SSLServerContext cctx = new ...()
>   cctx.addServerCredentials(..)
>   SSLSocket csock = new SSLSocket(..., cctx);
>   csock.setAutoHandshake(false);
>   csock.setUseClientMode(false);
>   csock.setAutoHandshake(true);
>
> Server:
>   ss = new SSLServerSocket();
>   SSLSocket ssock = (SSLSocket)ss.accept();
>   ssock.setAutoHandshake(false);
>   ssock.setUseClientMode(true);
>   ssock.startHandshake();