
Re: [iaik-ssl] How to do client authentication only?



Just a final note:

The problem seems to be specific to Solaris 5.8; there are
no problems with using iSaSiLk 3.0/3.0.1 and native threads
on other platforms (WinNT or Solaris 5.7 worked alright).

Regards, Gerald Brose.

Gerald Brose wrote:
> 
> I noticed that my problem has to do with native threads
> on Solaris (we're using 2.8). If I run my programs on Windows
> NT or on Solaris using Java's green threads on the client
> side, the code (without any autohandshake settings) runs fine.
> This seems to indicate some (potential) synchronization problem
> somewhere in the background.
> 
> Regards and thanks, Gerald Brose.
> 
> Andreas Sterbenz wrote:
> >
> > The code snippets you post seem to be ok but there must be a problem
> > somewhere. A "deadlock" would indicate that both peers are in server mode
> > and waiting for the other to send the first message. The second error
> > looks like the handshake is not performed at all by one peer and plain
> > application data is sent instead.
> >
> > Note that you do not need to make any calls to setAutoHandshake() for
> > client server reversal, you only need to make the calls to
> > setUseClientMode() on both ends at a convenient place between socket
> > creation and handshake start. AND you need to use an SSLServerContext on
> > the peer then acting as the SSL server as it needs to get its
> > certificates from somewhere.
> >
> > Regards,
> >
> >  Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.at
> >
> > -----Original Message-----
> > From: "Gerald Brose" <brose@inf.fu-berlin.de>
> > To: <iaik-ssl@iaik.tu-graz.ac.at>
> > Sent: Wednesday, 06 September 2000 16:40
> > Subject: Re: [iaik-ssl] How to do client authentication only?
> >
> > > Andreas Sterbenz wrote:
> > > > ...
> > > > Getting back to the original question, client-only authentication is not
> > > > specified in the SSL/TLS protocol. Assuming you are using iSaSiLk (or
> > > > some other product with this feature) on both ends of the connection you
> > > > can somewhat achieve the equivalent by manually reversing the client and
> > > > server roles using setUseClientMode().
> > >
> > > Ok, it seems a bit unwieldy, but alright. However, I run into
> > > a deadlock when trying to do it like this:
> > >
> > > Client                                        Server
> > >
> > >                                               ss = new SSLServerSocket();
> > >                                               SSLSocket ssock = (SSLSocket)ss.accept();
> > > SSLServerContext cctx = new ...()
> > > cctx.addServerCredentials(..)
> > > SSLSocket csock = new SSLSocket(..., cctx);
> > >                                               ssock.setAutoHandshake(false);
> > >                                               ssock.setUseClientMode(true);
> > >                                               ssock.startHandshake();
> > >
> > > csock.setAutoHandshake(false);
> > > csock.setUseClientMode(false);
> > > csock.setAutoHandshake(true);
> 
> --
> Gerald Brose,                       Mail:       brose@inf.fu-berlin.de
> FU Berlin        (for PGP key see:) http://www.inf.fu-berlin.de/~brose
> Institut f. Informatik              Ph-one:        (++49-30) 838-75112
> Berlin, Germany                     Ph-ax:         (++49-30) 838-75109
> --
> Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html
> 
> To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl
> 
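
The role reversal Andreas Sterbenz describes in the quoted text above, as an added example that is not part of the original thread. It uses the JDK's standard JSSE API (javax.net.ssl) instead of iSaSiLk and assumes a JDK with keytool on the PATH; the class name, password and temporary keystore are constructed for the demonstration.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;
import java.security.KeyStore;
import javax.net.ssl.*;
// Added example (standard JSSE, not iSaSiLk): the TCP connector takes the TLS
// server role and presents the certificate; the TCP listener acts as TLS client.
public class RoleReversal {
    static final String PW = "changeit"; // constructed throwaway password
    static SSLSocket wrap(SSLContext ctx, Socket plain, boolean tlsClient) throws IOException {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(plain, "localhost", plain.getPort(), true);
        s.setUseClientMode(tlsClient); // must happen before the handshake starts
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Throwaway self-signed key pair, generated with the JDK's keytool.
        Path p12 = Files.createTempDirectory("rolerev").resolve("peer.p12");
        new ProcessBuilder("keytool", "-genkeypair", "-alias", "peer", "-keyalg", "RSA",
                "-dname", "CN=localhost", "-storetype", "PKCS12",
                "-keystore", p12.toString(), "-storepass", PW).inheritIO().start().waitFor();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p12)) { ks.load(in, PW.toCharArray()); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PW.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // trusts exactly the certificate generated above
        SSLContext withKey = SSLContext.getInstance("TLS");   // authenticating side
        withKey.init(kmf.getKeyManagers(), null, null);
        SSLContext trustOnly = SSLContext.getInstance("TLS"); // verifying side, no key
        trustOnly.init(null, tmf.getTrustManagers(), null);
        try (ServerSocket listener = new ServerSocket(0)) {
            Thread connector = new Thread(() -> {
                try (SSLSocket tls = wrap(withKey, new Socket("localhost", listener.getLocalPort()), false)) {
                    tls.startHandshake();           // TCP client in the TLS server role
                    tls.getOutputStream().write(1); // one byte so the peer closes last
                } catch (IOException e) { throw new UncheckedIOException(e); }
            });
            connector.start();
            try (SSLSocket tls = wrap(trustOnly, listener.accept(), true)) {
                tls.startHandshake();        // TCP server in the TLS client role
                tls.getInputStream().read(); // wait for the connector's byte
                System.out.println("authenticated peer: " + tls.getSession().getPeerPrincipal());
            }
            connector.join();
        }
    }
}
```

Only the TCP connector is authenticated in this arrangement: the listener presents no certificate, so the connector learns nothing about who accepted the connection.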