
Re: [iaik-jce] [iaik-ssl] Why is client certificate unavailable?



Hi again,

On Fri, 18 Aug 2000 10:00:50 -0400, Timothy Wall wrote:

>Ah, at last a response!  Thanks André.
>
>Normally, jacorb looks up the keystore and asks (via console) for passwords
>and user/alias.  I hacked a few things to pull in the alias, keystore and
>passphrase via different methods.  Jacorb *is* using the keystore, and
>extracting a cert and key for a given alias.

So you didn't define any CA, did you?
Also check whether mico-openssl sends the CAs it accepts; otherwise there will
be no match.

>Keystore:  I've used both a custom one I set up (using KeyStoreManager,
>creating a key, importing a certificate generated using openssl) and the demo
>keystore generated by the iSaSiLk demo.  If I direct the iSaSiLk demo to talk
>to the openssl s_server, the certificate info is transmitted correctly.  Using
>the demo keystore to talk to mico+openssl, the certificate info is missing.
>So I don't think the problem is in my keystore.

Your KeyStore must also have a trusted certificate entry for each CA.
Once again, check whether mico-openssl sends the CAs it accepts; otherwise
there will be no match: no CA, so no possible trusted certificate chain, I think.

>
>The jacorb setup is the default in SSLSetup.java/.orig -- the keystore is
>loaded, the x509 chain for a given alias loaded, along with the private key,
>and addClientCredentials is called on the clientContext.  I haven't changed
>any of that.
>
>I added debug statements to jacorb to verify that the client x509 chain
>really contained the information I thought it did, and the information shows
>up (just before the call to addClientCredentials).  I didn't do any
>verification of the loaded private key.
>
>On the openssl side, I have set the verify depth to 0 (which requests a
>client certificate, but ignores CAs).  I've played around with changing the
>requested ciphersuite on openssl, but that doesn't seem to have any effect.
>
>Tim
>
I think your keystore isn't OK. I could send you a keystore, just to be sure.
I also recommend that you read the readSSL file and let jacorb do the SSL
setup.

Regards, André
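As an added illustration (not code from this thread, from jacorb or from iSaSiLk), here is a plain-JDK check of the two conditions André describes: the alias's certificate chain must lead to a CA on the list the server sends in its CertificateRequest, and that CA must also be present in the keystore as a trusted certificate entry. It assumes the keystore path, its password and the server's accepted CA names are given on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class ClientCertCheck {

    // Aliases whose chain ends in a CA the server accepts AND whose CA has a
    // trusted certificate entry in the keystore; everything else is reported.
    public static List<String> usableAliases(KeyStore ks, List<X500Principal> acceptedCAs)
            throws Exception {
        List<String> result = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;             // needs a private key
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;
            // Issuer of the last chain element: the root itself if the chain
            // includes the self-signed root, otherwise the root that signed it.
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            X500Principal issuer = top.getIssuerX500Principal();
            if (!acceptedCAs.contains(issuer)) {
                System.out.println(alias + ": issuer " + issuer + " not in server's CA list");
            } else if (!hasTrustedCert(ks, issuer)) {
                System.out.println(alias + ": no trusted certificate entry for " + issuer);
            } else {
                result.add(alias);
            }
        }
        return result;
    }

    // True if some trusted certificate entry has 'ca' as its subject.
    static boolean hasTrustedCert(KeyStore ks, X500Principal ca) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (c.getSubjectX500Principal().equals(ca)) return true;
        }
        return false;
    }

    // args: <keystore> <password> <accepted CA DN>...  (DNs as shown by the server)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(new FileInputStream(args[0]), args[1].toCharArray());
        List<X500Principal> cas = new ArrayList<X500Principal>();
        for (int i = 2; i < args.length; i++) cas.add(new X500Principal(args[i]));
        System.out.println("usable aliases: " + usableAliases(ks, cas));
    }
}
```

An empty result with no alias reported at all means the keystore has no key entry with a chain, which points back at how the keystore was built rather than at the CA list.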


--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-jce/jcethreads.html

To unsubscribe send an email to listserv@iaik.at with the following content:
UNSUBSCRIBE iaik-jce


IAIK S/MIME Mapper Security Info for message:
  From: "André Benvenuti" <dedeben@freesurf.ch>
  Date: Fri, 18 Aug 2000 17:29:11 +0200
  Subject: Re: [iaik-jce] [iaik-ssl] Why is client certificate unavailable?
  Encrypted using: not encrypted
  Digitally signed: no (signature valid: n/a; signature trusted: n/a)
  Compliance with policy for email addresses: Encryption OK (None or better required); Digital Signature OK (digital signature not required)