
AW: [iaik-ssl]cu|| SSL Exception question



Hello,

according to TLS spec "certificate unknown" indicates some other
(unspecified) issue arose in processing the certificate, rendering
it unacceptable.

As you see, this is a more general alert message indicating some
(perhaps parsing) problems with the peer certificate? Do you have
a handshake debug output?

> Also, is there a way to capture the
> Server's Certificate during runtime so I can compare it to the certificate I
> have stored in my trustee certificate file?  I would like to be sure that
> the server certificate I am authenticating against matches the one they sent
> me.
You may call method getPeerCertificateChain() of the SSLSocket you are using
to get the certificates sent by the peer. However, if you have added the
server cert itself as trusted cert to your ChainVerifier it is compared
against the one sent by the server anyway.

Regards,
Dieter Bratko


-----Original Message-----
From: iaik-ssl-owner@iaik.at [mailto:iaik-ssl-owner@iaik.at] On Behalf Of Stickley, Jim
Sent: Wednesday, 27 February 2002 15:52
To: 'iaik-ssl@iaik.at'
Subject: [iaik-ssl]cu|| SSL Exception question


I am running a JacORB SSL Client that connects to a CORBA SSL Server
(vendor unknown) which requires client authentication to successfully
authenticate the connection.  I have the client SSL key/cert loaded into an
IAIK cert file and I have the server's certificate loaded into a separate
trustee file. These files are referenced as follows:

	CLIENT KEY AND CERT IS:  jacorb.security.keystore=./keystore.iaik.cacerts
	SERVERS CERT IS:         jacorb.security.trustees=./SBC.cer

I know I am establishing a good TCP/IP connection and that it begins
negotiating SSL, but for some reason SSL fails to authenticate.  What does
the SSL exception found at the end of this e-mail mean and what are possible
reasons for getting this exception?  Also, is there a way to capture the
Server's Certificate during runtime so I can compare it to the certificate I
have stored in my trustee certificate file?  I would like to be sure that
the server certificate I am authenticating against matches the one they sent
me.

Thanks.

EXCEPTION FOLLOWS:

[ starting authentication ]
[ added Provider IAIK ]
[ authentication succeeded ]
[ AuthenticationStatus.SecAuthSuccess ]
############################ StackTrace ############################
iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: certificate unknown
        at iaik.security.ssl.r.f(Unknown Source)
        at iaik.security.ssl.x.b(Unknown Source)
        at iaik.security.ssl.x.a(Unknown Source)
        at iaik.security.ssl.r.d(Unknown Source)
        at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
        at iaik.security.ssl.SSLTransport.getInputStream(Unknown Source)
        at iaik.security.ssl.SSLSocket.getInputStream(Unknown Source)
        at org.jacorb.orb.connection.ClientConnection.<init>(Unknown Source)
        at org.jacorb.orb.connection.ConnectionManager._getConnection(Unknown Source)
        at org.jacorb.orb.connection.ConnectionManager._getConnection(Unknown Source)
        at org.jacorb.orb.connection.ConnectionManager.getConnection(Unknown Source)
        at org.jacorb.orb.Delegate.bind(Unknown Source)
        at org.jacorb.orb.Delegate.request(Unknown Source)
        at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:433)
        at ansi_t1_267.LSOG6._CustomerServiceInformationStub.submit(_CustomerServiceInformationStub.java:28)
        at com.Birch.Preorder.TestClient.ClientMain_JacORB_iaik.main(ClientMain_JacORB_iaik.java:271)
####################################################################
[ Retrying connection to 155.179.117.233:28586 ]

<<<< This exception repeats 5 more times and then the following exception is
thrown>>>>>>>>>>>>

org.omg.CORBA.TRANSIENT: Retries exceeded, couldn't connect to 155.179.117.233:28586  minor code: 0  completed: No
        at org.jacorb.orb.connection.ConnectionManager._getConnection(Unknown Source)
        at org.jacorb.orb.connection.ConnectionManager._getConnection(Unknown Source)
        at org.jacorb.orb.connection.ConnectionManager.getConnection(Unknown Source)
        at org.jacorb.orb.Delegate.bind(Unknown Source)
        at org.jacorb.orb.Delegate.request(Unknown Source)
        at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:433)
        at ansi_t1_267.LSOG6._CustomerServiceInformationStub.submit(_CustomerServiceInformationStub.java:28)
        at com.Birch.Preorder.TestClient.ClientMain_JacORB_iaik.main(ClientMain_JacORB_iaik.java:271)


Jim Stickley
Birch Telecom
jstickley@birch.com
office: (816) 300-6743
mobile: (816) 213-4878


--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the following content:
UNSUBSCRIBE iaik-ssl
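
Added example (not part of the original thread, and not IAIK or JacORB code): one way to do the runtime comparison discussed in the reply above. It uses the standard JSSE API (javax.net.ssl.SSLSocket and getSession().getPeerCertificates()) in place of the IAIK SSLSocket.getPeerCertificateChain() call named in the reply; the class name PeerCertCheck and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PeerCertCheck {

    // Load the certificate kept on disk (DER or PEM), e.g. the trustee file.
    static X509Certificate loadPinned(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    // SHA-256 over the DER encoding, as lowercase hex, for logging and comparison by eye.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // True only if the peer's own (first) certificate is byte-for-byte the stored one.
    static boolean matchesPinned(Certificate[] peerChain, X509Certificate pinned)
            throws Exception {
        return peerChain.length > 0 && MessageDigest.isEqual(
                peerChain[0].getEncoded(), pinned.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <host> <port> <stored-server-cert-file>
        X509Certificate pinned = loadPinned(args[2]);
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            // JSSE returns the peer's own certificate first, followed by any CA certificates.
            Certificate[] chain = s.getSession().getPeerCertificates();
            System.out.println("stored: " + fingerprint(pinned));
            System.out.println("peer:   " + fingerprint(chain[0]));
            System.out.println(matchesPinned(chain, pinned) ? "MATCH" : "MISMATCH");
        }
    }
}
```

The peer chain is only available once the handshake has completed, so the server certificate must be trusted by the JVM's trust store, and a server that requires client authentication needs the client key supplied through the standard javax.net.ssl.keyStore system properties.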

