
Re: [iaik-ssl]cu|| How to differentiate between Handshake problems



Hello,

Yes, currently the only publicly available error status information is the one
given in the exception messages. Writing your own ChainVerifier may only
cover certificate-related problems (which may be classified depending on
your ChainVerifier implementation).

Regards,
Dieter

-----Original Message-----
From: iaik-ssl-owner@iaik.at [mailto:iaik-ssl-owner@iaik.at] On Behalf
Of Johan Corveleyn
Sent: Monday, 04 November 2002 16:09
To: iaik-ssl@iaik.at
Subject: [iaik-ssl]cu|| How to differentiate between Handshake problems


Hello,

I'm currently evaluating the iSaSiLk library. I have the following question
(I have searched the mailing list archive, but have not found an answer):

When a handshake with startHandshake() fails, an IOException is thrown (both
on client and server side), with a message describing what went wrong ("no
matching ciphersuite", "no trusted certificate", ...). We now want more
control over things that can go wrong during handshaking, because we want to
give useful feedback to the user. Because this feedback needs to be
language-specific, we need to be able to determine the cause of the
handshake failure. How can this be done, when we only get an IOException
with a message? Should we use the message string as an identifier for the
kind of problem (seems inflexible and error-prone)? Or can this only be done
by writing our own ChainVerifier, making our own verifications of the
certificate chains, with our own try-catch-blocks (seems like a lot of
work)?

The different handshake problems between which we want to differentiate are,
among others (both on client and on server side):
     - other side seems to be talking plain
     - wrong SSL version/protocol
     - no common ciphersuites
     - remote side certificate expired
     - remote side certificate corrupt
     - remote side certificate not trusted (possibly a difference between
       end certificate or cert in chain)
     - unsupported key length/type

Regards,
Johan Corveleyn

--
Mailinglist-archive at
http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the following content:
UNSUBSCRIBE iaik-ssl
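
The certificate-related cases in the list above can be told apart with standard JDK calls, as in the following added example, which is not code from the thread or from iSaSiLk. ChainFailureClassifier, Reason and Result are hypothetical names, and the wiring into an iSaSiLk ChainVerifier is left out because the thread does not show that interface.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

/** Hypothetical helper, not part of iSaSiLk: says why a peer chain would be rejected. */
public final class ChainFailureClassifier {
    /** Stable codes that the application maps to localized messages. */
    public enum Reason { OK, EMPTY_CHAIN, EXPIRED, NOT_YET_VALID, BAD_SIGNATURE, UNTRUSTED }

    /** Reason plus index of the offending certificate (0 = end entity, -1 = none). */
    public static final class Result {
        public final Reason reason;
        public final int index;
        Result(Reason reason, int index) { this.reason = reason; this.index = index; }
    }

    /** chain: end-entity certificate first, each issued by the next; anchors: trusted certs. */
    public static Result classify(X509Certificate[] chain, Set<X509Certificate> anchors, Date now) {
        int n = (chain == null) ? 0 : chain.length;
        for (int i = 0; i < n; i++) {
            X509Certificate cert = chain[i];
            try {
                cert.checkValidity(now);
            } catch (CertificateExpiredException e) {
                return new Result(Reason.EXPIRED, i);
            } catch (CertificateNotYetValidException e) {
                return new Result(Reason.NOT_YET_VALID, i);
            }
            if (anchors.contains(cert)) return new Result(Reason.OK, -1);
            boolean last = (i == n - 1);
            X509Certificate issuer = last ? findAnchor(cert, anchors) : chain[i + 1];
            if (issuer == null) return new Result(Reason.UNTRUSTED, i); // chain ends untrusted
            try {
                cert.verify(issuer.getPublicKey()); // fails for an altered cert or broken link
            } catch (GeneralSecurityException e) {
                return new Result(Reason.BAD_SIGNATURE, i);
            }
            if (last) return new Result(Reason.OK, -1); // signed by a trust anchor
        }
        return new Result(Reason.EMPTY_CHAIN, -1); // only reached when no certificate was sent
    }

    private static X509Certificate findAnchor(X509Certificate cert, Set<X509Certificate> anchors) {
        for (X509Certificate a : anchors)
            if (a.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return a;
        return null;
    }
}
```

The index separates a problem with the end certificate (0) from one higher in the chain. Constraints, key usage and revocation are not examined, so the accept/reject decision should stay with the library's own verification and this result should only select the message shown to the user.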