tomcat - Client certificate is not sent to server
I am trying to set up two-way SSL authentication for a SOAP web service running on JBoss 4.2.3. I have created a CA for this purpose: a root CA and 2 intermediate CAs (for the development and production environments).
However, when trying to test the setup with a client certificate signed by one of the intermediate CAs, I have run into problems.
The server is set up with the root CA in the JVM's cacerts keystore, and the relevant intermediate CA in the keystore used as the Tomcat connector truststore. The complete connector config is the following:
<Connector port="443" address="${jboss.bind.address}" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="keystore.p12" keystorePass="******" keystoreType="PKCS12" emptySessionPath="true" enableLookups="false" acceptCount="100" truststoreFile="truststore.jks" truststorePass="******" truststoreType="JKS" disableUploadTimeout="true" />
When connecting with openssl s_client, I can see that "Acceptable client certificate CA names" lists our intermediate CA. I am providing the correct client certificate and key in the -cert and -key options. As far as I can understand the openssl output, the certificate is never sent. I tried concatenating the client certificate, intermediate and root CA into a single PEM file, to present the entire chain, but that didn't help either.
The s_client command line is the following:
openssl s_client -host localhost -port 443 -cert client_cert.crt -key client_key.key -CApath /etc/ssl/certs/ -debug -state
The same behaviour is observed when I try to test the service with Google Chrome, with the relevant certificates installed in Windows. The Wireshark output looks the same - the certificate is requested, the correct acceptable CA is presented, but the browser never gives me a choice of certificate, and an empty client certificate message is sent to the server.
So the question is - what am I missing here? I have assumed that the acceptable CA list should be used by the client to decide which certificates to send, but the decision making goes otherwise and no certificate is sent. Again assuming that the server is configured correctly, because the expected CA is sent in the negotiation, what is missing on the client side?
Edit:
As requested by @Bruno, I looked at the key usage of the certificates. The client certificate used gives the following information when printed with openssl x509 -noout -text -in client.cer
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    .....
X509v3 Extended Key Usage:
    TLS Web Client Authentication
Looking at this - the empty key usage field seems to be the culprit. What values should be there? I can't seem to figure out how to phrase a Google search for such information. I'll have a look at the CA management software then.
Thanks to the hint given by @Bruno, I investigated the key usage part of the client certificates. It turns out we were generating certificates with an empty key usage attribute.
I have configured our CA management software to generate certificates with the following key usage/extended key usage attributes. I confess I don't understand what each of these does, but it made the system work now. Hopefully I have not added anything potentially dangerous here.
X509v3 Key Usage: critical
    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
    TLS Web Client Authentication
After googling around for information on key usage bits, I stumbled upon this question, which explained things somewhat.
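As an added example (not code from the original post), the following pure-Python snippet decodes the DER-encoded X.509 Key Usage extension (RFC 5280 section 4.2.1.3) and applies the check that explains the behaviour above: a TLS client proves possession of its private key by signing the CertificateVerify message, so a critical Key Usage extension with no digitalSignature bit leaves the client nothing it is allowed to present. The three sample extensions are constructed by hand for this example; the "good" one carries exactly the bits listed in the fixed certificate above.

```python
# Decode an X.509 KeyUsage extension from DER and decide whether the
# certificate is usable for TLS client authentication.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage (2.5.29.15), DER content octets

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_key_usage(bitstring):
    """Map BIT STRING content octets (first octet = unused-bit count) to usage names."""
    unused = bitstring[0]
    total = (len(bitstring) - 1) * 8 - unused  # number of bits actually encoded
    names = []
    for i in range(min(total, len(KEY_USAGE_BITS))):
        if bitstring[1 + i // 8] & (0x80 >> (i % 8)):  # bit 0 is the MSB of the first octet
            names.append(KEY_USAGE_BITS[i])
    return names

def parse_key_usage_extension(ext_der):
    """Parse Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    tag, body, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not the KeyUsage extension")
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN is present
        critical = val != b"\x00"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = read_tlv(val)  # the OCTET STRING wraps the KeyUsage BIT STRING
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    return critical, decode_key_usage(bits)

def usable_for_tls_client_auth(ext_der):
    """Client auth needs a signature, so a critical KeyUsage must include digitalSignature."""
    critical, usages = parse_key_usage_extension(ext_der)
    return (not critical) or ("digitalSignature" in usages)

# Constructed sample extensions (hand-encoded DER, not taken from the post's certificates):
EMPTY_KU = bytes.fromhex("300d0603551d0f0101ff0403030100")    # critical, no bits set (the bug)
GOOD_KU = bytes.fromhex("300e0603551d0f0101ff0404030203f8")   # critical, bits 0-4 set (the fix)
ENC_ONLY_KU = bytes.fromhex("300e0603551d0f0101ff040403020520")  # critical, keyEncipherment only
```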