[jboss-user] [Security & JAAS/JBoss] - javax.net.ssl.SSLHandshakeException: null cert chain

erace do-not-reply at jboss.com
Fri Dec 7 05:39:18 EST 2007


Hi,

How can I find out the reason for the exception "javax.net.ssl.SSLHandshakeException: null cert chain" when the https connector is set to clientAuth="true"?

I have managed to make it work with self-signed certs. The problem occurs when I receive a client certificate signed by some other CA than mine.

The CA that signed the client cert is different from the CA that signed the server cert, but they have a common RootCA. It looks as follows:

RootCA
  | ^
  | |
  | SomeOtherCA
  | ^         ^
  | |         |
  | ServerCA  ClientCA

All CAs are imported into the truststore and used during configuration. It works the same via -Djavax.net.ssl.trustStore=/some.truststore and via truststoreFile="" as the Connector's attribute.

I have imported the PKCS#12 cert into the web browser (Firefox 2.0 Linux).

The only strange thing I can see in the logs is this:

11:07:26,454 INFO  [STDOUT] http-127.0.0.1-8443-1, READ: TLSv1 Handshake, length = 109
11:07:26,454 INFO  [STDOUT] *** Certificate chain
11:07:26,454 INFO  [STDOUT] ***
11:07:26,462 INFO  [STDOUT] http-127.0.0.1-8443-1
11:07:26,462 INFO  [STDOUT] , SEND TLSv1 ALERT:  
11:07:26,462 INFO  [STDOUT] fatal, 
11:07:26,462 INFO  [STDOUT] description = bad_certificate
11:07:26,462 INFO  [STDOUT] http-127.0.0.1-8443-1, WRITE: TLSv1 Alert, length = 2
11:07:26,462 INFO  [STDOUT] [Raw write]: length = 7

After that I receive:

11:07:26,463 INFO  [STDOUT] http-127.0.0.1-8443-1, called closeSocket()
11:07:26,463 INFO  [STDOUT] http-127.0.0.1-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
11:07:26,463 DEBUG [JIoEndpoint] Handshake failed
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:156)
        at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:628)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:619)
11:07:26,464 INFO  [STDOUT] http-127.0.0.1-8443-1, called close()
11:07:26,464 INFO  [STDOUT] http-127.0.0.1-8443-1, called closeInternal(true)

I am pretty stuck with this. Any hints?

/p

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4111161#4111161

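An added diagnostic, written for this thread and not taken from the post above or from the JBoss/Tomcat code base. In the log quoted above the "*** Certificate chain" block is empty, i.e. the browser answered the server's CertificateRequest with a Certificate message containing no certificates, and with clientAuth="true" JSSE reports exactly that as "null cert chain" and sends a bad_certificate alert. The program below reproduces the two server-side facts that decide this offline: the CA names the server advertises in its CertificateRequest (the trust manager's accepted issuers, taken from the truststore) and the chain that is actually inside the PKCS#12 the browser imported, then runs the same checkClientTrusted() call that ServerHandshaker.clientCertificate() would run on that chain. The class name, the argument layout, the "JKS" truststore type and the "RSA" auth type are assumptions for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Example diagnostic for a clientAuth="true" connector (not JBoss/Tomcat code):
 *   java ClientAuthCheck <truststore.jks> <truststorePassword> <client.p12> <p12Password>
 * Prints what the server would send in CertificateRequest, what the browser has to offer,
 * and whether the server's trust manager would accept that chain.
 */
public class ClientAuthCheck {

    // Assumed store types: a JKS truststore (Tomcat default) and a PKCS#12 client bundle.
    static KeyStore load(String type, String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Same factory the JSSE connector uses; its accepted issuers become the CA list
    // in the server's CertificateRequest and the anchors for checkClientTrusted().
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // The chain stored with the first private key in the PKCS#12, leaf first.
    // A chain of length 1 means ClientCA/SomeOtherCA were not bundled into the .p12.
    static X509Certificate[] clientChain(KeyStore p12) throws Exception {
        for (Enumeration<String> e = p12.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (p12.isKeyEntry(alias)) {
                java.security.cert.Certificate[] raw = p12.getCertificateChain(alias);
                X509Certificate[] chain = new X509Certificate[raw.length];
                for (int i = 0; i < raw.length; i++) {
                    chain[i] = (X509Certificate) raw[i];
                }
                return chain;
            }
        }
        throw new IllegalStateException("PKCS#12 contains no private key entry");
    }

    // True when the leaf's issuer is one of the names the server advertises.
    static boolean issuerAdvertised(X509TrustManager tm, X509Certificate leaf) {
        X500Principal issuer = leaf.getIssuerX500Principal();
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            if (ca.getSubjectX500Principal().equals(issuer)) {
                return true;
            }
        }
        return false;
    }

    // The exact check the server performs once a non-empty chain arrives.
    static boolean wouldServerAccept(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkClientTrusted(chain, "RSA"); // "RSA" is an assumed key type
            return true;
        } catch (CertificateException ex) {
            System.out.println("checkClientTrusted rejected the chain: " + ex.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor(load("JKS", args[0], args[1]));
        X509Certificate[] chain = clientChain(load("PKCS12", args[2], args[3]));

        System.out.println("CA names the server advertises in CertificateRequest:");
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("  " + ca.getSubjectX500Principal());
        }
        System.out.println("Chain inside the PKCS#12 (" + chain.length + " certificate(s), leaf first):");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                + "  issuer=" + c.getIssuerX500Principal());
        }
        System.out.println("Leaf issuer is in the advertised list: " + issuerAdvertised(tm, chain[0]));
        System.out.println("Server trust manager accepts the chain: " + wouldServerAccept(tm, chain));
    }
}
```

The two printed comparisons cover the usual reasons a browser sends an empty Certificate message: the client certificate's issuer (or an ancestor the browser can find) is not among the advertised CA names, or the PKCS#12 carries only the leaf so the browser cannot build a chain to one of them. If the tool reports the chain as accepted but the server still logs "null cert chain", the problem is on the browser's side of the selection, not in the server's truststore.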