Hey Jim,
Thanks for the clarification there. That's how I thought it should behave.... =)
Now if only I could figure out how to read my client certificate in Java. I'm always getting null... I've tried using both
String cipherSuite = (String) request.getAttribute("javax.net.ssl.cipher_suite");
and
X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
But they both return null. If anybody knows how, please holler. thanks!
Liam
Hi,
Apologies for dropping in on this thread, but I don't have the impression that a client will 'normally' actually connect to the CA to verify the server cert. Instead, I believe what happens is that the client should have the CA's root cert, which has the public key for the CA, and the client can then use that key to authenticate the server cert (e.g., by checking the digital signature of the server cert). That's why sometimes when you connect to a server, you get a popup with a warning that the server is "not trusted" ==> you don't have the CA's root cert.
Once the server cert has been authenticated thusly, then I think most clients (e.g., IE and Netscape) will check to see if the host name in the server cert matches the hostname in the URL that was used, and if not the same, will popup a warning message.
The only time I'm aware of a client connecting to the server cert CA would be if (1) the server cert has a CDP, pointing to the location of the CA's CRL, AND (2) if the client is enabled to check CRLs.
For example, IE normally has CRL checking disabled, so it doesn't check whether server certs have been revoked. You can enable it in Advanced Settings, and then it is supposed to check for a revoked server cert.
Jim
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
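The verification Jim describes, written out as an added example (it is not code from this thread or from the OpenSSL project, and it uses Go's standard crypto/x509 package rather than OpenSSL). A client that already holds the CA's root cert checks the server cert's signature and the hostname entirely offline; the only piece of CA-issued data beyond the root is the optional CRL, which a client with CRL checking enabled would download from the cert's CDP. The CA name "Example Test Root CA", the hostnames under example.test, the serial numbers and the CDP URL are all made up for the example; the CRL bytes are handed to the checker directly instead of being fetched.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed-PKI setup short; any failure here is a bug in the example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI plays the CA: a self-signed root and a server cert for hostname (all values constructed).
func buildPKI(hostname string) (caCert *x509.Certificate, caKey *ecdsa.PrivateKey, srvCert *x509.Certificate) {
	now := time.Now()
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: this CA also signs CRLs
	}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1002), DNSNames: []string{hostname},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"}, // the CDP from point (1); hypothetical URL
	}
	srvCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey))))
	return caCert, caKey, srvCert
}

// verifyServer is the client side: only local data (trusted roots, the URL's hostname); the CA is never contacted.
func verifyServer(srvCert *x509.Certificate, roots *x509.CertPool, hostname string) string {
	_, err := srvCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknownCA): // the "not trusted" popup: no root cert for this CA
		return "not trusted"
	case errors.As(err, &badName): // chain is fine, but the cert's name is not the URL's host
		return "hostname mismatch"
	}
	return "failed: " + err.Error()
}

// issueCRL plays the CA again: a signed CRL listing the revoked serials (what a client would fetch from the CDP).
func issueCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: entries,
	}, caCert, caKey))
}

// isRevoked is the optional CRL step (point 2): trust the CRL only if the CA signed it, then look up the serial.
func isRevoked(crlDER []byte, caCert, srvCert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(srvCert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	caCert, caKey, srvCert := buildPKI("www.example.test")
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	fmt.Println("root installed, right host:", verifyServer(srvCert, roots, "www.example.test"))
	fmt.Println("root installed, wrong host:", verifyServer(srvCert, roots, "other.example.test"))
	fmt.Println("root missing:", verifyServer(srvCert, x509.NewCertPool(), "www.example.test"))
	fmt.Println(isRevoked(issueCRL(caCert, caKey, srvCert.SerialNumber), caCert, srvCert))
}
```

The three verifyServer calls map onto the behaviour in the post: the signature check passes only when the CA's root is in the client's store, the hostname check is a separate step after that, and neither involves talking to the CA. The CRL check is deliberately kept out of verifyServer, since most clients skip it unless it is switched on; note that isRevoked refuses a CRL whose signature does not verify under the CA's key, which is the part a CRL-checking client must not skip.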