Hello everybody,

I am working on SSL communication now. I have set up Tomcat to support SSL, but I got an error when I tried to make a connection to the Tomcat SSL server. My procedure is as follows (by the way, my server and client are sitting on the same Linux PC (Lisbon)):

1. create the key pair for server and client
2. request the certificates from Thawte for both of them
3. import the reply certificates to the server and client keystores
4. export the server and client certificates and import them as the trusted certificates

For the detailed procedure, please see the end of the mail.

When I disable clientAuth, everything is fine, but when I turn on clientAuth, the following errors come up.

On the server side:

  SecureServer is listening on port 8444.
  Accepted connection to 192.168.0.60 (192.168.0.60) on port 40342.
  IOException occurred when processing request.
  javax.net.ssl.SSLException: null cert chain
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.ServerHandshaker.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.AppInputStream.read([DashoPro-V1.2-120198])
          at java.io.FilterInputStream.read(FilterInputStream.java:69)
          at HTTPInputStream.readLine(HTTPServer.java:150)
          at HTTPInputStream.getRequest(HTTPServer.java:167)
          at HTTPServerThread.run(HTTPServer.java:71)

On the client side:

  [write] MD5 and SHA1 hashes:  len = 16
  0000: 14 00 00 0C D5 E8 10 77 94 5F 1A 5C 3E 6F 94 DF  .......w._.\>o..
  Plaintext before ENCRYPTION:  len = 36
  0000: 14 00 00 0C D5 E8 10 77 94 5F 1A 5C 3E 6F 94 DF  .......w._.\>o..
  0010: E8 04 1B 46 74 29 F0 17 FF A8 B2 D3 28 FA 7B E7  ...Ft)......(...
  0020: A1 01 87 D4                                      ....
  main, WRITE: SSL v3.1 Handshake, length = 36
  Exception in thread "main" java.io.IOException: Broken pipe
          at java.net.SocketOutputStream.socketWrite(Native Method)
          at java.net.SocketOutputStream.write(SocketOutputStream.java:83)
          at com.sun.net.ssl.internal.ssl.OutputRecord.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.e([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
          at java.io.OutputStream.write(OutputStream.java:61)
          at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
          at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
          at Browser.run(Browser.java:36)

Any help is appreciated!!

Thanks,
Hai


The key generation procedure is shown as follows:

Step 1: generate key pairs for server and client.

  keytool -genkey -v -alias tomcat -keyalg RSA -keysize 1024 -sigalg MD5withRSA -keypass changeit -storepass changeit -storetype jks -keystore server.keystore
  What is your first and last name?
    [Unknown]:  lisbon.invisiblehand.net
  What is the name of your organizational unit?
    [Unknown]:  IHN
  What is the name of your organization?
    [Unknown]:  IHN
  What is the name of your City or Locality?
    [Unknown]:  New York
  What is the name of your State or Province?
    [Unknown]:  NY
  What is the two-letter country code for this unit?
    [Unknown]:  US
  Is <CN=lisbon.invisiblehand.net, OU=IHN, O=IHN, L=New York, ST=NY, C=US> correct?
    [no]:  y
  Generating 1024 bit RSA key pair and self-signed certificate (MD5withRSA)
          for: CN=lisbon.invisiblehand.net, OU=IHN, O=IHN, L=New York, ST=NY, C=US
  [Saving server.keystore]

  keytool -genkey -v -alias tomcat -keyalg RSA -keysize 1024 -sigalg MD5withRSA -keypass changeit -storepass changeit -storetype jks -keystore server.keystore client.keystore
  What is your first and last name?
    [Unknown]:  lisbon.invisiblehand.net
  What is the name of your organizational unit?
    [Unknown]:  ihn
  What is the name of your organization?
    [Unknown]:  ihn
  What is the name of your City or Locality?
    [Unknown]:  new york
  What is the name of your State or Province?
    [Unknown]:  ny
  What is the two-letter country code for this unit?
    [Unknown]:  us
  Is <CN=lisbon.invisiblehand.net, OU=ihn, O=ihn, L=new york, ST=ny, C=us> correct?
    [no]:  y
  Generating 1024 bit RSA key pair and self-signed certificate (MD5withRSA)
          for: CN=lisbon.invisiblehand.net, OU=ihn, O=ihn, L=new york, ST=ny, C=us
  [Saving client.keystore]

Step 2: then I generate a certificate request for both key pairs.

  keytool -certreq -v -alias tomcat -sigalg MD5withRSA -file server.csr -keypass changeit -keystore server.keystore -storepass changeit -storetype jks
  Certification request stored in file <server.csr>
  Submit this to your CA

  keytool -certreq -v -alias tomcat -sigalg MD5withRSA -file client.csr -keypass changeit -keystore client.keystore -storepass changeit -storetype jks
  Certification request stored in file <client.csr>
  Submit this to your CA

Step 3: after these procedures, say I got two certificates from www.thawte.com/cgi/server/test.exe and the root certificate, i.e., clientreply.cer, serverreply.cer and root.cer. Import the reply certificates and the root certificate as trusted certificates into both the server and client keystores.

  keytool -import -v -trustcacerts -file server.cer -storepass changeit -keystore server.keystore
  Owner: CN=lisbon.invisiblehand.net, OU=IHN, O=IHN, L=New York, ST=NY, C=US
  Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Serial number: 303d08
  Valid from: Fri Nov 16 12:13:45 EST 2001 until: Fri Dec 07 12:13:45 EST 2001
  Certificate fingerprints:
           MD5:  83:68:C7:0C:C6:62:50:D7:B6:74:0D:F6:FF:17:51:43
           SHA1: 37:31:EC:11:A7:A6:D0:7D:72:F8:6B:EC:EE:35:39:FA:09:25:29:D7
  Trust this certificate? [no]:  y
  Certificate was added to keystore
  [Saving server.keystore]

  keytool -import -v -trustcacerts -storepass changeit -file clientreply.cer -keystore client.keystore
  Owner: CN=lisbon.invisiblehand.net, OU=ihn, O=ihn, L=new york, ST=ny, C=us
  Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Serial number: 52fdfa
  Valid from: Fri Nov 16 12:14:44 EST 2001 until: Fri Dec 07 12:14:44 EST 2001
  Certificate fingerprints:
           MD5:  46:C2:22:05:22:B2:45:83:47:35:9F:EE:53:A6:5E:8D
           SHA1: 16:F2:1D:8C:F1:FC:50:43:F4:89:02:85:83:06:7E:EF:ED:AA:2F:AD
  Trust this certificate? [no]:  y
  Certificate was added to keystore
  [Saving client.keystore]

Step 4: then import the root certificate for both of them.

  keytool -import -alias root -file root.cer -keystore server.keystore
  Enter keystore password:  changeit
  Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Serial number: 0
  Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
  Certificate fingerprints:
           MD5:  5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
           SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
  Trust this certificate? [no]:  y
  Certificate was added to keystore

  keytool -import -alias root -file root.cer -keystore client.keystore
  Enter keystore password:  changeit
  Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
  Serial number: 0
  Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
  Certificate fingerprints:
           MD5:  5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
           SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
  Trust this certificate? [no]:  y
  Certificate was added to keystore

Step 5: then I export the certificates for each other.

  keytool -export -alias tomcat -file server.cer -keystore server.keystore
  Enter keystore password:  changeit
  Certificate stored in file <server.cer>

  keytool -export -alias tomcat -file client.cer -keystore client.keystore
  Enter keystore password:  changeit
  Certificate stored in file <client.cer>

Step 6: import the exported certificate into each other's keystore as a trusted certificate.

  keytool -import -v -trustcacert -alias client -file client.cer -keystore server.keystore

  keytool -import -v -trustcacerts -alias server -file server.cer -keystore client.keystore
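The server-side "null cert chain" in the post means the server required a client certificate (clientAuth on) and the client's Certificate handshake message carried none. The loopback check below is an added example, not the poster's Browser.java or HTTPServer.java, and it uses the modern javax.net.ssl API rather than the com.sun.net.ssl classes in the trace. It assumes the two JKS files from the post (server.keystore and client.keystore, password "changeit", key alias "tomcat") are in the working directory. It first prints what the "tomcat" key entry of each keystore actually holds, then runs a server with client authentication required against two clients: one built from a truststore only, which reproduces the empty-chain failure, and one that also loads its key entry, which presents the chain.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added loopback mutual-TLS check (not the poster's code). Assumes the post's
 * server.keystore and client.keystore, password "changeit", key alias "tomcat".
 */
public class MutualTlsCheck {
    static final char[] PASS = "changeit".toCharArray();
    static final int PORT = 8444; // same port the poster's SecureServer listens on

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, PASS); }
        return ks;
    }

    /** withKey=false mimics a client that only has trusted entries and no private key to present. */
    static SSLContext context(KeyStore ks, boolean withKey) throws Exception {
        KeyManager[] kms = null;
        if (withKey) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, PASS);
            kms = kmf.getKeyManagers();
        }
        // In the post the trusted entries (root, peer certificate) live in the same JKS file as the key.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Chain length and issuer of the key entry are what the peer's trust decision depends on. */
    static void describeKeyEntry(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) { System.out.println(alias + ": no private-key entry"); return; }
        System.out.println(alias + ": chain length " + chain.length);
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("  subject=" + x.getSubjectX500Principal() + "  issuer=" + x.getIssuerX500Principal());
        }
    }

    static void connect(SSLContext ctx, String label) {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", PORT)) {
            s.startHandshake();
            System.out.println(label + ": handshake OK, cipher " + s.getSession().getCipherSuite());
        } catch (IOException e) {
            System.out.println(label + ": " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore serverKs = load("server.keystore");
        KeyStore clientKs = load("client.keystore");
        describeKeyEntry(serverKs, "tomcat");
        describeKeyEntry(clientKs, "tomcat");

        SSLServerSocket ss = (SSLServerSocket) context(serverKs, true)
                .getServerSocketFactory().createServerSocket(PORT);
        ss.setNeedClientAuth(true); // the programmatic equivalent of clientAuth="true"

        Thread server = new Thread(() -> {
            for (int i = 0; i < 2; i++) {
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake();
                    X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
                    System.out.println("server: client presented " + peer.getSubjectX500Principal());
                } catch (IOException e) {
                    System.out.println("server: handshake failed: " + e.getMessage());
                }
            }
        });
        server.start();

        connect(context(clientKs, false), "truststore-only client"); // expected to fail: nothing to present
        connect(context(clientKs, true), "client with key entry");   // expected to succeed
        server.join();
        ss.close();
    }
}
```

Two things to read off the output. First, the chain printed for alias "tomcat": if it has length 1 and the issuer equals the subject, the CA reply never replaced the self-signed certificate in the key entry (keytool -import without -alias stores the file under the default alias "mykey" as a separate trusted entry), so the peer is offered a self-signed certificate rather than the Thawte-issued one. Second, the first connection: the server-side failure there is the same condition the post's server reported, a client authentication requirement with no certificate supplied, while the client may see either a handshake alert or a broken pipe, depending on which side closes first.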