Bad certificate (null certificate chain) failure
843811 Jan 13 2010 — edited Apr 16 2010
Hi,
I am trying to implement two-way SSL authentication between JBOSS 4.3.0 (acting as a server), and Tomcat 4.1 (acting as a client).
I am using self-generated certificates. On Tomcat I configured the client's keystore and a trust store (where I imported the server's certificate as a trusted certificate).
On the server (JBOSS) I configured the server's keystore and a trust store (where I imported the client's certificate as a trusted certificate).
On both the server and the client I configured an SSL connector.
Here is my issue:
If I use only one-way authentication (configuring clientAuth="false" on the server), the authentication is working.
However, if I try mutual authentication (configuring clientAuth="true" on the server), authentication fails with the following error message on the server:
javax.net.ssl.SSLHandshakeException: null cert chain
I enabled debug on both the server and the client, and I see in the log file that all certificates from the keystore and trust store are loaded successfully on both the client and the server when JBOSS and Tomcat start.
I see in the log how the server is sending its certificate to the client, and how the client reads this certificate and verifies that it's trusted.
However, I don't see in the log file that Tomcat (the client) is sending a certificate to the server.
The following is a snippet from the log file after the client finished verifying the server's certificate:
... no IV for cipher
Thread-3, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished
verify_data: { 138, 162, 5, 141, 152, 169, 2, 53, 188, 57, 126, 132 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 8A A2 05 8D 98 A9 02 35 BC 39 7E 84 ...........5.9..
Plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C 8A A2 05 8D 98 A9 02 35 BC 39 7E 84 ...........5.9..
0010: 6C 9D 09 FF 00 10 D8 77 6C EF A1 E5 D7 7D 16 36 l......wl......6
Thread-3, WRITE: TLSv1 Handshake, length = 32
Thread-3, READ: TLSv1 Alert, length = 2
Thread-3, RECV TLSv1 ALERT: fatal, bad_certificate
Thread-3, called closeSocket()
Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
13:30:38,187 ERROR [CAPAnomalyEscalation] ; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
So, when the server tries to read the certificate chain, it doesn't find any certificate in the response coming from the client:
2010-01-12 15:39:12,249 INFO [STDOUT] http-0.0.0.0-8443-1, READ: TLSv1 Handshake, length = 141
2010-01-12 15:39:12,249 INFO [STDOUT] *** Certificate chain
2010-01-12 15:39:12,249 INFO [STDOUT] ***
2010-01-12 15:39:12,249 INFO [STDOUT] http-0.0.0.0-8443-1
2010-01-12 15:39:12,249 INFO [STDOUT] , SEND TLSv1 ALERT:
2010-01-12 15:39:12,264 INFO [STDOUT] fatal,
2010-01-12 15:39:12,264 INFO [STDOUT] description = bad_certificate
2010-01-12 15:39:12,264 INFO [STDOUT] http-0.0.0.0-8443-1, WRITE: TLSv1 Alert, length = 2
2010-01-12 15:39:12,264 INFO [STDOUT] [Raw write]: length = 7
2010-01-12 15:39:12,264 INFO [STDOUT] :
2010-01-12 15:39:12,264 INFO [STDOUT]
In the Tomcat log file I don't see any error regarding loading the certificate or trying to send it to the server. It looks like Tomcat doesn't even know that it's supposed to send the certificate to the server.
I don't have any SSL code in my client application. It's just a regular web service call (the web service is running on JBOSS) and SSL configuration.
I could not attach the whole log file here because my message would exceed the allowed number of characters, but if someone has an idea what is going on and is willing to look at the full log file, I will send it.
Can someone tell me what I am missing?
Thanks in advance
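As an added diagnostic example (not part of the original post), the following Python script scans JSSE debug output of the kind quoted above, strips the JBoss log4j prefix, counts the certificates inside each "*** Certificate chain" block and pulls out the fatal alert descriptions. The sample logs are constructed to mirror the quoted format; the healthy-handshake sample assumes the usual JSSE "chain [n] = [" layout.

```python
import re

# Constructed sample, modelled on the JBoss server log quoted above:
# the client's Certificate message arrives with an empty chain.
SERVER_LOG = """\
2010-01-12 15:39:12,249 INFO [STDOUT] http-0.0.0.0-8443-1, READ: TLSv1 Handshake, length = 141
2010-01-12 15:39:12,249 INFO [STDOUT] *** Certificate chain
2010-01-12 15:39:12,249 INFO [STDOUT] ***
2010-01-12 15:39:12,249 INFO [STDOUT] http-0.0.0.0-8443-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
"""

# Constructed sample of a healthy mutual-auth handshake (assumed JSSE layout):
# the chain block carries at least one "chain [n] = [" entry.
HEALTHY_LOG = """\
http-0.0.0.0-8443-1, READ: TLSv1 Handshake, length = 900
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=client, O=Example
]
***
"""

# log4j prefix JBoss puts in front of every STDOUT line; raw JSSE output has none.
PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \w+ \[STDOUT\] ?")

def certificate_chains(log: str) -> list:
    """Number of certificates in each '*** Certificate chain' block, in order."""
    counts, in_chain, current = [], False, 0
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line == "*** Certificate chain":
            in_chain, current = True, 0
        elif in_chain and line.startswith("chain ["):
            current += 1
        elif in_chain and line == "***":
            counts.append(current)
            in_chain = False
    return counts

def alerts(log: str) -> list:
    """Descriptions of fatal TLS alerts, whether logged as SEND or RECV."""
    return re.findall(r"ALERT:\s*fatal,\s*(?:description = )?(\w+)", log)

def diagnose(log: str) -> str:
    chains = certificate_chains(log)
    if 0 in chains:
        return "empty client certificate chain: a Certificate message with no certificates"
    if not chains:
        return "no Certificate message seen in this log excerpt"
    return "certificate chain present (%d cert(s))" % chains[-1]
```

An empty chain (as in the quoted server log) means the client answered the CertificateRequest with a Certificate message containing nothing, which is what the server then rejects with bad_certificate; the script keeps that case separate from an excerpt where no Certificate message was logged at all.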