Java Security

Hi all

I'm pretty frustrated right now. I'm trying to get a Java program to do client and server certificate authentication with an Apache server.

Let me say beforehand I got the server side authentication part going. Its only the client authentication I'm having trouble with.

I have an Apache server vs 1.3.20 (running on a RH Linux 6.2) which talks to a Tomcat server (3.2.1) hosting some servlet. I also have Apache SSL enabled (via mod_ssl 2.8.4 and openssl_0.9.6a) and talking to an openldap server (vs 2.1.3) via a module called mod_authz_ldap. This module allows for both certificate and basic authentication.

I then my b2b Java program (running from Win2000), which uses the Sun's JSSE 1.0.3 plus the HTTPClient program from Innovation: http://www.innovation.ch/java/HTTPClient/https.html.

To start with, the exception I'm getting on the client side is:

"javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275) at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:2950)"

And on the Apache server ssl_engine.log I'm getting:

"[16/Sep/2002 15:21:33 17063] [info] Connection to child 2 established (server 165.148.58.144:443, client 165.148.59.202)
[16/Sep/2002 15:21:33 17063] [info] Seeding PRNG with 1160 bytes of entropy
[16/Sep/2002 15:21:42 17063] [error] SSL handshake failed (server 165.148.58.144:443, client 165.148.59.202) (OpenSSL library error follows)
[16/Sep/2002 15:21:42 17063] [error] OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"

Now what I did to setup my certificates was:

1. Created my own CA using openssl (from the Linux box)
2. Created the server certificate and extracted the key
3. Created the client certificate.

I then bundled all of these by concantanating them into a single file called ca-bundle.crt (I used a simple cat command)

In Apache httpd.conf I added:

"SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /jose/CA2/server.crt
SSLCertificateKeyFile /jose/CA2/server.key

SSLCACertificateFile /jose/CA2/demoCA/newcerts/ca2-bundle.crt

SSLVerifyClient require
SSLVerifyDepth 10"

I then copied the ca cert, the server cert and client cert into my client win2000 machine.

I then imported these into a single .keystore file using keytool, which I then use on my program like:

--------------------------------------------------
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\correij\\.keystore");

SSLContext sc = SSLContext.getInstance("SSL");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance("SunX509");
//no need to call the init(KeyStore) method as by the default it accesses
//the above set property "javax.net.ssl.trustStore"
sc.init(null, tmf.getTrustManagers(), null);

//URL url = new URL (urlString);
HTTPConnection con = new HTTPConnection("https", urlString, -1);
//sc.getSocketFactory().setNeedClientAuth(true);
con.setSSLSocketFactory(sc.getSocketFactory());
con.addBasicAuthorization("AuthzLDAP","Jaco", "water");
HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
InputStream content = (InputStream)response.getInputStream();

-----------------------------------------

When I run this, I'm getting the above errors... I did turn the SSL debug on I'm getting a:

main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.1 Alert, length = 2
%% No cached client session


I don't know if its the client that is not recognizing any of the attached server certificates or the other way around...?

Any ideas pleaseeeeeee....!!

Thanks in advance
Jose Correia