Getting a "peer not authenticated" Exception using Openssl
843811 Sep 16 2002 — edited Feb 5 2008
Hi all,
I'm pretty frustrated right now. I'm trying to get a Java program to do client and server certificate authentication with an Apache server.
Let me say beforehand I got the server side authentication part going. It's only the client authentication I'm having trouble with.
I have an Apache server version 1.3.20 (running on RH Linux 6.2) which talks to a Tomcat server (3.2.1) hosting some servlets. I also have Apache SSL enabled (via mod_ssl 2.8.4 and openssl_0.9.6a) and talking to an openldap server (version 2.1.3) via a module called mod_authz_ldap. This module allows for both certificate and basic authentication.
I then have my B2B Java program (running from Win2000), which uses Sun's JSSE 1.0.3 plus the HTTPClient program from Innovation: http://www.innovation.ch/java/HTTPClient/https.html.
To start with, the exception I'm getting on the client side is:
"javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:2950)"
And on the Apache server ssl_engine.log I'm getting:
"[16/Sep/2002 15:21:33 17063] [info] Connection to child 2 established (server 165.148.58.144:443, client 165.148.59.202)
[16/Sep/2002 15:21:33 17063] [info] Seeding PRNG with 1160 bytes of entropy
[16/Sep/2002 15:21:42 17063] [error] SSL handshake failed (server 165.148.58.144:443, client 165.148.59.202) (OpenSSL library error follows)
[16/Sep/2002 15:21:42 17063] [error] OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"
Now what I did to setup my certificates was:
1. Created my own CA using openssl (from the Linux box)
2. Created the server certificate and extracted the key
3. Created the client certificate.
I then bundled all of these by concatenating them into a single file called ca-bundle.crt (I used a simple cat command).
In Apache httpd.conf I added:
"SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /jose/CA2/server.crt
SSLCertificateKeyFile /jose/CA2/server.key
SSLCACertificateFile /jose/CA2/demoCA/newcerts/ca2-bundle.crt
SSLVerifyClient require
SSLVerifyDepth 10"
I then copied the ca cert, the server cert and client cert into my client win2000 machine.
I then imported these into a single .keystore file using keytool, which I then use on my program like:
--------------------------------------------------
import java.io.InputStream;
import com.sun.net.ssl.SSLContext;           // JSSE 1.0.x package (javax.net.ssl in JDK 1.4 and later)
import com.sun.net.ssl.TrustManagerFactory;
import HTTPClient.HTTPConnection;
import HTTPClient.HTTPResponse;

// urlString (the server host name) is set elsewhere in the program
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// trust store: the .keystore file the CA, server and client certs were imported into with keytool
System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\correij\\.keystore");
SSLContext sc = SSLContext.getInstance("SSL");
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
//no need to call the init(KeyStore) method as by the default it accesses
//the above set property "javax.net.ssl.trustStore"
// first argument (KeyManager[]) is null: only trust managers are configured on this context
sc.init(null, tmf.getTrustManagers(), null);
//URL url = new URL (urlString);
HTTPConnection con = new HTTPConnection("https", urlString, -1);
//sc.getSocketFactory().setNeedClientAuth(true);
con.setSSLSocketFactory(sc.getSocketFactory());
con.addBasicAuthorization("AuthzLDAP","Jaco", "water");
HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
InputStream content = (InputStream)response.getInputStream();
-----------------------------------------
When I run this, I'm getting the above errors... I did turn SSL debug on, and I'm getting:
main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
main, WRITE: SSL v3.1 Alert, length = 2
%% No cached client session
I don't know if it's the client that is not recognizing any of the attached server certificates or the other way around...?
Any ideas pleaseeeeeee....!!
Thanks in advance
Jose Correia
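An added example, not from the post above and not part of HTTPClient or JSSE, showing the two pieces a JSSE client needs for mutual TLS and a probe that reports what each side actually presented. It uses the javax.net.ssl API of JDK 1.4 and later rather than the com.sun.net.ssl package of JSSE 1.0.3; the keystore paths, passwords and host name are assumptions. The probe separates the two failure modes the post cannot tell apart: the SSL debug trace in the post shows the client itself sending the certificate_unknown alert, which is the client-side trust check rejecting the server's chain, whereas a context built with a null KeyManager array completes the server check but presents no client certificate and is then refused by a server configured with SSLVerifyClient require.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Mutual-TLS client with explicitly loaded trust and key material (example code). */
public class MutualTlsProbe {

    /**
     * Builds an SSLContext from two separate stores (hypothetical paths):
     * a trust store holding only the CA certificate that signed the server cert,
     * and a PKCS12 key store holding the client certificate plus its private key.
     */
    static SSLContext buildContext(String trustStorePath, char[] trustStorePass,
                                   String keyStorePath, char[] keyStorePass) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustStorePass);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust); // a factory that was never initialised cannot hand out trust managers

        KeyStore keys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keys.load(in, keyStorePass);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyStorePass); // needs the private key, not just the certificate

        SSLContext ctx = SSLContext.getInstance("TLS");
        // A non-null first argument is what lets the client answer the server's CertificateRequest.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Connects, completes the handshake and prints what each side presented. */
    static void probe(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory sf = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) sf.createSocket(host, port)) {
            // Also check that the server certificate matches the host name we dialled.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);

            s.startHandshake(); // on failure throws SSLHandshakeException naming the alert
            SSLSession sess = s.getSession();
            System.out.println("negotiated " + sess.getProtocol() + " / " + sess.getCipherSuite());
            for (Certificate c : sess.getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("server chain: " + x.getSubjectX500Principal()
                        + " issued by " + x.getIssuerX500Principal());
            }
            Certificate[] local = sess.getLocalCertificates();
            System.out.println(local == null
                    ? "client sent no certificate (key manager had nothing usable)"
                    : "client sent " + ((X509Certificate) local[0]).getSubjectX500Principal());
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names, passwords and host; replace with your own.
        SSLContext ctx = buildContext("truststore.jks", "changeit".toCharArray(),
                                      "client.p12", "clientpass".toCharArray());
        probe(ctx, args.length > 0 ? args[0] : "apache.example", 443);
    }
}
```

The PKCS12 for the key store is produced from the openssl CA output with `openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out client.p12`. Importing a .crt file with keytool stores the certificate only, never the private key, so a keystore populated that way can serve as the trust store but cannot act as the key store for client authentication.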