Handling SSLHandshakeException in Tomcat 5.5.17

Hi,

How do I handle this exception when the user clicks "Cancel" at the certificate prompt during SSL client authentication?

javax.net.ssl.SSLHandshakeException: null cert chain

Tomcat throws this exception, but I would like to catch it and redirect the user to a proper error page. The full stack trace is as follows:

2007-05-14 10:35:36 org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
    at java.io.InputStream.read(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:87)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66)
    at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1126)
    at org.apache.coyote.Request.action(Request.java:348)
    at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Unknown Source)

2007-05-14 10:35:36 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL attributes
javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
    at java.io.InputStream.read(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:87)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66)
    at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1126)
    at org.apache.coyote.Request.action(Request.java:348)
    at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Unknown Source)

regards,

kews

[5618 byte] By [PenguinClevina] at [2007-11-27 4:17:36]
# 1

You won't be able to respond to that exception even if you catch it. It is a fatal exception.

What happens on the client side when you click Cancel is that the browser closes the SSL connection (during the handshake, hence the exception). So even if you catch the exception you can't redirect the user because they have closed the connection.

The best bet for trying to get that working might be to do something client side with JavaScript... perhaps on an insecure page try to load some JavaScript off a secure site; if the user cancels that, you may be able to detect it, e.g. change a variable in the secure JavaScript and then in your page check whether it has changed, i.e. they didn't cancel the secure page... A bit of a long shot!

karlvra at 2007-7-12 9:24:16
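The probe idea in the reply above, written out as an added example (this is not code from the original thread). It assumes a hypothetical URL https://secure.example.com/probe.js that the server only delivers after a successful client-certificate handshake, and that the script's entire body is `window.__clientCertOk = true;`. The insecure page inserts a script tag for that URL; if the user cancels the certificate prompt the browser drops the connection, so the script never runs, the flag stays false and the error (or a timeout) handler fires. The decision logic is kept separate from the DOM so it can be tested without a browser, and the loader is injected for the same reason.

```javascript
// Added example: client-side detection of a cancelled client-cert handshake.
// Not from the original post; URL, flag name and timeout are assumptions.

// Pure decision logic. flagValue is the probe script's side effect, eventKind is
// "load", "error" or "timeout". The probe cannot tell a cancelled prompt from a
// network failure or a blocked request, hence the combined verdict.
function classifyProbe(flagValue, eventKind, timedOut) {
  if (flagValue === true) return "client-cert-ok";
  if (eventKind === "error" || timedOut) return "cancelled-or-unreachable";
  return "unknown"; // script loaded but did not set the flag (wrong content served)
}

// Runs one probe. loader(url, onload, onerror) performs the fetch; scope is the
// object the probe script writes its flag into (window in a browser). onResult
// receives exactly one verdict string.
function probeClientCert(probeUrl, loader, scope, timeoutMs, onResult) {
  scope.__clientCertOk = false; // reset so a stale flag cannot count as success
  var settled = false;
  var timer = setTimeout(function () { finish("timeout", true); }, timeoutMs);
  function finish(eventKind, timedOut) {
    if (settled) return; // only the first of load / error / timeout counts
    settled = true;
    clearTimeout(timer);
    onResult(classifyProbe(scope.__clientCertOk, eventKind, timedOut));
  }
  loader(
    probeUrl,
    function () { finish("load", false); },
    function () { finish("error", false); }
  );
}

// Browser loader: a <script> tag whose onload/onerror drive the probe.
function scriptTagLoader(doc) {
  return function (url, onload, onerror) {
    var s = doc.createElement("script");
    s.src = url;
    s.onload = onload;
    s.onerror = onerror;
    doc.head.appendChild(s);
  };
}

// Browser usage (skipped when run outside a browser): send the user to an
// explanatory page when the handshake did not complete. The redirect target
// is an assumption.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  probeClientCert(
    "https://secure.example.com/probe.js",
    scriptTagLoader(document),
    window,
    30000, // give the user time to answer the certificate dialog
    function (verdict) {
      if (verdict !== "client-cert-ok") {
        window.location.href = "/cert-required.html";
      }
    }
  );
}
```

Two design points worth keeping in mind: the probe script executes in the insecure page's origin, so it must do nothing beyond setting the flag, and the verdict should gate only the user-facing redirect, never an authorisation decision, which stays with the server-side handshake.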