Truststore which trusts only one specific certificate?

Hello,

I am able to set up an SSL connection for my client server program.

But now I need the server to _only_ trust one specific user certificate. It must _not_ trust all user certificates from a CA!

If I only put a single user cert into the server truststore, I get a bad_certificate exception :(

Does anybody know a solution? Thanks for any help

By domEstica at 2007-11-27 9:01:04
# 1
Put a good certificate into it?
ejpa at 2007-7-12 21:30:25
# 2

omg

ejp, I really hope not all of your 10000+ posts are that kind of poor spam.

--

Of course, I am using valid certificates. The SSL connection will establish as soon as I put the CA into the truststore. But that's not what I need. The case is simple:

I don't want all users owning a certificate from that CA to have access to my service. Only one specific user should gain access.

Is it somehow possible via using a truststore which only contains the user cert?

domEstica at 2007-7-12 21:30:25
# 3

> bad_certificate exception

> Of course, I am using valid certificates.

Unfortunately the exception text doesn't agree with you. The conclusion is ineluctable.

I can see the exception: I can't see your certificate. If you were to post the complete text of the exception you might make it possible for well-meaning volunteers to help you further.

You could also set -Djavax.net.debug=ssl,handshake and show the output here.

If on the other hand you want to continue the abuse, you can forget it now.

ejpa at 2007-7-12 21:30:26
# 4

Hi,

I'm sorry for those sarcastic words, I didn't mean it.

OK, getting a bit into detail:

I forgot to say I'm using clientAuth = true

Here comes the output from a working configuration: the server truststore contains the cert from the CA.

client log:

-

main, WRITE: TLSv1 Handshake, length = 32

main, READ: TLSv1 Change Cipher Spec, length = 1

main, READ: TLSv1 Handshake, length = 32

*** Finished

verify_data: { 156, 42, 54, 58, 61, 56, 178, 113, 155, 216, 41, 104 }

***

%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]

main, WRITE: TLSv1 Application Data, length = 271

main, setSoTimeout(3000) called

main, READ: TLSv1 Application Data, length = 41

main, setSoTimeout(0) called

main, WRITE: TLSv1 Application Data, length = 287

main, READ: TLSv1 Application Data, length = 130

main, READ: TLSv1 Application Data, length = 5160

main, READ: TLSv1 Application Data, length = 21

server log:

--

*** CertificateRequest

Cert Types: RSA, DSS,

Cert Authorities:

<EMAILADDRESS=..ca@email.., CN=CA, OU=... O=..., L=.., ..

><EMAILADDRESS=..user@email.., CN=user, OU=..., O=...

*** ServerHelloDone

btpool0-1 - Acceptor0 SslSocketConnector @ 0.0.0.0:34463, WRITE: TLSv1 Handshake, length = 1489

btpool0-1 - Acceptor0 SslSocketConnector @ 0.0.0.0:34463, READ: TLSv1 Handshake, length = 1319

*** Certificate chain

chain [0] = [

...

...

Found trusted certificate:

[

[

Version: V3

Subject: EMAILADDRESS=..user@email..., CN=user, OU=..., O=...., ...

You see, the server finds a cert in its store which it trusts.

Now I remove the CA cert from the server truststore and put the user cert into it.

NOT working configuration:

The server truststore contains only one user certificate issued by the CA.

client log:

-

main, WRITE: TLSv1 Handshake, length = 32

main, waiting for close_notify or alert: state 1

main, READ: TLSv1 Alert, length = 2

main, RECV TLSv1 ALERT: fatal, bad_certificate

main, called closeSocket()

main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

main, called close()

main, called closeInternal(true)

main, called close()

main, called closeInternal(true)

main, called close()

main, called closeInternal(true)

Jun 28, 2007 2:18:53 PM org.codehaus.xfire.transport.http.HttpChannel sendViaClient

SEVERE: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

Jun 28, 2007 2:18:53 PM de.fzj.unicore.xuudb.client.AdminController list

WARNING: Error while invoking service: Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFaul

org.codehaus.xfire.XFireRuntimeException: Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireF

org.codehaus.xfire.fault.XFireFault: Couldn't send message.

at org.codehaus.xfire.fault.XFireFault.createFault(XFireFault.java:89)

at org.codehaus.xfire.handler.OutMessageSender.invoke(OutMessageSender.java:30)

server log:

--

***

*** CertificateRequest

Cert Types: RSA, DSS,

Cert Authorities:

><EMAILADDRESS=...user@email..., CN=user, OU=...., ....

*** ServerHelloDone

btpool0-1 - Acceptor0 SslSocketConnector @ 0.0.0.0:34463, WRITE: TLSv1 Handshake, length = 1317

btpool0-1 - Acceptor0 SslSocketConnector @ 0.0.0.0:34463, READ: TLSv1 Handshake, length = 269

*** Certificate chain

***

btpool0-1 - Acceptor0 SslSocketConnector @ 0.0.0.0:34463, SEND TLSv1 ALERT: fatal, description = bad_certificate

btpool0-1 - Acceptor0 SslSocketConnector @ 0.0.0.0:34463, WRITE: TLSv1 Alert, length = 2

btpool0-1 - Acceptor0 SslSocketConnector @ 0.0.0.0:34463, called closeSocket()

So the results are: on the server side the certificate chain remains empty; the server does not match the incoming certificate with the certificate which is in its truststore.

And at the client side I get a bad_certificate exception, because the server does not accept it.

How do I make the server accept only that certificate from the specific user?

domEstica at 2007-7-12 21:30:26
# 5

I see. It isn't normally done this way. Normally you would let the truststore trust the CA, just letting it do authentication, and narrow it down further in the server as an authorization step. E.g. if you are coding the server in Java using SSLSockets, first thing in the connection thread you would get the certificate from the session and decide whether you want to continue with that user. Or you can do that via a handshake listener.

ejpa at 2007-7-12 21:30:26
# 6

Hi, thanks again...

I invested more time in the JSSE reference guide etc. and finally I did it:

The solution was to write my own TrustManager, which ensures within the checkClientTrusted() method that only certs are accepted which are in the server truststore. It needed a little hack to get this thing into Jetty, but now it's running fine.

The CA certificate _still_ has to be included, because there is a CA check before the checkClientTrusted() method call!

domEstica at 2007-7-12 21:30:26
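The approach described in #6, written out as an added example (not the poster's code, which the thread never shows): an X509TrustManager that first delegates the chain check to the JSSE default (PKIX) trust manager initialised with the CA, and only then pins the end-entity certificate to the ones in a second keystore. It assumes two KeyStore objects loaded by the caller, caStore (holding the CA) and allowedStore (holding the permitted user cert); getAcceptedIssuers() returns the CA, so the CertificateRequest advertises the CA and not the user cert, which is the difference visible between the two server logs above.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Client auth = CA chain check (delegated to the default PKIX trust manager) AND a leaf allow-list. */
public final class PinnedClientTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;  // validates the chain against the CA in caStore
    private final Set<String> allowedLeaves;  // Base64 DER of every cert in allowedStore
    /** caStore: truststore holding the CA; allowedStore: truststore holding the permitted user cert(s). */
    public PinnedClientTrustManager(KeyStore caStore, KeyStore allowedStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caStore);
        X509TrustManager x509 = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { x509 = (X509TrustManager) tm; break; }
        }
        if (x509 == null) throw new IllegalStateException("no X509TrustManager available");
        delegate = x509;
        allowedLeaves = new HashSet<>();
        for (Enumeration<String> e = allowedStore.aliases(); e.hasMoreElements();) {
            Certificate c = allowedStore.getCertificate(e.nextElement());
            if (c != null) allowedLeaves.add(Base64.getEncoder().encodeToString(c.getEncoded()));
        }
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);   // 1. CA/chain validation, as in the thread
        if (chain == null || chain.length == 0) throw new CertificateException("empty client chain");
        String leaf = Base64.getEncoder().encodeToString(chain[0].getEncoded());
        if (!allowedLeaves.contains(leaf)) {             // 2. exact-match pin on the end-entity cert
            throw new CertificateException("valid CA-issued cert but not allowed: " + chain[0].getSubjectX500Principal());
        }
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);   // outbound connections: plain CA check
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();           // the CA is what CertificateRequest advertises
    }
}
```

The server installs it with SSLContext.init(keyManagers, new TrustManager[]{ new PinnedClientTrustManager(caStore, allowedStore) }, null); the authorization step ejpa suggests in #5 is the same exact-match comparison, done on SSLSession.getPeerCertificates() after the handshake instead of inside it.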