Client ignoring authentication request from server
I齰e been attempting to get XMLRPC working, but I'm having some problems with SSL. For some reason, the client has mysteriously stopped authenticating itself to the server. I had it working, but then it mysteriously stopped working, despite the fact I haven't touched the relevent code in a while.
Acording to the logs (obtained via the flag javax.net.debug=all), this is what is happening:
1)Client sends ClientHello to the client
2)Server responds with ServerHello. The ServerHello includes (among other things) a CertificateRequest. That is, the server asks the client for a certificate to authenticate the client.
3)Client sends a ClientKeyExchangeMessage
4)The server responds with the error "unexpected_message"
The problem is that according to the SSL spec, it齭 missing a step between step 2 and 3. My understanding is that when a server sends a CertificateRequest, the first thing the client must do is send a client certificate (or send a "no certificate alert" if no suitable certificate is available).
It seems the client has, for whatever mysterious reason, stopped sending a certificate for itself even though the server is requesting it. This would explain why I齧 getting the 齯nexpected_message?error.
On a possibly related topic, I note from the logs that the server requests the follows CAs:
begin
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=XYZ Daemon, OU=Response Center, O=Acme, L=Smalltown, ST=ON, C=CA>
<CN=SP Daemon, OU=Response Center, O=Acme, L=Smalltown, ST=ON, C=CA>
<CN=Client XML-RPC, OU=Response Center, O=Acme, L=Smalltown, ST=ON, C=CA>
end
I would have expected it to also request the CA for the self-signed certificate that I exported to the server-side truststore:
begin
Owner: CN=acme.com, OU=foo, O=Acme Inc., L=Smalltown, ST=ON, C=CA
Issuer: CN=acme.com, OU=foo, O=Acme Inc., L=Smalltown, ST=ON, C=CA
Serial number: 416eca06
Valid from: Thu Oct 14 11:48:38 PDT 2004 until: Wed Oct 14 11:48:38 PDT 2054
Certificate fingerprints:
MD5: 3D:82:E0:D3:C8:E9:BA:C0:68:18:E8:6E:E8:8F:EA:B4
SHA1: C2:87:10:AD:0B:6F:BC:29:15:86:71:65:C6:93:3F:08:25:7B:0C:AE
end
Here齭 the contents of the server-side truststore:
begin
Keystore type: jks
Keystore provider: SUN
Your keystore contains 4 entries
xyzdaemon, Jul 8, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 25:F2:54:D7:C5:B3:2C:00:16:89:56:ED:61:92:9C:64
xmlrpcclient, Jul 8, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 74:9A:87:39:D8:AA:E5:96:2A:B7:C8:E0:A5:17:EA:B9
acmeclient, Oct 14, 2004, trustedCertEntry,
Certificate fingerprint (MD5): 3D:82:E0:D3:C8:E9:BA:C0:68:18:E8:6E:E8:8F:EA:B4
spdaemon, Jul 8, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 44:00:5D:E3:31:3C:18:58:A5:BC:9E:01:18:69:C7:13
end
For the sake of completeness, here are the contents of the client-side keystore:
begin
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
acmeclient, Oct 14, 2004, keyEntry,
Certificate fingerprint (MD5): 3D:82:E0:D3:C8:E9:BA:C0:68:18:E8:6E:E8:8F:EA:B4
end
The client-side truststore is just a copy of the server-side trust store.
Of course, none of this explains why the client isn齮, at very minimum, sending a 齨o certificate alert?
Does anyone have any ideas as to what I'm issing here? I'm well and truly baffled by this issue!!
