  Error #6 The server failed to provide its certificate to client
 
Author: X509
In response to: Error #5 SSLServerSocket.setWantClientAuth(boolean want) may drop connection
Posted on: 02/09/2010 07:59:12 PM

If the server failed to provide its certificate in the first place, the SSL negotiation is doomed to fail.

On the server side, you would most likely see something like this:

  
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
	at javax.net.ssl.SSLEngine.unwrap(Unknown Source)


On the client side, you would most likely see something like this:
  
javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: 
  unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
	at sun.security.validator.Validator.validate(Validator.java:218)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:199)
	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:239)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:840)
	... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
	unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
	... 17 more




 

> On 01/29/2010 02:55:43 PM authen wrote:

void javax.net.ssl.SSLServerSocket.setWantClientAuth(boolean want)

public abstract void setWantClientAuth(boolean want)

Controls whether accepted server-mode SSLSockets will be initially configured 
to request client authentication. 

A socket's client authentication setting is one of the following: 
  • client authentication required
  • client authentication requested
  • no client authentication desired

Unlike setNeedClientAuth(boolean), if the accepted socket's option is set and the client chooses not to provide authentication information about itself, the negotiations will continue.

Calling this method overrides any previous setting made by this method or setNeedClientAuth(boolean).

The initial inherited setting may be overridden by calling SSLSocket.setNeedClientAuth(boolean) or SSLSocket.setWantClientAuth(boolean).

Parameters: want - set to true if client authentication is requested, or false if no client authentication is desired.

See Also: getWantClientAuth(), setNeedClientAuth(boolean), getNeedClientAuth(), setUseClientMode(boolean)



  • But if the accepted socket's option is set, some clients like Microsoft's LDP.exe DID choose to provide authentication information about themselves, even when the client certificate was expired. If the certificate is good, the negotiations will continue; but if the certificate is not good, the negotiations will drop.



    Here is the error message got on the client (LDP.exe) side:
    
    ld = ldap_sslinit("myLDAPServer", 636, 1);
    Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
    Error <0x51> = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to myLDAPServer.
    





    Here is the error message got on the server side:
    
    javax.net.ssl.SSLHandshakeException:  General SSLEngine problem 
    	at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
    	at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
    	at java.security.AccessController.doPrivileged(Native Method)
    	at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    	... 6 more
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: 
    java.security.cert.CertPathValidatorException: timestamp check failed
    	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    	at sun.security.validator.Validator.validate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(Unknown Source)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(Unknown Source)
    	... 14 more
    Caused by: java.security.cert.CertPathValidatorException:  timestamp check failed
    	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
    	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
    	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
    	at java.security.cert.CertPathValidator.validate(Unknown Source)
    	... 21 more
    Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Mar 20 09:32:16 PST 2009 
    	at sun.security.x509.CertificateValidity.valid(Unknown Source)
    	at sun.security.x509.X509CertImpl.checkValidity(Unknown Source)
    	at sun.security.provider.certpath.BasicChecker.verifyTimestamp(Unknown Source)
    	at sun.security.provider.certpath.BasicChecker.check(Unknown Source)
    	... 25 more
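
The traces quoted in this thread differ only in their innermost "Caused by:" entry, so the following added example (not code from the original posts) walks the cause chain of a handshake exception and names the certificate problem behind it. The class name HandshakeTriage, the Reason values and the sample exceptions are assumptions constructed for illustration.

```java
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

// Added example (hypothetical class name): maps a TLS handshake exception to
// the certificate problem behind it by walking the "Caused by:" chain.
public class HandshakeTriage {

    enum Reason { EXPIRED, NOT_YET_VALID, NO_TRUSTED_PATH, PEER_REJECTED_OUR_CERT, UNKNOWN }

    static Reason classify(Throwable top) {
        Reason reason = Reason.UNKNOWN;
        // Bounded walk so a malformed cause loop cannot spin forever.
        int depth = 0;
        for (Throwable t = top; t != null && depth < 32; t = t.getCause(), depth++) {
            // Validity-period failures are the most specific cause; report them first.
            if (t instanceof CertificateExpiredException) return Reason.EXPIRED;
            if (t instanceof CertificateNotYetValidException) return Reason.NOT_YET_VALID;
            // SunCertPathBuilderException is a subclass of CertPathBuilderException:
            // no chain from the peer's certificate to a trusted root in the trust store.
            if (t instanceof CertPathBuilderException) reason = Reason.NO_TRUSTED_PATH;
            // The local side only received an alert; the actual validation error
            // is recorded in the peer's log, not here.
            String msg = t.getMessage();
            if (reason == Reason.UNKNOWN && msg != null && msg.contains("certificate_unknown"))
                reason = Reason.PEER_REJECTED_OUR_CERT;
        }
        return reason;
    }

    public static void main(String[] args) {
        // Constructed exceptions that mirror the three traces in this thread.
        Throwable alert = new SSLException("Received fatal alert: certificate_unknown");
        Throwable noPath = new SSLHandshakeException("PKIX path building failed").initCause(
            new CertPathBuilderException("unable to find valid certification path to requested target"));
        Throwable expired = new SSLHandshakeException("General SSLEngine problem").initCause(
            new CertPathValidatorException("timestamp check failed",
                new CertificateExpiredException("NotAfter: (constructed sample)")));

        System.out.println(classify(alert));
        System.out.println(classify(noPath));
        System.out.println(classify(expired));
    }
}
```

A NO_TRUSTED_PATH result points at the validating side's trust store (the issuing CA is missing), while EXPIRED and NOT_YET_VALID point at the presented certificate itself, which has to be reissued.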
    







