
Re: Does JSSE support mutual authentication with PFX files?

2001-12-20 11:50:04

Eric,

I already answered E. Alaknantha with a code snippet answering
his question, sorry I forgot to CC the entire list so everyone would
know...

It really would be nice if folks just followed up privately to off-topic
posts.

-rick (cc'ing the list so everyone knows the way)


On 20 Dec 2001, Eric Rescorla wrote:

This really isn't the right forum for this question. Surely
there is a JSSE mailing list.

That said...

"E Alaknantha" <EAlaknantha(_at_)novell(_dot_)com> writes:
I am working with JSSE for SSL communications. I am facing some
problems in doing the mutual authentication with the server certificates
exported to the PFX format.

I am doing a mutual authentication by initialising the keystores with
the PFX file and the truststores with the DER file all in the PKCS12
type.
But only one side authentication is happening. The client does not send
its public certificate to the server and hence getting a null
certificate received exception.

It would be greatly helpful if I could get some suggestions on this
fronts. First of all I want to confirm if the PKCS12 form supports
mutual authentication.

Let's take a step back.

PKCS12/PFX is just a carrier for keying material. It doesn't
support or not support mutual authentication. If both sides
have suitable keying material then mutual authentication is
possible. Otherwise it is not.

The way that authentication works with SSL/TLS is that you have
required server auth but optional client auth. [0] The server
automatically sends its certificate. If the server wants to
authenticate the client it sends a CertificateRequest message
containing a list of suitable CAs. If the client has a suitable
certificate it sends that, otherwise it sends an empty certificate
message or an alert indicating that it won't client authenticate.

Most SSL implementations do not ask for client authentication by
default. Have you set the configuration flag that tells JSSE
to do so?

-Ekr

[0] There are actually anonymous modes where neither server nor
client authenticates but these are very rarely used.

--
[Eric Rescorla                                   ekr(_at_)rtfm(_dot_)com]
Author of "SSL and TLS: Designing and Building Secure Systems"
                  http://www.rtfm.com/
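The JSSE configuration Ekr is asking about, as an added example that is not code from anyone in this thread: each peer builds its SSLContext from its own PKCS12 file (private key plus certificate) and a DER-encoded trust anchor, and the server must additionally call setNeedClientAuth(true) before JSSE will send a CertificateRequest. The file names, password and port are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Builds the SSLContext each peer needs for a mutually authenticated TLS connection. */
public final class MutualAuthContext {
    /** The peer's own private key and certificate chain come from a PKCS12 (.pfx) file. */
    static KeyManager[] keyManagers(String pfxPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfxPath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        return kmf.getKeyManagers();
    }

    /** A bare DER certificate is not a PKCS12 keystore; wrap it in an empty in-memory keystore as a trust anchor. */
    static TrustManager[] trustManagers(String derCertPath) throws Exception {
        X509Certificate peerCa;
        try (InputStream in = new FileInputStream(derCertPath)) {
            peerCa = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("peer-ca", peerCa);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    /** Same construction on both sides; a client initialised with null KeyManagers can only send an empty Certificate message. */
    static SSLContext context(String pfxPath, char[] password, String derCertPath) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers(pfxPath, password), trustManagers(derCertPath), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names, password and port; substitute your own.
        SSLContext serverCtx = context("server.pfx", "changeit".toCharArray(), "client-ca.der");
        SSLServerSocket ss = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(8443);
        ss.setNeedClientAuth(true);   // the "flag": without it JSSE never sends CertificateRequest
        try (SSLSocket s = (SSLSocket) ss.accept()) {
            s.startHandshake();       // fails if the client presents no acceptable certificate
            System.out.println("client authenticated as " + s.getSession().getPeerPrincipal());
        }
    }
}
```

The client uses the same context() call with its own .pfx and the server's CA certificate; use setWantClientAuth(true) instead of setNeedClientAuth(true) if the server should merely request, not require, a client certificate.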