Tomcat 5.5.17 APR/SSL Client Certificat

Hi,

I cannot obtain the client certificate with SSL/client certificate authentication using the APR components.

My configuration: Tomcat 5.5.17, jdk1_5.0_06, Apr-1.2.7, Openssl-0.9.8, tomcat-native-1.1.3 under Solaris 8.

I configured Tomcat to use SSL client-certificate authentication and I need to access the client certificate. When I set SSLVerifyClient="none" the authentication works correctly, but when I set SSLVerifyClient="require" the authentication asks for the client certificate and after that it "freezes". I think that it can't get the client certificate, because when I shut down Tomcat the log contains the line "ssl3_check_client_hello" and no lines after it.

My Tomcat installation follows the guide http://tomcat.apache.org/tomcat-5.5-doc/apr.html and the BUILDING in APR-1.2.7.

This is the SSL HTTP connector extract from my server.xml:

    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100"
               scheme="https" secure="true"
               SSLEngine="on"
               SSLProtocol="all"
               SSLCipherSuite="ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
               SSLCertificateFile="${catalina_base}/srv.crt"
               SSLCertificateKeyFile="${catalina_base}/srv.key"
               SSLPassword="xxxxx"
               SSLCACertificatePath="${catalina_base}"
               SSLCACertificateFile="${catalina_base}/ca.crt"
               SSLVerifyClient="require"
               SSLVerifyDepth="1" />

I don't know what is missing for it to work correctly.

Thanks

Re: Tomcat 5.5.17 APR/SSL Client Certificat

Hi,

> I cannot obtain client certificate with SSL/client certificate
> authentication using APR components
> ...

It's probably a stupid question, but did you generate the client certificate, and did you import it in the browser from which you are trying to connect to your application? How did you create it? You made no reference to that part.

Regards,
Gaël

Re: Tomcat 5.5.17 APR/SSL Client Certificat

The authority who issues the certificate has to be authorized (imported) in the browser. Then the certificate has to be imported into the browser. The server's host name must match the host name in its certificate. Then the client's host name must match the host name in its certificate. Do not forget to add a user in tomcat-user.xml. Please search the postings of Gael and Frank on SSL for more instruction. I will post it on https://breakevilaxis.org later.

Frank Peng.

-----Original Message-----
From: Gaël Lams <lamsgael@...>
To: Tomcat Users List <users@...>
Sent: Tue, 20 Jun 2006 08:43:53 +0200
Subject: Re: Tomcat 5.5.17 APR/SSL Client Certificat

Hi,

> I cannot obtain client certificate with SSL/client certificate
> authentication using APR components
> ...

It's probably a stupid question, but did you generate the client certificate, and did you import it in the browser from which you are trying to connect to your application? How did you create it? You made no reference to that part.

Regards,
Gaël

Re: Tomcat 5.5.17 APR/SSL Client Certificat

Thanks for your answer.

I use openssl 0.9.8 to generate a self-signed CA certificate, a server certificate and a user certificate. If I use Tomcat without APR but with JSSE, I get my client certificate (of course I use keytool to import all the certificates generated by openssl). If I use Apache 2 + mod_jk + Tomcat everything works well; I also get my client certificate. Well, I am under Solaris 8, and I use the same user account to install all products (Apache, Tomcat and so on), i.e. I have the proper rights to do that.

Regards,
Jean-Michel

Re: Tomcat 5.5.17 APR/SSL Client Certificat

Thanks for your response.

But I found the trouble: Tomcat 5.5.17 with tomcat-native-1.1.3 and APR-1.2.7 works well only with the openssl-0.9.7 series, not with the openssl-0.9.8 series.

Regards,
Jean-Michel
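
Added example, not part of the thread: an offline check that a client certificate chains to the file named in SSLCACertificateFile within SSLVerifyDepth, which separates the certificate questions raised in the replies from a handshake or library problem such as the one finally reported. It builds a throwaway, constructed CA and client certificate (the names test-ca and alice are hypothetical) and assumes an openssl CLI, version 1.1.1 or later, on PATH.

```shell
#!/bin/sh
# Added example: constructed test PKI, not the poster's real certificates.

# make_ca DIR NAME: self-signed CA certificate, the role of ca.crt in the thread
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_client DIR CA NAME: client certificate NAME signed directly by CA
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" 2>/dev/null
}

# chain_ok CAFILE CERT DEPTH: succeeds only if CERT chains to CAFILE.
# CAFILE plays the role of SSLCACertificateFile, DEPTH of SSLVerifyDepth.
# The output is matched instead of the exit status so that a failed
# verification is never mistaken for success.
chain_ok() {
    openssl verify -CAfile "$1" -verify_depth "$3" "$2" 2>/dev/null |
        grep -q ': OK$'
}

# Demo run on throwaway files.
dir=$(mktemp -d)
make_ca "$dir" test-ca && issue_client "$dir" test-ca alice
if chain_ok "$dir/test-ca.crt" "$dir/alice.crt" 1; then
    echo "client certificate chains to the CA file at depth 1"
else
    echo "client certificate does not chain to the CA file"
fi
rm -rf "$dir"
```

If the check passes for the real ca.crt and client certificate while the connection still stalls with SSLVerifyClient="require", the certificates themselves are unlikely to be the cause.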