I'm getting trouble with browser-client connecting with two-way-ssl to WLS8.1
sp2. Client cert is from a smartcard and has one intermediate and one root ca-cert.
Connection worked fine with a cert with only one ca, but I don't really know if
thats important.
Won't go in to much detail about the settings, incase some one can point the right
direction with just the ssl-debug (but been through all the obvious ca-certs
in server and client).
So roughly what's this exception about?
--Igor
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx):
27844797>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(is):
3853423>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <17892731 readRecord()>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <17892731 SSL Version 2 with
no padding>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <17892731 SSL3/TLS MAC>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <17892731 received SSL_20_RECORD>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientHelloV2>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 58>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 3366>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=SHP
ROOT CA, O=SHP, C=FI>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=wss.topsel.fi,
O=Fujitsu Services Oy, C=FI>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=GTE
CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation,
C=US>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=SatShp
CA, O=Satakunnan sairaanhoitopiiri, C=FI>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: EMAILADDRESS=persona...@thawte.com,
CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: EMAILADDRESS=personal...@thawte.com,
CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=finigostyr2,
OU=fubar, O=fujitsu, L=helsinki, ST=uusimaa, C=fi>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=GTE
CyberTrust Root, O=GTE Corporation, C=US>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: EMAILADDRESS=server...@thawte.com,
CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
L=Cape Town, ST=Western Cape, C=ZA>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: EMAILADDRESS=personal...@thawte.com,
CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: EMAILADDRESS=premium...@thawte.com,
CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting
cc, L=Cape Town, ST=Western Cape, C=ZA>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=PSHP
TEST CA, O=Pirkanmaan Sairaanhoitopiiri, C=FI>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Secure
Server Certification Authority, O="RSA Data Security, Inc.", C=US>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=Baltimore
CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=Fujitsu
Test CA, O=Fujitsu Services Oy, C=FI>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=GTE
CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=PSHP
CA, O=Pirkanmaan sairaanhoitopiiri, C=FI>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: CN=Baltimore
CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 2598>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 4>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <17892731 readRecord()>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <close(): 17892731>
<May 3, 2004 4:00:03 PM EEST> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@7f0b4e
Severity: 1 Type: 0
java.lang.Throwable: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown
Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
at weblogic.t3.srvr.ListenThread.rejectCatastrophe(ListenThread.java:439)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:533)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
What happens here is client is requested the id-cert he wants and after selecting
it, it is asked again after which page is not found.
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@1091c3f
Severity: 2 Type: 42
java.lang.Throwable: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown
Source)
at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown
Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
Pavel.
<May 3, 2004 3:50:42 PM EEST> <Info> <HTTP> <BEA-101047> <[ServletContext(id=8252845,name=/,context-path=)]
/*: Using standard I/O>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx):
25663554>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(is):
18697006>
<May 3, 2004 3:50:44 PM EEST> <Info> <WebLogicServer> <BEA-000213> <Adding address:
IP-TAKEN-OFF to licensed client list>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <28449506 readRecord()>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <28449506 SSL Version 2 with
no padding>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <28449506 SSL3/TLS MAC>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <28449506 received SSL_20_RECORD>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientHelloV2>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 58>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 3366>
<!-- CONVERTING ALL PRINCIPAL'S ->
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 2598>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 4>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <28449506 readRecord()>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <close(): 28449506>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@119e82c
Severity: 1 Type: 0
java.lang.Throwable: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown
Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
at weblogic.t3.srvr.ListenThread.rejectCatastrophe(ListenThread.java:439)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:533)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <avalable(): 28449506 : 0
+ 0 = 0>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <write ALERT offset = 0 length
= 2>
<May 3, 2004 3:50:44 PM EEST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx):
25663554>
<May 3, 2004 3:50:54 PM EEST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<May 3, 2004 3:50:54 PM EEST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx):
25077087>
<May 3, 2004 3:50:54 PM EEST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
<May 3, 2004 3:50:54 PM EEST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(is):
26945727>
<May 3, 2004 3:50:54 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 3:50:54 PM EEST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<May 3, 2004 3:50:54 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <7344120 readRecord()>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <7344120 SSL Version 2 with
no padding>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <7344120 SSL3/TLS MAC>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <7344120 received SSL_20_RECORD>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientHelloV2>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 58>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 3366>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<!-- CONVERTING ALL PRINCIPAL'S ->
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 2598>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <write HANDSHAKE offset =
0 length = 4>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<May 3, 2004 3:51:05 PM EEST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <7344120 readRecord()>
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <7344120 SSL3/TLS MAC>
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <7344120 received HANDSHAKE>
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<!-- CONVERTING ALL PRINCIPAL'S ->
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@1091c3f
Severity: 2 Type: 42
java.lang.Throwable: Stack trace
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown
Source)
at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown
Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
>
<May 3, 2004 3:51:11 PM EEST> <Debug> <TLS> <000000> <write ALERT offset = 0 length
= 2>
<May 3, 2004 3:51:11 PM EEST> <Debug> <TLS> <000000> <close(): 26487356>
<May 3, 2004 3:51:11 PM EEST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx):
31422227>
Pavel.
The cert situation is that we have two separate certs, one that has only one CA
and other that has a root and intermediate CA's. The one with two CA's doesn't
work.
Actually here's the bad chain, incase you can see other problems (hope not).
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIDPOONMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNVBAYTAkZJ
MQwwCgYDVQQKEwNTSFAxFDASBgNVBAMTC1NIUCBST09UIENBMB4XDTA0MDQwMjA4
NDAwNFoXDTI4MDkxMDA4NDAwNFowSDELMAkGA1UEBhMCRkkxJTAjBgNVBAoTHFNh
dGFrdW5uYW4gc2FpcmFhbmhvaXRvcGlpcmkxEjAQBgNVBAMTCVNhdFNocCBDQTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoQtaYT48hDdK/ruidyfAJ8
YtUKPNjKd3eiUfXTex5SD24jdJdKAppo2fPdjRHnNwSzf0p7FWBy0IwOhf2VzpJU
FiktAMgLF7J1TUX8HvaGxO64PB57BVSGrA669HXsEjenZROII/s5yqbMqoY1Sytv
ud3SD3n4fs1oCVyfI67RiU9ZkY56K6aeGtKPukN4F372EC0uEspVnFaLjWB26Br5
P0PwlV+5SfBd8iLMyJ287JXdpseL0vspiPgMTRFhlG9hComJ4TCkFlzk8UA0kDBS
qNRpGF1vmf4F1b/1SoAw1E3f4YpOeSIDdctgV/qtsCz5KI7pOoBLivRAqE8GNj8C
AwEAAaOCAlMwggJPMB8GA1UdIwQYMBaAFFWYz97OOsh/xUiCfjyXo8xa81hhMB0G
A1UdDgQWBBQb1Ar6W2v9+Q3HvvNizaA8Ts8nwDAOBgNVHQ8BAf8EBAMCAQYwEgYD
VR0TAQH/BAgwBgEB/wIBADCB8gYDVR0fBIHqMIHnMFagVKBShlBsZGFwOi8vbGRh
cC5zaHBjYS5maTozODkvQ049U0hQJTIwUk9PVCUyMENBLE89U0hQLEM9Rkk/Y2Vy
dGlmaWNhdGVyZXZvY2F0aW9ubGlzdDCBjKCBiaCBhoaBg2xkYXA6Ly8vQ049U0hQ
JTIwUk9PVCUyMENBLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXNhdHNocCxEQz1maT9jZXJ0
aWZpY2F0ZXJldm9jYXRpb25saXN0MIHzBggrBgEFBQcBAQSB5jCB4zBMBggrBgEF
BQcwAoZAbGRhcDovL2xkYXAuc2hwY2EuZmk6Mzg5L0NOPVNIUCBST09UIENBLE89
U0hQLEM9Rkk/Y2FDZXJ0aWZpY2F0ZTCBkgYIKwYBBQUHMAKGgYVsZGFwOi8vL0NO
PVNIUCBST09UIENBLENOPUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMsQ049UHVi
bGljIEtleSBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
PXNhdHNocCxEQz1maT9jYUNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IBAQCO
YMco5KWurnCLYEzoSGp9X1cbGDrD5MjImWzgPN28CKB2ttZqPKhDbTs3pHMcc/m+
mt+sw4T0rTE8nTYjlNhIPXs1M1HoSN7iSnt6HCz0M7jxRP9jHVGT9YL90vkgJMb1
PfoUhqHyWnC11U9Q687iQfTUKgd51iq7lTQWR76+yn4Z0UOgLHAfQgjZ5/VwUdcr
AH6SrUB0IsiPac74gIcmDOrdX0VBs1VTrCuStQCF5U36PF7ogNPdiGmwZoiZM88j
IB2v7KZHAk8IPA/nl1Zs83JMd73IVsOZ3SDAakWoWhUYwF6XWWlebyO6popILFa0
rbXWyDmzVxmgIkgYuDSn
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIDPOONMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNVBAYTAkZJ
MQwwCgYDVQQKEwNTSFAxFDASBgNVBAMTC1NIUCBST09UIENBMB4XDTA0MDQwMjA4
NDAwNFoXDTI4MDkxMDA4NDAwNFowSDELMAkGA1UEBhMCRkkxJTAjBgNVBAoTHFNh
dGFrdW5uYW4gc2FpcmFhbmhvaXRvcGlpcmkxEjAQBgNVBAMTCVNhdFNocCBDQTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoQtaYT48hDdK/ruidyfAJ8
YtUKPNjKd3eiUfXTex5SD24jdJdKAppo2fPdjRHnNwSzf0p7FWBy0IwOhf2VzpJU
FiktAMgLF7J1TUX8HvaGxO64PB57BVSGrA669HXsEjenZROII/s5yqbMqoY1Sytv
ud3SD3n4fs1oCVyfI67RiU9ZkY56K6aeGtKPukN4F372EC0uEspVnFaLjWB26Br5
P0PwlV+5SfBd8iLMyJ287JXdpseL0vspiPgMTRFhlG9hComJ4TCkFlzk8UA0kDBS
qNRpGF1vmf4F1b/1SoAw1E3f4YpOeSIDdctgV/qtsCz5KI7pOoBLivRAqE8GNj8C
AwEAAaOCAlMwggJPMB8GA1UdIwQYMBaAFFWYz97OOsh/xUiCfjyXo8xa81hhMB0G
A1UdDgQWBBQb1Ar6W2v9+Q3HvvNizaA8Ts8nwDAOBgNVHQ8BAf8EBAMCAQYwEgYD
VR0TAQH/BAgwBgEB/wIBADCB8gYDVR0fBIHqMIHnMFagVKBShlBsZGFwOi8vbGRh
cC5zaHBjYS5maTozODkvQ049U0hQJTIwUk9PVCUyMENBLE89U0hQLEM9Rkk/Y2Vy
dGlmaWNhdGVyZXZvY2F0aW9ubGlzdDCBjKCBiaCBhoaBg2xkYXA6Ly8vQ049U0hQ
JTIwUk9PVCUyMENBLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxD
Tj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXNhdHNocCxEQz1maT9jZXJ0
aWZpY2F0ZXJldm9jYXRpb25saXN0MIHzBggrBgEFBQcBAQSB5jCB4zBMBggrBgEF
BQcwAoZAbGRhcDovL2xkYXAuc2hwY2EuZmk6Mzg5L0NOPVNIUCBST09UIENBLE89
U0hQLEM9Rkk/Y2FDZXJ0aWZpY2F0ZTCBkgYIKwYBBQUHMAKGgYVsZGFwOi8vL0NO
PVNIUCBST09UIENBLENOPUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMsQ049UHVi
bGljIEtleSBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
PXNhdHNocCxEQz1maT9jYUNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IBAQCO
YMco5KWurnCLYEzoSGp9X1cbGDrD5MjImWzgPN28CKB2ttZqPKhDbTs3pHMcc/m+
mt+sw4T0rTE8nTYjlNhIPXs1M1HoSN7iSnt6HCz0M7jxRP9jHVGT9YL90vkgJMb1
PfoUhqHyWnC11U9Q687iQfTUKgd51iq7lTQWR76+yn4Z0UOgLHAfQgjZ5/VwUdcr
AH6SrUB0IsiPac74gIcmDOrdX0VBs1VTrCuStQCF5U36PF7ogNPdiGmwZoiZM88j
IB2v7KZHAk8IPA/nl1Zs83JMd73IVsOZ3SDAakWoWhUYwF6XWWlebyO6popILFa0
rbXWyDmzVxmgIkgYuDSn
-----END CERTIFICATE-----
Found out there's some options to cut down the validation of certs from command
line: -Dweblogic.security.SSL.enforceConstraints=off , but setting this didn't
seem to make a difference in our case.
--Igor
Pavel.
Thanks Pavel, you've been a great help to me and Igor. I opened a support case
for this problem which follows here. Any suggestions are welcome!
---8<--------------------------------------------------------------------------
You should read the following thread in weblogic.developer.interest.security newsgroup
for background information. The reason was found there but the solution not yet.
We are using WLS and 2-way-SSL for client authentication. Our user (client) certificates
have one extension field (SubjectAlternativeName) marked as critical as you can
see in the following base64 encoded cert.
-----BEGIN CERTIFICATE-----
MIIFXzCCBEegAwIBAgIDPUh1MA0GCSqGSIb3DQEBBQUAMEgxCzAJBgNVBAYTAkZJ
MSUwIwYDVQQKExxTYXRha3VubmFuIHNhaXJhYW5ob2l0b3BpaXJpMRIwEAYDVQQD
EwlTYXRTaHAgQ0EwHhcNMDQwNDA3MTIwOTAxWhcNMDkwNDA5MTIzOTAxWjCBgjEL
MAkGA1UEBhMCRkkxDzANBgNVBAoTBlNBVFNIUDEmMCQGA1UEAxMdVGVzdGFhamEg
VGVwcG8gU0FUU0hQMTAwMDAwMDExFzAVBgNVBAUTDlNBVFNIUDEwMDAwMDAxMREw
DwYDVQQEEwhUZXN0YWFqYTEOMAwGA1UEKhMFVGVwcG8wgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAM7TEETN/1ce/jYAoKIeJTig7n93yVtf37mNJn96oRYzRe45
DdRjvXsZuxOXhw4coIp142FLPcbRdhwb72TU3/oOZ94lM3W7PscF2TDXbG74w5te
oAYjC6Y9lBHb9kIkZ4poz9Lc6FjacrWL94v/522CFivHzV8L4y4q/Yj06v2jAgMB
AAGjggKZMIIClTAfBgNVHSMEGDAWgBQb1Ar6W2v9+Q3HvvNizaA8Ts8nwDAdBgNV
HQ4EFgQU85g/2KT2Dnc7Ozehr15WSFkisWowDgYDVR0PAQH/BAQDAgSwMEwGA1Ud
EQEB/wRCMECgJgYKKwYBBAGCNxQCA6AYDBZhc2VubnVzaW52aWFAc2F0c2hwLmZp
gRZhc2VubnVzaW52aWFAc2F0c2hwLmZpMIHsBgNVHR8EgeQwgeEwVaBToFGGT2xk
YXA6Ly9sZGFwLnNocGNhLmZpOjM4OS9DTj1TYXRTaHAlMjBDQSxPPVNhdFNocCxD
PUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwgYeggYSggYGGf2xkYXA6Ly8v
Q049U2F0U2hwJTIwQ0EsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2Vz
LENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2F0c2hwLERDPWZpP2Nl
cnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCisG
AQQBgjcUAgIGCCsGAQUFBwMEMIHaBggrBgEFBQcBAQSBzTCByjBNBggrBgEFBQcw
AoZBbGRhcDovL2xkYXAuc2hwY2EuZmk6Mzg5L0NOPVNhdFNocCBDQSxPPVNBVFNI
UCxDPUZJP2NhQ2VydGlmaWNhdGUweQYIKwYBBQUHMAKGbWxkYXA6Ly8vQ049U2F0
U2hwIENBLENOPUFJQSxDTj1QdWJsaWMgS2V5IFNlcnZpY2VzLENOPVNlcnZpY2Vz
LENOPUNvbmZpZ3VyYXRpb24sREM9c2F0c2hwLERDPWZpP2NhQ2VydGlmaWNhdGUw
DQYJKoZIhvcNAQEFBQADggEBAIY6P8AEMR4IWCLNY0nuZn0Buge0VPPmZC1kQmFh
cPFeiq38gBWNL2TPvq9KAURg8riyopzhvcWZFS9BP426acCj6LfJupYDgwUILw1V
PbHPpQUhjoUZ0No5gsj43CBWmgTBZ+DeBRyo3MaEUSWuIqBWN/Q/eRG0qlStpUFX
STozg4oq4lDlqZOYNOLRUPEyDZymJJVEkRxNYYFpKYVsPOBlIRjEp/H9J+sBFK0n
S2HBXTCX58s33JwlHjFNmOnMLpGHu1G0TRP8uOai/v7MYm9xzClhzjk5VXduDYqH
4zrs3H1Mb9p/Gz3smp99tcOJfC0wEcDHVv1O0YZPenAuxEE=
-----END CERTIFICATE-----
Some additional info on the extension in question:
---
SubjectAlternativeName (OID 2.5.29.17) extension in user certificate is marked
as critical.
SEQUENCE [76] {
OBJECT_ID [3] "2.5.29.17" -- subjectAltName
BOOLEAN [1] ff
OCTET_STRING [66]
3040a026 060a2b06 01040182 37140203 a0180c16 6173656e 6e757369 6e766961
40736174 7368702e 66698116 6173656e 6e757369 6e766961 40736174 7368702e
6669 }
SubjectAlternativeNames =
Following names detected =
EMAIL (rfc822), UPN (principal name)
Viewing specific name types =
EMAIL = asennu...@satshp.fi
UPN = <asennu...@satshp.fi>
[CRITICAL]
---
The problem is that Weblogic cannot handle this user certificate and throws on
exception for BAD_CERTIFICATE and the 2-way-SSL handshake fails. Here's a clip
from the ssl debug log.
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <Converting principal: OU=Class
2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<May 3, 2004 3:51:07 PM EEST> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@1091c3f
Severity: 2 Type: 42 java.lang.Throwable: Stack trace at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source) at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown
Source) at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown
Source) at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown
Source) at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source) at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source) at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown
Source) at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source) at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source) at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197) at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
Quote from Pavel (see the newsgroup thread I mentioned):
"Certicom SSLPlus ssl implementation used by Weblogic only enforces the following
critical extentions: basic constraints, key usage, and extended key usage. It
is possible that the certificate is rejected because it contains some other extention
marked as critical, which SSLPlus does not know how to enforce."
This seems really to be the problem. Any suggestions what to do and how to get
around this problem? Is there any way to configure the ssl implementation to accept
our client certs? Would changing java.protocol.handler.pkgs (to what?) solve anything?