0

Currently I have a problem with enable the mutual SSL on server and client.

On the server side, I config the tomcat with enable ClientAuth and config the client's certificate to the truststore.

So during ssl handshake, I can see the server's certificate request: 

 [java] *** CertificateRequest
   [java] Cert Types: RSA, DSS, ECDSA
   [java] Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
   [java] Cert Authorities:
   [java] <CN=https-test.domain.com, O=Domain.com, L= XX, ST=XX, C=US>

We can see the server is requestoing certificate with the Subject Distinguish Name. But at client side, when client filter the keys, it is treat the DN as Issuer DN, see code here: http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/ssl/SunX509KeyManagerImpl.java#378

So this will lead to a problem :

[java] Warning: no suitable certificate found - continuing without client authentication
   [java] *** Certificate chain
   [java] <Empty>
   [java] ***

So the handshake just failed.

Here is some of the certificate information: 

Issuer: DC=com, DC=domain, CN=Domain. com Security
Subject: C=US, ST=XX, L=XX, O=Domain.com, CN=https-test.domain.com

My question here is Why the Server request client certificate with the Subject DN, but client will filter with IssuerDN?

To let them connection successfully, i need to config my server's truststore with client's parent certificate with will have the Subject DN the same as Issuer: DC=com, DC=domain, CN=Domain. com Security

Any Idea on this ? I might have some misunderstanding on this, but still want to know why.

user2737230
  • 101
  • 3
  • 1
    The server does NOT request client cert by subject name. See in the trace for cert req where it says 'Cert **authorities**' ? The issuer of a cert is a CA, and the CA(s) requested is(are) the issuer(s) (possibly separated by one or mroe chain cert(s)) of (leaf) certs considered acceptable. Generally you should have an end-entity cert in a SSL/TLS truststore only when that entity cert is selfsigned and thus has Issuer = Subject (and you trust the selfsigning process, of course). – dave_thompson_085 Aug 16 '17 at 01:50
  • I might not tell the question clearly, But in my server if I only config one isolated certificate which is not selfsigned, say Subject = S, Issuer = B, (self-sign Subject=Issuer) in the trust store, when server send CertificateRequest to client, it will pick up the DN as S . I want to know why it does so, is that mean at server side, the truststore only means the CAs you trust? i can't just trust one specific certificate? – user2737230 Aug 17 '17 at 04:37
  • (Sorry I missed the notification.) In Java you _can_ _trust_ a leaf cert that is in the truststore, but can't _request_ it because the request is defined to be CAs hence at least one level up, so the client will have to ignore the request and choose/send the cert anyway. But the whole point of having certs issued by CAs is so that you save work by trusting the CAs; if not you might as well just use selfsigned and do all the admin yourself. – dave_thompson_085 Aug 22 '17 at 17:47

0 Answers0