Subject: Error #1 The incoming connection (client) failed to provide certificate
Author: authen
In response to: SSL/TLS Error Database -- To Trust/Validate An Incoming Connection
Posted on: 02/28/2008 06:35:04 PM
If your application requires mutual authentication and the client fails to provide any certificate, you would most likely see something like this:
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
> On 02/28/2008 06:32:10 PM authen wrote:
What's a truststore?
A truststore is a keystore which is used when making decisions about what to trust. If you receive some data from an entity that you already trust, and if you can verify that the entity is the one it claims to be, then you can assume that the data really came from that entity.
An entry should only be added to a truststore if the user makes a decision to trust that entity. Either by generating a keypair or by importing a certificate, the user has given trust to that entry, and thus any entry in the keystore is considered a trusted entry.
The default truststore is "$JAVA_HOME/lib/security/java.security/cacerts" with a keystore password of "changeit". You can change the default settings by:
System.setProperty("javax.net.ssl.trustStore", "path_to_your_truststore");
What's CRL?
CRL stands for certificate revocation list, in which revoked certificates are itemized. A CRL can be a static local file that is pre-downloaded from the CA, or a dynamic repository pointed to by the CA's certificate's CRLDP (CRL Distribution Point).
Steps to trust/validate an incoming connection?
Whenever there is an incoming connection requesting SSL/TLS communication with its certificate, your application has to decide whether to trust it or not before building a secure channel for SSL/TLS encrypted communication. The process of making that decision is commonly referred to as "handshaking". In order to validate a certificate, the following steps are usually involved:
Step 1) Certificate cipher checking
Step 2) Certificate constraints (e.g. maxPathLength, naming) checking
Step 3) Certificate policies checking
Step 4) Certificate basic (e.g. before/after, subject/issuer name chaining, signature) checking
Step 5) [Optional] Certificate revocation (e.g. static CRL files and dynamic CRLDPs) checking
References:
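The failure described at the top of this thread, shown end to end as an added Go example (not code from the original posts): an in-memory TLS server whose ClientAuth policy plays the role of the Java server's "need client auth" setting, and a client that has a truststore (RootCAs) but no certificate of its own. With tls.RequireAndVerifyClientCert the server's handshake fails and the client receives the alert; with tls.RequestClientCert the same certificate-less client is accepted. The server certificate, the client's truststore and the pipe are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // demo helper: the in-memory setup cannot legitimately fail
	if err != nil {
		panic(err)
	}
	return v
}

// HandshakeWithoutClientCert runs one TLS handshake over an in-memory pipe between a
// server using the given client-auth policy and a client that holds no certificate at
// all. It returns what each side's handshake reported (nil means that side accepted).
func HandshakeWithoutClientCert(policy tls.ClientAuthType) (serverErr, clientErr error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{ // throwaway self-signed server certificate for the demo
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-server"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	roots := x509.NewCertPool() // the client's "truststore": it trusts only the demo cert
	roots.AddCert(must(x509.ParseCertificate(der)))
	c1, c2 := net.Pipe()
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srv := tls.Server(c1, &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy,
		SessionTicketsDisabled: true}) // no tickets: one flight each way keeps the pipe simple
	cli := tls.Client(c2, &tls.Config{RootCAs: roots, ServerName: "localhost"})
	clientDone := make(chan error, 1)
	go func() { // client side: Read drives the handshake, then waits for the server's verdict
		_, err := cli.Read(make([]byte, 1)) // the server's alert on rejection; EOF after success
		clientDone <- err
	}()
	serverErr = srv.Handshake()
	c1.Close() // raw close, no close_notify: a blocking write would deadlock the synchronous pipe
	return serverErr, <-clientDone
}
```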