Home > Archive > Java Security > March 2004 > Retrieving SSL server certificate without performing client authentication
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Retrieving SSL server certificate without performing client authentication
|
|
| Thilo-Alexander Ginkel 2004-03-19, 8:55 pm |
| Hello,
I am currently looking for a method to obtain the X.509 certificate of a
SSL server which has client authentication enabled. Unfortunately, I do
not have access to the correct client certificate at the time I need to
retrieve the server certificate. My current Java implementation works well
when client authentication is disabled:
-- 8< --
[...]
SSLContext ctx = UserSSLContextFactory.getDefault().getContext("TLS");
SSLSocketFactory sf = ctx.getSocketFactory();
SSLSocket sock = (SSLSocket) sf.createSocket(host, port);
sock.setUseClientMode(true);
sock.setEnableSessionCreation(true);
SSLSession sess = sock.getSession();
javax.security.cert.X509Certificate[] chain = null;
try {
sock.startHandshake();
chain = sess.getPeerCertificateChain();
} catch (IOException e) { };
[...]
-- 8< --
Unfortunately, as soon as client authentication is enabled on the server,
sock.startHandshake() throws an exception and there seems to be no way to
get access to the certificate which has already been transferred during
the handshake's ServerHello message.
Is there any way to get access to this information without re-implementing
the whole SSL protocol (or at least the required sub-set)?
Eric Rescorla's PureTLS [1] seems to have the same behavior, but at least
comes with full source code, so I could modify it to fit my needs.
Are there any third-party libraries which have built-in support for this
scenario?
Thanks,
Thilo
[1] http://www.rtfm.com/puretls/
| |
| Thilo-Alexander Ginkel 2004-03-19, 8:55 pm |
| Thilo-Alexander Ginkel wrote:
> Unfortunately, as soon as client authentication is enabled on the server,
> sock.startHandshake() throws an exception and there seems to be no way to
> get access to the certificate which has already been transferred during
> the handshake's ServerHello message.
Of course, this should read "Certificate" instead of "ServerHello".
Regards,
Thilo
| |
| Thilo-Alexander Ginkel 2004-03-19, 8:55 pm |
| Thilo-Alexander Ginkel wrote:
> Unfortunately, as soon as client authentication is enabled on the server,
> sock.startHandshake() throws an exception and there seems to be no way to
> get access to the certificate which has already been transferred during
> the handshake's ServerHello message.
>
> Is there any way to get access to this information without re-implementing
> the whole SSL protocol (or at least the required sub-set)?
Problem solved: The TrustManager's checkServerTrusted method is called even
if the handshake fails.
Regards,
Thilo
|
|
|
|
|