Retrieving SSL server certificate without performing client authentication

Hello,

I am currently looking for a method to obtain the X.509 certificate of a
SSL server which has client authentication enabled. Unfortunately, I do
not have access to the correct client certificate at the time I need to
retrieve the server certificate. My current Java implementation works well
when client authentication is disabled:

-- 8< --
[...]
SSLContext       ctx  = UserSSLContextFactory.getDefault().getContext("TLS")
;
SSLSocketFactory sf   = ctx.getSocketFactory();
SSLSocket        sock = (SSLSocket) sf.createSocket(host, port);

sock.setUseClientMode(true);
sock.setEnableSessionCreation(true);

SSLSession       sess = sock.getSession();

javax.security.cert.X509Certificate[] chain = null;

try {
sock.startHandshake();
chain = sess.getPeerCertificateChain();
} catch (IOException e) { };
[...]
-- 8< --

Unfortunately, as soon as client authentication is enabled on the server,
sock.startHandshake() throws an exception and there seems to be no way to
get access to the certificate which has already been transferred during
the handshake's ServerHello message.

Is there any way to get access to this information without re-implementing
the whole SSL protocol (or at least the required sub-set)?

Eric Rescorla's PureTLS [1] seems to have the same behavior, but at leas
t
comes with full source code, so I could modify it to fit my needs.

Are there any third-party libraries which have built-in support for this
scenario?

Thanks,
Thilo

[1] http://www.rtfm.com/puretls/

Thilo-Alexander Ginkel wrote:

> Unfortunately, as soon as client authentication is enabled on the server,
> sock.startHandshake() throws an exception and there seems to be no way to
> get access to the certificate which has already been transferred during
> the handshake's ServerHello message.

Of course, this should read "Certificate" instead of "ServerHello".

Regards,
Thilo

Thilo-Alexander Ginkel wrote:

> Unfortunately, as soon as client authentication is enabled on the server,
> sock.startHandshake() throws an exception and there seems to be no way to
> get access to the certificate which has already been transferred during
> the handshake's ServerHello message.
>
> Is there any way to get access to this information without re-implementing
> the whole SSL protocol (or at least the required sub-set)?

Problem solved: The TrustManager's checkServerTrusted method is called even
if the handshake fails.

Regards,
Thilo