Discussion:
[Jxplorer-users] Please help... Trying to get mutual SSL authentication to work
Chris Selwyn
2010-08-05 19:33:28 UTC
I am using JXplorer 3.2.1

I have been trying to get a connection to an LDAP server working that
requires mutual SSL authentication.

I have set the Level to "SSL + Anonymous".
Using truss on Solaris, I can see JXplorer loading the cacerts file but
I cannot see it loading the clientcerts file.
When I try to connect, I get a "Received fatal alert: bad_certificate".
I have looked at the log that is generated when I set
"javax.net.debug=all" and I can see that the client is not sending a
certificate chain in response to the ServerHelloDone.
It appears to be ignoring the option.ssl.clientcerts completely.

Is there something that I am missing to cause the clientcerts file to
get loaded and hence a client certificate to be sent?

Chris Selwyn
Chris Selwyn
2010-08-05 21:36:41 UTC
I think I worked it out...

I think I need to use Level = "SSL + SASL + Keystore password"... correct?

Chris
------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Jxplorer-users mailing list
https://lists.sourceforge.net/lists/listinfo/jxplorer-users
Chris Selwyn
2010-08-06 15:49:32 UTC
Unfortunately, the answer appears to be "no".

As far as I can tell, the only way JXplorer uses the client keystore
is when SSL+SASL is selected.

It doesn't seem to allow the client keystore to be used in the "SSL +
anonymous" case... Is this true?
The directory that I am connecting to uses mutual authentication at the
SSL level but does not use SASL to identify to the directory who is
connecting... connection at the directory level is done anonymously.

Can someone please confirm whether or not my findings are true and
whether or not it is possible to get JXplorer to allow the client
keystore to be used in the "SSL + anonymous" case.

Chris
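
The setup described in this thread, a client certificate presented during the SSL handshake followed by an anonymous LDAP bind with no SASL, written against plain JSSE and JNDI as an added example. This is not JXplorer's code; the keystore paths, password, keystore type and host name are placeholder assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsAnonymousBind {
    // Placeholder values (assumptions): substitute your own files, password and host.
    static final String CLIENT_KEYSTORE = "security/clientcerts";
    static final String TRUST_KEYSTORE = "security/cacerts";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final String LDAP_URL = "ldaps://ldap.example.com:636";

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumed keystore type
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    static SSLContext clientAuthContext() throws Exception {
        // The key managers hold the client's private key and certificate chain.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(CLIENT_KEYSTORE), PASSWORD);
        // The trust managers hold the CA certificates used to verify the server.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUST_KEYSTORE));
        SSLContext ctx = SSLContext.getInstance("TLS");
        // With null as the first argument the client has no key material and
        // answers the server's CertificateRequest with an empty certificate list.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The JNDI LDAP provider uses the default SSL socket factory for ldaps:// URLs.
        SSLContext.setDefault(clientAuthContext());
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous at the LDAP layer
        new InitialDirContext(env).close(); // handshake and bind happen here
        System.out.println("Connected with a client certificate and an anonymous bind");
    }
}
```

Running it with `-Djavax.net.debug=ssl,handshake` shows whether a certificate chain is sent after the ServerHelloDone.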
Jesus Ostos
2010-08-06 21:14:39 UTC
Hi Chris, how are you?
I am sorry for my delay... I am testing what you told me.
Please let me test again in order to see if I can solve the issue.
I will let you know.
Thanks a lot and have a good weekend...
Jesus Ostos.

Jesus Ostos
2010-08-06 21:16:12 UTC
Hi Chris, how are you?
I am sorry for my delay... I am testing what you told me.
Please let me test again in order to see if I can solve the issue.
I will let you know.
Thanks a lot and have a good weekend...
Jesus Ostos.

