Key Manager Not Sending Client Certificate

Q

Why is the Key Manager not sending the client certificate to the SSL server? I have provided a keystore file with the client certificate inside.

✍: FYIcenter

A

JSSE documentation does not provide any details on how the Key Manager selects a certificate and sends it to the SSL server. But rxg provided a good explanation of how the Key Manager works in this stackoverflow article: How is the SSL client certificate chosen when there are multiple matching certificates.

Basically, the Key Manager selects the first certificate that meets the requirements given by the SSL server, as described below:

  • It takes all certificates that have associated private keys as available client certificates.
  • It scans the CertificateRequest message received from the SSL server for supported public key algorithms, supported digital signature algorithms and supported Certificate Authorities (CA).
  • It reduces the available client certificates by removing any one that is not using a public key algorithm supported by the SSL server.
  • It reduces the available client certificates by removing any one that is not using a digital signature algorithm supported by the SSL server.
  • It reduces the available client certificates by removing any one that is not signed by a Certificate Authority supported by the SSL server.
  • It sends the first certificate from the remaining list of available client certificates to the server.

Of course, if the list of available client certificates is empty, no certificate will be sent to the SSL server. In this case, the server will get the "SSLHandshakeException: null cert chain" exception.
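To see the selection rules above in action on your own keystore, the following added example (not part of the original tutorial or of JSSE) wraps the default Key Manager in a diagnostic X509ExtendedKeyManager. It prints the key types and the CA issuer names the server listed in its CertificateRequest, and which alias the default Key Manager picked, so an empty issuer match or a self-signed certificate shows up directly instead of only as "null cert chain" on the server side. The class name LoggingKeyManager, the keystore password argument and the command-line layout are assumptions; client.jks and server_crt.jks are the file names used on this page.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

// Hypothetical diagnostic wrapper (added example, not JSSE code): delegates every
// call to the default Key Manager and reports what the server asked for and
// which client alias was chosen.
public class LoggingKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager inner;

    public LoggingKeyManager(X509KeyManager inner) { this.inner = inner; }

    // Called by SSLSocket-based handshakes (the case on this page).
    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        String alias = inner.chooseClientAlias(keyType, issuers, socket);
        report(keyType, issuers, alias);
        return alias;
    }

    // Called by SSLEngine-based handshakes; fall back to the socket variant if needed.
    @Override
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        String alias = (inner instanceof X509ExtendedKeyManager)
            ? ((X509ExtendedKeyManager) inner).chooseEngineClientAlias(keyType, issuers, engine)
            : inner.chooseClientAlias(keyType, issuers, null);
        report(keyType, issuers, alias);
        return alias;
    }

    private void report(String[] keyType, Principal[] issuers, String alias) {
        // keyType = public key algorithms accepted by the server (e.g. RSA, EC).
        System.err.println("Server accepts key types: " + Arrays.toString(keyType));
        // issuers = CA subject names from the CertificateRequest; null means the
        // server did not restrict issuers.
        System.err.println("Server accepts issuers: "
            + (issuers == null ? "(not restricted)" : Arrays.toString(issuers)));
        if (alias == null) {
            System.err.println("No client certificate matched; nothing will be sent.");
            return;
        }
        X509Certificate leaf = inner.getCertificateChain(alias)[0];
        System.err.println("Chosen alias '" + alias + "': subject=" + leaf.getSubjectX500Principal()
            + " issuer=" + leaf.getIssuerX500Principal());
    }

    // Remaining interface methods simply delegate.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return inner.getClientAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return inner.chooseServerAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return inner.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return inner.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return inner.getPrivateKey(alias); }

    private static KeyStore loadJks(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password.toCharArray()); }
        return ks;
    }

    // Usage (assumed layout): java LoggingKeyManager client.jks <password> server_crt.jks localhost 8080
    public static void main(String[] args) throws Exception {
        KeyStore clientKs = loadJks(args[0], args[1]);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, args[1].toCharArray());
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        }

        // Trust store holding the server certificate, as in the tutorial's -Djavax.net.ssl.trustStore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(args[2], args[1]));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[3], Integer.parseInt(args[4]))) {
            s.startHandshake();
            System.err.println("Handshake completed: " + s.getSession().getCipherSuite());
        }
    }
}
```

Run it against SslServerCmd started with clientAuth=Yes: if the issuers printed do not include the issuer of the certificate in client.jks (a self-signed certificate is its own issuer, which the server's default trust material does not list), the wrapper reports that no certificate matched, which is exactly the condition that produces "null cert chain" on the server.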

You can play with SslServerCmd.java and SslClientCertificateCmd.java given in previous tutorials to see the "null cert chain" error:

1. Open a command window and run SslServerCmd.java on your local host with client authentication turned on:

\fyicenter>\local\jdk-1.8.0\bin\java SslServerCmd 8080 Yes

USAGE: java SslServerCmd [port [clientAuth]]
Listening: port=8080, clientAuth=Yes

2. Open another command window and run SslClientCertificateCmd.java on your local host:

\fyicenter>\local\jdk-1.8.0\bin\java
   -Djavax.net.ssl.trustStore=server_crt.jks
   SslClientCertificateCmd localhost 8080 /index.html

Exception in thread "main" java.net.SocketException:
   Software caused connection abort: recv failed
   at java.net.SocketInputStream.socketRead0(Native Method)
   at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
...

3. Look at the SslServerCmd.java execution window; you will see the following error:

USAGE: java SslServerCmd [port [clientAuth]]
Listening: port=8080, clientAuth=Yes

Exception in thread "main" javax.net.ssl.SSLHandshakeException: null cert chain
   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
...

In this case, the client certificate in the client.jks file is removed from the available client certificate list, because it is a self-signed certificate and not signed by any of the Certificate Authorities the server accepts.

2018-06-12