Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

In SSL handshake can we make the client send a certificate if the server sends CertificateRequest with empty 'Cert Authorities' list

Tags:

java

authentication

ssl

I am currently working on a SSL client in Java and need to establish a https connection with a third party server which requires client authentication. The server guys have given me a trusted root CA cert that is used to sign both client as well as server certificates. I have put this cert in the truststore on my side. The server folks also have this root CA cert which they use to verify client certificates.

When I try to establish a SSL connection the server I see that the handshake goes through fine when server sends it's cert and my client is able to verify it successfully. But as part of the 'Certificate Request' message, the server DOES NOT return any root CA cert in the 'Cert Authorities' parameter. Due to this my client does not send the client cert back to the server and the handshake fails.

I am writing standard Java code with WSDL stubs. I am leveraging the wsdl stubs generated by wsdl2Java ant task.

So My question is: Can I make my java client send a pre-set client certificate back to the server even when the server sends an empty 'Cert Authorities' list when it requests the client authentication. (I read the TLS RFC and I see that its legal for a server to send an empty list like this in which case the client may send back any certificate it sees fit. I am trying to achieve exactly the same behavior).

like image 676
mandar bapaye Avatar asked Jan 27 '26 04:01

mandar bapaye

1 Answers

Sorry for replying to this age old post, but I couldn't resist.

I have seen this kind of handshakes work just fine:

according to javax.net.debug=all

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>
*** ServerHelloDone
matching alias: our_client_cert_alias
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=

But it might depend on your HTTP client library and how it handles SSL/TLS (re)negotiation. This was using Java 8 and http://spray.io/documentation/1.2.4/spray-client/

like image 53
JohannesB Avatar answered Jan 28 '26 21:01

JohannesB
Sign in to Comment

Related questions

How to fix "Unable to create javax script engine for javascript" in netbeans?
Camel REST Bean Chaining
Tomcat 7 does not scan annotations when using Jersey 2
Create "Hello World" using Java on Codenvy [closed]
Spring Security - Change all instances of RedirectStrategy
Java program to generate a unique and random six alpha numeric code
Do we need synchronization when setting the value of an element in an ArrayList
Break a long string into lines with proper word wrapping
Is this the cleanest way to repeat method call in Java?
What is the cause for classpath mismatch between compile-time and run-time in a multi-threaded application?
Creating an installer for a Java app
Bug in HashMap / ArrayList or wrong code? [duplicate]
Spring Boot Remove Whitelabel Error Page for web application
Algorithm to verify if a two-dimensional array has two equals rows
How generic interface methods are implemented [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!