Server Client Auth request Subject Distinguished Name but client filter with Issuer Distinguished Name

孤者浪人 submitted on 2019-12-25 09:12:36

Question


Currently I have a problem with enabling mutual SSL on the server and client.

On the server side, I configured Tomcat with ClientAuth enabled and added the client's certificate to the truststore.

So during the SSL handshake, I can see the server's certificate request:

    [java] *** CertificateRequest
    [java] Cert Types: RSA, DSS, ECDSA
    [java] Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
    [java] Cert Authorities:
    [java] <CN=https-test.domain.com, O=Domain.com, L= XX, ST=XX, C=US>

We can see the server is requesting a certificate with the Subject Distinguished Name. But on the client side, when the client filters the keys, it treats the DN as the Issuer DN; see the code here: http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/ssl/SunX509KeyManagerImpl.java#378

So this will lead to a problem:

    [java] Warning: no suitable certificate found - continuing without client authentication
    [java] *** Certificate chain
    [java] <Empty>
    [java] ***

So the handshake just failed.

Here is some of the certificate information:

Issuer: DC=com, DC=domain, CN=Domain. com Security
Subject: C=US, ST=XX, L=XX, O=Domain.com, CN=https-test.domain.com

My question here is: why does the server request the client certificate with the Subject DN, while the client filters with the Issuer DN?

To let them connect successfully, I need to configure my server's truststore with the client's parent certificate, which will have the Subject DN the same as Issuer: DC=com, DC=domain, CN=Domain. com Security

Any idea on this? I might have some misunderstanding on this, but I still want to know why.

Source: https://stackoverflow.com/questions/45702526/server-client-auth-request-subject-distinguished-name-but-client-filter-with-iss
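
Added example, not part of the original question and not JDK code: a minimal Java model of the name matching seen in the handshake log, where the DNs listed under "Cert Authorities" are the subject DNs of the server's truststore entries and the client compares them with the issuer DNs of the certificates in its own chain. The `Cert` record and the method names are hypothetical, and treating the parent certificate as self-signed is an assumption.

```java
import javax.security.auth.x500.X500Principal;
import java.util.List;

// Requires Java 16+ (records, Stream.toList()).
public class ClientCertSelectionDemo {
    // Hypothetical stand-in for an X.509 certificate: only the two names the filter compares.
    record Cert(X500Principal subject, X500Principal issuer) {}

    // Server side: "Cert Authorities" carries the subject DN of every truststore entry.
    static List<X500Principal> advertised(List<Cert> truststore) {
        return truststore.stream().map(Cert::subject).toList();
    }

    // Client side: a key entry qualifies if any certificate in its chain was issued
    // by one of the advertised DNs. An empty list means any issuer is acceptable.
    static boolean chainMatches(List<Cert> chain, List<X500Principal> certAuthorities) {
        if (certAuthorities.isEmpty()) {
            return true;
        }
        for (Cert c : chain) {
            if (certAuthorities.contains(c.issuer())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // DNs taken from the question, written in RFC 2253 order.
        X500Principal caDn = new X500Principal("CN=Domain. com Security, DC=domain, DC=com");
        X500Principal leafDn = new X500Principal(
                "CN=https-test.domain.com, O=Domain.com, L=XX, ST=XX, C=US");

        Cert parent = new Cert(caDn, caDn);     // assumption: parent is self-signed
        Cert client = new Cert(leafDn, caDn);   // client certificate issued by the parent
        List<Cert> clientChain = List.of(client);

        // Truststore holds the client certificate itself: the server advertises the
        // client's subject DN, which is not the issuer of anything in the client's chain.
        System.out.println("leaf in truststore:   "
                + chainMatches(clientChain, advertised(List.of(client))));

        // Truststore holds the parent certificate: the advertised DN equals the
        // issuer DN of the client certificate, so the key entry is selected.
        System.out.println("parent in truststore: "
                + chainMatches(clientChain, advertised(List.of(parent))));
    }
}
```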
