Question
Currently I have a problem with enabling mutual SSL on the server and client.
On the server side, I configured Tomcat with ClientAuth enabled and added the client's certificate to the truststore.
So during the SSL handshake, I can see the server's certificate request:
[java] *** CertificateRequest
[java] Cert Types: RSA, DSS, ECDSA
[java] Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
[java] Cert Authorities:
[java] <CN=https-test.domain.com, O=Domain.com, L= XX, ST=XX, C=US>
We can see the server is requesting a certificate with the Subject Distinguished Name. But on the client side, when the client filters the keys, it treats the DN as the Issuer DN; see the code here: http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/ssl/SunX509KeyManagerImpl.java#378
So this leads to a problem:
[java] Warning: no suitable certificate found - continuing without client authentication
[java] *** Certificate chain
[java] <Empty>
[java] ***
So the handshake just failed.
Here is some of the certificate information:
Issuer: DC=com, DC=domain, CN=Domain. com Security
Subject: C=US, ST=XX, L=XX, O=Domain.com, CN=https-test.domain.com
My question here is: why does the server request the client certificate with the Subject DN, but the client filters with the Issuer DN?
To let them connect successfully, I need to configure my server's truststore with the client's parent certificate, which will have a Subject DN the same as the Issuer: DC=com, DC=domain, CN=Domain. com Security
Any idea on this? I might have some misunderstanding on this, but I still want to know why.
Source: https://stackoverflow.com/questions/45702526/server-client-auth-request-subject-distinguished-name-but-client-filter-with-iss
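The behaviour the question describes, as an added example that is not part of the original post: the server advertises the Subject DN of every certificate in its truststore as an acceptable CA (RFC 5246 section 7.4.4, certificate_authorities), while the JSSE key manager linked above only accepts an alias whose chain contains a certificate whose Issuer DN is in that list. The DN parsing, the keystore/truststore dictionaries and the DN values are constructed for this simulation, modelled on the DNs shown in the question; it does not call the JDK.

```python
# Added example (not the questioner's code): simulate JSSE client-certificate
# selection during CertificateRequest for two truststore layouts.
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

DN = FrozenSet[Tuple[str, str]]
Chain = List[Tuple[str, str]]  # list of (subject, issuer) pairs, leaf first


def parse_dn(text: str) -> DN:
    """Normalise a DN such as 'CN=a, O=b' (RFC 2253 order) or 'C=US, ..., CN=a'
    (OpenSSL order). RDN order and stray whitespace (e.g. 'L= XX') are ignored
    and values compare case-insensitively; this is an approximation of
    X500Principal's canonical comparison that is sufficient here."""
    rdns = set()
    for rdn in text.split(","):
        attr, _, value = rdn.partition("=")
        rdns.add((attr.strip().upper(), " ".join(value.split()).lower()))
    return frozenset(rdns)


def certificate_authorities(truststore_subjects: Sequence[str]) -> List[DN]:
    """The server lists the Subject DN of each truststore entry as an acceptable CA."""
    return [parse_dn(s) for s in truststore_subjects]


def choose_client_alias(authorities: Sequence[DN], keystore: Dict[str, Chain]) -> Optional[str]:
    """Mirror SunX509KeyManagerImpl.chooseClientAlias: an alias is usable only if
    the ISSUER of some certificate in its chain is one of the advertised DNs.
    The leaf's own Subject DN is never consulted."""
    wanted = set(authorities)
    for alias, chain in keystore.items():
        if any(parse_dn(issuer) in wanted for _subject, issuer in chain):
            return alias
    return None  # JSSE then logs "no suitable certificate found"


# Constructed data, modelled on the DNs quoted in the question.
CLIENT_SUBJECT = "C=US, ST=XX, L=XX, O=Domain.com, CN=https-test.domain.com"
CLIENT_ISSUER = "DC=com, DC=domain, CN=Domain. com Security"
KEYSTORE: Dict[str, Chain] = {"client": [(CLIENT_SUBJECT, CLIENT_ISSUER)]}


def leaf_in_truststore() -> Optional[str]:
    """Truststore holds the client's own cert: server advertises the client's Subject DN."""
    return choose_client_alias(certificate_authorities([CLIENT_SUBJECT]), KEYSTORE)


def ca_in_truststore() -> Optional[str]:
    """Truststore holds the issuing CA: advertised DN equals the client's Issuer DN."""
    return choose_client_alias(certificate_authorities([CLIENT_ISSUER]), KEYSTORE)


if __name__ == "__main__":
    print("leaf cert in truststore ->", leaf_in_truststore())  # None
    print("CA cert in truststore   ->", ca_in_truststore())    # 'client'
```

Running it shows the first layout ending in the "no suitable certificate found" path and the second selecting the client key, which is why the truststore needs the issuing CA certificate rather than the client's leaf.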