1 Reply Latest reply on Apr 14, 2004 5:56 PM by 3004

    Two-Way SSL: Problem serving images

    3004

      I'm using Weblogic Platform 8.1. The server is configured for Two-Way SSL and
      to request/enforce client certificates.

      When I access the sample portal app from the browser, I'm prompted for a client
      certificate. (If I don't give a cert, the portal page does not appear as expected.)
      The server appears to accept it even though I see some errors in the console screen.
      The portal page comes up, but usually with two (random) images missing. If I
      hit 'go' again in the Web browser, the images get loaded and the portal page looks
      correct.

      Does anyone have any idea why not all the data would be sent to the client on
      the first request?
      Also, if there are errors with the client certificates why am I seeing the portal
      page at all?
      What do these errors mean? Is there a place I can go to look up these errors?

      Thank you in advance...


      Following are the errors I see in the server console during the SSL handshake:

      <Apr 14, 2004 10:04:36 AM PDT> <Debug> <TLS> <000000> <Trust failure (84): CERT_CHAIN_INCOMPLETE CERT_CHAIN_UNTRUSTED>
      <Apr 14, 2004 10:04:36 AM PDT> <Debug> <TLS> <000000> <NO_CERTIFICATE received by peer, not trusted, sending HANDSHAKE_FAILURE to peer>
      <Apr 14, 2004 10:04:36 AM PDT> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@1a32433 Severity: 2 Type: 40
      java.lang.Throwable: Stack trace
      at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
      at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
      at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
      at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
      at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
      at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
      at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
      at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
      at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
      at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
      at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
      at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
      >

      <Apr 14, 2004 10:09:00 AM PDT> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@186e4db Severity: 1 Type: 41
      java.lang.Throwable: Stack trace
      at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
      at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
      at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
      at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
      at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
      at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
      at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
      at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
      at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
      at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
      at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
      >
      <Apr 14, 2004 10:09:00 AM PDT> <Debug> <TLS> <000000> <Alert received from peer,

        • 1. Re: Two-Way SSL: Problem serving images
          3004
          The SSL errors are saying that a Certificate was expected to be presented by
          the client but it was not presented. Since you specified the client must present
          certificates, the SSL handshake is then terminated and an SSL Alert is sent to
          the client that indicates the handshake failed.

          I don't know why the portal page is showing up for you though; at that point
          there is no communication occurring over SSL. Can the portal page be accessed
          over the normal non-SSL port? I.e., there may be additional portal-level
          configuration that needs to be done to lock that down (you may want to post
          this to the weblogic.developer.interest.portal newsgroup).

          Tony

          "Olithia Strom" <olithia@spawar.navy.mil> wrote in message
          news:407d70f1$1@newsgroups.bea.com...
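As an added example (not code from the thread, from BEA or from WebLogic), a small parser that turns the TLS debug lines quoted above into structured events and maps the alert Severity/Type numbers to their RFC 2246 names, so a log reviewer sees at once that Severity 2 Type 40 is a fatal handshake_failure and Severity 1 Type 41 is the warning-level no_certificate alert. The sample log is constructed from the posted lines, unwrapped, and the field layout is assumed from those lines only.

```python
import re

# TLS alert descriptions (RFC 2246 / RFC 5246); 41 is the SSLv3-era no_certificate alert seen here.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    41: "no_certificate", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 80: "internal_error", 90: "user_canceled",
}
# "<timestamp> <Debug> <TLS> <id> <message" as the posted WebLogic 8.1 lines look; trace frames do not match.
LINE_RE = re.compile(r"^<(?P<ts>[^>]+)> <Debug> <TLS> <\d+> <(?P<msg>.*)$")
ALERT_RE = re.compile(r"NEW ALERT: \S+ Severity: (?P<sev>\d+) Type: (?P<type>\d+)")
TRUST_RE = re.compile(r"Trust failure \((?P<code>\d+)\): (?P<reasons>[A-Z_ ]+)>?$")

def parse_tls_debug(log: str) -> list:
    """Turn WebLogic TLS debug output into event dicts, decoding alert numbers to names."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stack-trace frames, blank lines
        msg = m.group("msg")
        ev = {"ts": m.group("ts"), "kind": "other", "msg": msg}
        if (a := ALERT_RE.search(msg)):
            sev, typ = int(a.group("sev")), int(a.group("type"))
            ev.update(kind="alert", fatal=sev == 2, description=ALERT_DESCRIPTIONS.get(typ, f"alert_{typ}"))
        elif (t := TRUST_RE.search(msg)):
            ev.update(kind="trust_failure", code=int(t.group("code")), reasons=t.group("reasons").split())
        elif "NO_CERTIFICATE received" in msg:
            ev.update(kind="no_client_cert")
        events.append(ev)
    return events

def diagnose(events: list) -> str:
    """One-line reading of the handshake outcome, in the terms the reply above uses."""
    fatal = [e["description"] for e in events if e["kind"] == "alert" and e["fatal"]]
    if any(e["kind"] == "no_client_cert" for e in events) and "handshake_failure" in fatal:
        return "client sent no certificate; server aborted the handshake with fatal handshake_failure"
    if fatal:
        return "handshake aborted: fatal " + ", ".join(fatal)
    return "no fatal alert: handshake completed (warnings only)"

# Constructed sample: the distinct lines from the post above, unwrapped, plus one trace frame to skip.
SAMPLE_LOG = """\
<Apr 14, 2004 10:04:36 AM PDT> <Debug> <TLS> <000000> <Trust failure (84): CERT_CHAIN_INCOMPLETE CERT_CHAIN_UNTRUSTED>
<Apr 14, 2004 10:04:36 AM PDT> <Debug> <TLS> <000000> <NO_CERTIFICATE received by peer, not trusted, sending HANDSHAKE_FAILURE to peer>
<Apr 14, 2004 10:04:36 AM PDT> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@1a32433 Severity: 2 Type: 40
at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
<Apr 14, 2004 10:09:00 AM PDT> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@186e4db Severity: 1 Type: 41
"""
```

Running `diagnose(parse_tls_debug(SAMPLE_LOG))` reports the first exchange as a fatal handshake_failure after no client certificate, while the later Severity 1 Type 41 line is only a warning and by itself would not abort a handshake.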