- Bug
- Resolution: Cannot Reproduce
- P4
- None
- 1.0.2
- generic
- generic
Name: jl125535 Date: 11/14/2001
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)
Consider the following scenario in the SSL handshake process:
- The client sends a certificate request
- The server does not include the list of acceptable certificate authorities
in the response
What should the client do?
- In the current implementation, the client does not send any certificate to
the server and generates a "no certificate" alert. The result is that
client authentication fails.
- But rfc2246 implies that it is optional for the server to provide the list
of trusted CA distinguished names in response to the client certificate
request. Here is the excerpt from the rfc2246 (Section 7.4.4, Certificate
Request)
"A list of the distinguished names of acceptable certificate
authorities. These distinguished names may specify a desired
distinguished name for a root CA or for a subordinate CA;
thus, this message can be used both to describe known roots
and a desired authorization space."
So we need to determine whether the server MUST provide the list
of distinguished names describing acceptable CAs.
And here is the exception that occurs:
javax.net.ssl.SSLException: Received fatal alert: no_certificate
        at java.lang.Throwable.fillInStackTrace(Native Method)
        at java.lang.Throwable.fillInStackTrace(Compiled Code)
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        at java.io.IOException.<init>(Compiled Code)
        at javax.net.ssl.SSLException.<init>([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Compiled Code)
        at java.io.OutputStream.write(Compiled Code)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
If I use the JSSE implementation on both the client and server side, it works. But
the problem is when I run my client (implemented on top of JSSE) against any
third-party server: then I get the "no_certificate" error. By looking at the debug
traces, it seems that during the SSL handshake process, the client
authenticates the server affirmatively. But when the server, in turn, requests
the client certificate, the client issues a "no_certificate" warning. This, I
guess, is due to the fact that the server in its client certificate request
didn't specify the acceptable certificate authorities' Distinguished
Names (DN). But as per the TLS RFC 2246, it is optional for the server to send
acceptable certificate authorities' DNs in its client certificate request.
(Review ID: 134798)
======================================================================
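The client-side decision the report is about, as an added example that is not part of the bug report or of JSSE: decode the CertificateRequest handshake message as laid out in RFC 2246 section 7.4.4 (certificate_types, then certificate_authorities as a list of opaque DistinguishedName values with a two-byte total length) and select a client certificate, treating a zero-length certificate_authorities list as "any issuer is acceptable" instead of answering with no_certificate. One caveat worth knowing when reading the RFC: RFC 2246 declares the vector as certificate_authorities<3..2^16-1>, i.e. with a non-zero minimum, which is what makes the question ambiguous; RFC 4346 (TLS 1.1) relaxed it to <0..2^16-1> and states that with an empty list the client MAY send any certificate of an acceptable type. The helper names (build_certificate_request, parse_certificate_request, choose_client_cert), the candidate certificates and the issuer byte strings are assumptions made for the demo; the issuer values are placeholder bytes, not real DER names.

```python
"""Added example: decode a TLS 1.0 CertificateRequest (RFC 2246 7.4.4) and
choose a client certificate, treating an empty certificate_authorities list
as "any issuer acceptable" rather than as a reason to send no_certificate.
Not JSSE code; the message builder and the candidate certificates below are
constructed for the demo."""
import struct

CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request

# ClientCertificateType codes defined in RFC 2246
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}


def build_certificate_request(type_codes, ca_names):
    """Encode a Handshake message carrying a CertificateRequest.

    ca_names is a list of opaque DistinguishedName values; an empty list
    produces a two-byte zero length for certificate_authorities.
    """
    body = bytes([len(type_codes)]) + bytes(type_codes)
    ca_blob = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body += struct.pack("!H", len(ca_blob)) + ca_blob
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Return {'types': [...], 'cas': [...]} or raise ValueError on a
    malformed message. Every length field is checked before it is used."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    if msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest (type %d)" % msg[0])
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length mismatch")

    # certificate_types<1..2^8-1>: one-byte count, then the type codes
    pos = 0
    n_types = body[pos]
    pos += 1
    if n_types == 0 or pos + n_types > len(body):
        raise ValueError("bad certificate_types vector")
    types = [CERT_TYPES.get(t, "unknown(%d)" % t) for t in body[pos:pos + n_types]]
    pos += n_types

    # certificate_authorities: two-byte total length, then DNs that each
    # carry their own two-byte length. A total of 0 is the case in the report.
    if pos + 2 > len(body):
        raise ValueError("missing certificate_authorities length")
    (ca_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length mismatch")
    cas = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("bad DistinguishedName length")
        cas.append(bytes(body[pos:pos + dn_len]))
        pos += dn_len
    return {"types": types, "cas": cas}


def choose_client_cert(request, candidates):
    """Pick the first candidate whose type the server accepts and whose
    issuer is listed, or any type-compatible candidate when no issuers were
    listed. Returns the candidate's name, or None when the client has nothing
    to offer (the only case that should end in a no_certificate alert)."""
    for cand in candidates:
        if cand["type"] not in request["types"]:
            continue
        if not request["cas"] or cand["issuer"] in request["cas"]:
            return cand["name"]
    return None


# Constructed demo data: issuer values are opaque placeholders, not real DER.
CANDIDATES = [
    {"name": "dss-cert", "type": "dss_sign", "issuer": b"CN=Other CA"},
    {"name": "rsa-cert", "type": "rsa_sign", "issuer": b"CN=Example CA"},
]

if __name__ == "__main__":
    for label, cas in (("empty CA list", []), ("one CA", [b"CN=Example CA"])):
        req = parse_certificate_request(build_certificate_request([1, 2], cas))
        print(label, "->", req, "chosen:", choose_client_cert(req, CANDIDATES))
```

With the empty list the chooser offers the first certificate of an accepted type; with a populated list it filters on issuer and falls back to None only when no candidate matches, which is the one situation where a no_certificate alert is the honest answer.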