Bug
Resolution: Fixed
P4
1.4.0
None
rc1
generic
generic
>>And about your last posting to java forum: I'm exactly always get the next
>>error:
>>19735:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
>>and not anything like you mentioned in your posting.
>>
>>Maybe I'll try to regenerate all my certificates and see what's happened
>>then..
Yes, please try this. How did you originally generate these
keystores? Was it with keytool?
The problem that you're seeing is one of String conversions in
the Email addresses.
In your keystore, the certificate issuer is:
Issuer: EMAILADDRESS=###@###.###, CN=test ca for Defence project, OU=xTech,
O=xTech, L=Novosibirsk, ST=none, C=RU
The EMAILADDRESS is created/stored as an IA5String, but when it's used
by the JSSE keymanager, it's being converted to a UTF8 format String.
The keymanager match fails due to the String format mismatch, and no
certificate(s) are sent back. I don't know why/if it worked before, but
there was a large organization done in other parts of the code so
it would be hard to track.
One workaround is to generate UTF8 format email addresses.
Anyway, I'm going to file a bug, I am hoping we can get it in for
merlin, but I can't guarantee it as we're so late in the development
cycle. We have a couple of options, but we need to understand the
implications before we put it in.
Thanks for bringing this to our attention, as you can guess,
it's been quite busy around here getting jsse into merlin.
See the attachment.
Two possible fixes.
issuer= issuers[j].getName()
certs[i].equals(issuer)
or
remove the getName() and directly compare Principals, but
Jeff probably had a reason for not doing this.
###@###.### 2001-11-16
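
The string-type mismatch described in the reply above, as an added example (not part of the original report and not JSSE code): the same e-mail address encoded as IA5String and as UTF8String gives two DER names that differ only in the value's tag byte, so an exact match fails while a comparison of the decoded text succeeds. The class and method names and the sample address are constructed for illustration, and the encoder assumes contents shorter than 128 bytes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class DnStringTypeDemo {  // hypothetical class, not JSSE code
    static final int UTF8 = 0x0C, IA5 = 0x16, SEQ = 0x30, SET = 0x31, OID = 0x06;
    // DER of OID 1.2.840.113549.1.9.1 (PKCS #9 emailAddress)
    static final byte[] EMAIL_OID = {0x06, 0x09, 0x2A, (byte) 0x86, 0x48, (byte) 0x86,
                                     (byte) 0xF7, 0x0D, 0x01, 0x09, 0x01};

    // Tag-length-value with a one-byte length (content under 128 bytes, enough here).
    static byte[] tlv(int tag, byte[]... parts) {
        int len = 0, pos = 2;
        for (byte[] p : parts) len += p.length;
        byte[] out = new byte[2 + len];
        out[0] = (byte) tag; out[1] = (byte) len;
        for (byte[] p : parts) { System.arraycopy(p, 0, out, pos, p.length); pos += p.length; }
        return out;
    }
    // Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value <string type> }
    static byte[] emailOnlyName(int stringTag, String email) {
        byte[] value = tlv(stringTag, email.getBytes(StandardCharsets.US_ASCII));
        return tlv(SEQ, tlv(SET, tlv(SEQ, EMAIL_OID, value)));
    }
    // Walk a DER Name and emit "oid-bytes=text;" per attribute, dropping each value's string tag.
    static String flatten(byte[] der, int off, int end) {
        StringBuilder out = new StringBuilder();
        while (off < end) {
            int tag = der[off] & 0xFF, len = der[off + 1] & 0xFF, body = off + 2;
            if (tag == SEQ && len > 0 && der[body] == OID) {       // AttributeTypeAndValue
                int val = body + 2 + der[body + 1];                // offset of the value TLV
                out.append(Arrays.toString(Arrays.copyOfRange(der, body, val))).append('=')
                   .append(new String(der, val + 2, der[val + 1], StandardCharsets.UTF_8)).append(';');
            } else if (tag == SEQ || tag == SET) {
                out.append(flatten(der, body, body + len));        // descend into the container
            }
            off = body + len;
        }
        return out.toString();
    }
    static boolean sameIgnoringStringType(byte[] a, byte[] b) {
        return flatten(a, 0, a.length).equals(flatten(b, 0, b.length));
    }

    public static void main(String[] args) {
        byte[] stored = emailOnlyName(IA5, "ca@example.test");     // constructed sample address
        byte[] converted = emailOnlyName(UTF8, "ca@example.test");
        System.out.println("byte-for-byte equal: " + Arrays.equals(stored, converted));
        System.out.println("equal ignoring string type: " + sameIgnoringStringType(stored, converted));
    }
}
```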