I'm having trouble understanding why Weblogic/Java are not sending the client certificate requested by the server (an IIS server) during the SSL handshake via the CertificateRequest message.
I have already checked and tried all the other questions/answers on SO, such as "Java not providing client certificate for mutual SSL?" and similar.
I have created a custom keystore called Identity.jks with only one Certificate entry and I've followed the WL guides (and everything else I could find on the Internet) to do the right settings.
Here are the debug logs for the SSL handshake:
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA
Cert Authorities:
<Empty>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
As you can see, the server sends a CertificateRequest message, but for some reason the Cert Authorities is Empty. The client (Weblogic) in this case doesn't send the certificate. As you can see, there is a warning message by the developers saying:
no suitable certificate found - continuing without client authentication
When I use SoapUI instead of Weblogic to communicate with the server, the handshake succeeds. SoapUI sends the certificate contained in the Identity.jks keystore.
Can it be that SoapUI is less restrictive and sends the only certificate present in the keystore anyway, while Weblogic is expecting from the server to find something in the Cert Authorities: <Empty>?
Since I've set up Weblogic to use only that key with that alias, I expect it to send it...
Does anyone know what criteria Weblogic uses to find a matching client certificate?
Is my interpretation of the logs correct?
Any idea/help is welcome.
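
A check that can be run against the keystore described in the question (an added example, not part of the original post and not WebLogic's own code): it reports whether each alias in Identity.jks is a private-key entry or only a certificate entry, then asks the default JSSE key manager which alias it would pick for the key types in the CertificateRequest when the issuer list is empty. The class name, the placeholder password and the assumption that the key password equals the store password are mine; WebLogic's own selection logic may differ from plain JSSE.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Hypothetical helper: usage  java ClientCertCheck Identity.jks <password>
public class ClientCertCheck {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "Identity.jks";
        // Placeholder password; assumed to protect both the store and the key.
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        // Only a private-key entry (key + chain) can answer a CertificateRequest.
        // A bare trusted-certificate entry has no key to sign CertificateVerify.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                String alg = ks.getCertificate(alias).getPublicKey().getAlgorithm();
                int chainLen = ks.getCertificateChain(alias).length;
                System.out.printf("%s: private-key entry, key type %s, chain length %d%n",
                        alias, alg, chainLen);
            } else {
                System.out.printf("%s: certificate-only entry, not usable for client auth%n",
                        alias);
            }
        }

        // JSSE key-type names for the "Cert Types: RSA, DSS, ECDSA" in the log.
        String[] keyTypes = {"RSA", "DSA", "EC"};
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                // null issuers mirrors the empty "Cert Authorities" list: no CA filter.
                String chosen = ((X509KeyManager) km).chooseClientAlias(keyTypes, null, null);
                System.out.println(chosen == null
                        ? "JSSE would send no client certificate (no matching key entry)"
                        : "JSSE would send alias: " + chosen);
            }
        }
    }
}
```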