
I'm writing a project that gets an LDAP certificate from a remote server. It works fine in the general case, when the server does not require mutual certification. But when I try a server that requires mutual certification, it fails. Here is the code:

    import java.util.Hashtable;

    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;
    import javax.naming.ldap.StartTlsRequest;
    import javax.naming.ldap.StartTlsResponse;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLSession;
    // getPeerCertificateChain() returns the legacy javax.security.cert type,
    // not java.security.cert.X509Certificate
    import javax.security.cert.X509Certificate;

    String serverSpec = null;
    boolean enableAnonSuites = false;
    boolean isTracing = false;

    // Try and parse command line arguments.
    try {
        serverSpec = "ldap://10.47.16.60:389";
    }
    catch (Exception e) {
        trace(true, e.toString());
        usage();
        return;
    }

    try {
        // Create a SocketFactory that will be given to LDAP for
        // building SSL sockets (MySocketFactory is defined elsewhere
        // in the project)
        MySocketFactory msf = new MySocketFactory(isTracing,
                enableAnonSuites);

        // Set up environment for creating initial context
        Hashtable<String, Object> env = new Hashtable<>(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");

        // Must use the name of the server that is found in its certificate
        env.put(Context.PROVIDER_URL, serverSpec);

        // Create initial context
        trace(isTracing, "Creating new Ldapcontext");
        LdapContext ctx = new InitialLdapContext(env, null);

        // Start TLS on the existing (plaintext) LDAP connection
        trace(isTracing, "Performing StartTlsRequest");
        StartTlsResponse tls = null;

        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        }
        catch (NamingException e) {
            trace(true, "Unable to establish SSL connection:\n" + e);
            return;
        }

        // The default JSSE implementation will compare the hostname of
        // the server with the hostname in the server's certificate, and
        // will not proceed unless they match.  To override this behaviour,
        // you have to provide your own HostNameVerifier object.  The
        // example below simply bypasses the check, which removes the
        // protection against a man-in-the-middle presenting any valid
        // certificate; it is acceptable for debugging only.
        tls.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });

        // Negotiate SSL on the connection using our own SocketFactory.
        // If the server demands a client certificate, the factory must
        // supply one here, otherwise the handshake fails.
        trace(isTracing, "Negotiating SSL");
        SSLSession sess = tls.negotiate(msf);

        // Server certificate chain as presented during the handshake
        X509Certificate[] cert = sess.getPeerCertificateChain();

The exception information is as follows: "javax.net.ssl.SSLException: Received fatal alert: internal error", and it happens at the "negotiate" method. I analyzed the Wireshark trace and am sure this is because the server requires mutual certification. Right now, I'm wondering if there is a certain class in the com.sun.jndi.ldap package that could be useful for this problem. Could anyone help?


1 Answer


You can't. If there were such a class in the JDK, it would be insecure. If the server requires a client certificate and won't operate without one, you must provide one. That's the whole point of the exception.

answered 2013-08-19T23:02:47.267
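The way to satisfy a server that demands mutual TLS is to hand `negotiate()` a socket factory that carries a client identity, rather than the `MySocketFactory` from the question. The following is an added example, not code from the question, the answer or the JNDI tutorial: it builds an `SSLContext` from a PKCS12 client keystore plus a trust store and passes its `SSLSocketFactory` to `StartTlsResponse.negotiate()`. The hostname `ldap.example.com`, the keystore paths and the password `changeit` are placeholders you must replace; the rest uses only standard JDK APIs. Unlike the question's code it keeps the default hostname verification, so a name mismatch fails the negotiation instead of being silently accepted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsStartTls {

    /**
     * Builds an SSLSocketFactory that presents the client certificate and key
     * stored in clientKeystorePath (PKCS12) and trusts only the CA certificates
     * in trustStorePath. Paths and passwords are caller-supplied placeholders.
     */
    static SSLSocketFactory clientAuthSocketFactory(String clientKeystorePath,
                                                    char[] keystorePassword,
                                                    String trustStorePath,
                                                    char[] trustStorePassword) throws Exception {
        // Client identity: the KeyManager answers the server's CertificateRequest
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientKeystorePath)) {
            identity.load(in, keystorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keystorePassword);

        // Trust anchors: the TrustManager validates the server's chain
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host; it must match a name in the server certificate
        String host = "ldap.example.com";

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

        SSLSocketFactory factory = clientAuthSocketFactory(
                "/path/to/client.p12", "changeit".toCharArray(),      // placeholder
                "/path/to/truststore.jks", "changeit".toCharArray()); // placeholder

        // No custom HostnameVerifier: negotiate() checks the server certificate
        // against the host in PROVIDER_URL and throws on mismatch
        SSLSession session = tls.negotiate(factory);

        // Print the subject of each certificate the server presented
        for (Certificate c : session.getPeerCertificates()) {
            if (c instanceof X509Certificate) {
                System.out.println(((X509Certificate) c).getSubjectX500Principal());
            }
        }

        tls.close();
        ctx.close();
    }
}
```

If the server is meant to authenticate the LDAP session with that same client certificate, the usual follow-up after `negotiate()` is `ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL")`, which selects the SASL EXTERNAL mechanism supported by the JDK's LDAP provider. Keep the private key in the PKCS12 file readable only by the service account that runs this code.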