ssl-handshake fails with scandinavian chars in client certificate - Weblogic


  1. ssl-handshake fails with scandinavian chars in client certificate


    Hello,

    We've run into a problem with 2-way SSL and certificates that have Scandinavian
    characters in the subject. The problem cert is used as a client certificate for
    authentication, and it goes like this:

    1. The client surfs our site over http until clicking an https link, which immediately
    starts the SSL handshake.
    2. The server presents its trusted cert list fine.
    3. The PIN is asked for fine.
    4. Next, request processing stops on the exception below and nothing happens
    on the client side.

    Certs without these -chars work fine, so our guess is that they cause it,
    but the certs ought to be according to spec: the name-field encoding is UTF-8 according
    to RFC 2459 from 1999. A failing example cert is also below.

    Would this be a problem with the certificate rather than the BEA implementation?

    Same behavior on Windows and Solaris Weblogic 8.11 as such and with SP2 (and with
    SP2 + CASE_ID_NUM: 501454 hotfix).

    Best Regards,

    Igor Styrman




    [WebLogic SSL debug output from the failing handshake; the timestamp, severity
    and thread fields in front of each message were lost when the page was extracted]

    <21647856 readRecord()>
    <21647856 SSL Version 2 with no padding>
    <21647856 SSL3/TLS MAC>
    <21647856 received SSL_20_RECORD>

    [trusted CA names presented to the client; the start of each name was lost]
    ... O="VeriSign, Inc.", C=US
    ... C=FI
    ... O="VeriSign, Inc.", C=US
    ... Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    ... Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    ... O="VeriSign, Inc.", C=US
    ... Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    ... Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
    ... Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
    ... O=Baltimore, C=IE
    ... Inc.", O=GTE Corporation, C=US
    ... C=FI
    ... O=Baltimore, C=IE
    ... O="VeriSign, Inc.", C=US

    <21647856 readRecord()>
    <21647856 SSL3/TLS MAC>
    <21647856 received HANDSHAKE>

    [... for queue: 'weblogic.kernel.Default'] ... failed java.lang.NullPointerException: Could not set value for ASN.1 string object..
    java.lang.NullPointerException: Could not set value for ASN.1 string object.
    at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
    at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeString(Unknown Source)
    at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
    at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
    at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
    at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
    at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
    at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
    at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
    at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
    at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
    at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
    at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
    at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
    at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
    at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
    at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
    at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)


    -----BEGIN CERTIFICATE-----
    MIID+zCCAuOgAwIBAgIDFm/PMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkZJ
    MRwwGgYDVQQKExNGdWppdHN1IFNlcnZpY2VzIE95MRgwFgYDVQQDEw9GdWppdHN1
    IFRlc3QgQ0EwHhcNMDQwNjAyMTE1MjE4WhcNMDYwNjAyMTIyMjE4WjB3MQswCQYD
    VQQGEwJGSTEQMA4GA1UEChMHRnVqaXRzdTEgMB4GA1UEAwwXSMO2bG3DtmzDpGlu
    ZW4gw4VrZSAwMDExDDAKBgNVBAUTAzAwMTEXMBUGA1UEBAwOSMO2bG3DtmzDpGlu
    ZW4xDTALBgNVBCoMBMOFa2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO44
    Zm31uJb8048/6PByPyXzaW3gCz1mT02TuwVtjMRJ4ObbFCqMGC+YosA2kNKoW0Ef
    C+YlKNqhvaid0bATQefdSHVQhzFL3HFIfZc3ONAJQ/U+I6W69r2JePoCvZppknmC
    YrnCCDx3Ap27B7v57f/XTmdpiB8IdiCTl3PnV78PAgMBAAGjggFEMIIBQDAfBgNV
    HSMEGDAWgBT8T+xYc3T6j89O8cZ4hC9r1e9DojAdBgNVHQ4EFgQUtS4z8K26uW2d
    IeJ3aelDnqnkBnYwCwYDVR0PBAQDAgSwMFMGA1UdEQRMMEqgKwYKKwYBBAGCNxQC
    A6AdDBtha2UuaG9sbW9sYWluZW5AZnVqaXRzdS5jb22BG2FrZS5ob2xtb2xhaW5l
    bkBmdWppdHN1LmNvbTB9BgNVHR8EdjB0MHKgcKBuhmxsZGFwOi8vMjEyLjI0Ni4y
    MjIuMTQyOjM4OS9DTj1GdWppdHN1JTIwVGVzdCUyMENBLE89RnVqaXRzdSUyMFNl
    cnZpY2VzJTIwVGVzdCxDPUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwHQYD
    VR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAZ
    KV3Og/y6zUOMwZGswUxAne5fe4Ab70bmX+z49MVeA0dfdQwQdR9GwFVF+fcK+q0T
    3Lmcwpm5KiHWYoIOxPb6MqTTWxV7HSXWr7A7P4BbTGxsujpUULcmQGQFAd69R0Ur
    JFDwYnDEP2+4RzrvlP6AWspyHJePYmCt9h3JfxYAqVLTL0suO1uh8hgtStujmqsI
    0WNCfnQ+sURdDzp6WpVFcxFQa5aAcyx9sWWqV5Ta5l6JTCmoHth7qoV3BtUKv4+z
    SqIHKA1ixrvlhqWkjYxg51N6ihbbR5shBRRinAqRIQjTzXmun2wJzwNigt4zWiNg
    tvrGCMOrvrb5QTxVtLNr
    -----END CERTIFICATE-----


  2. Re: ssl-handshake fails with scandinavian chars in client certificate


    Sounds like a bug in Certicom code. It should support UTF8String.
    I'd file a support case.
    You might be able to use BMPString instead as a workaround.

    Pavel.




  3. Re: ssl-handshake fails with scandinavian chars in client certificate


    Thanks again, Pavel!

    I'm filing a support case about this. You talked about a workaround (BMPString).
    Could you be more specific? I haven't talked about this issue with Igor yet.

    Regards,
    Ari




  4. Re: ssl-handshake fails with scandinavian chars in client certificate


    BMPString is another ASN.1 type that can be used for certificate attributes with
    non-ASCII characters. The workaround is simply to use BMPString instead of
    UTF8String for that subject name attribute in the certificate request. This of course
    assumes that you can replace the certificate, and have control over what ASN.1
    type is used for the subject name attributes in the certificate request (via
    tool options, or by generating the request yourself), so it is probably not applicable.

    Pavel.

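    Added example (not code from this thread, from BEA or from Certicom): a standard-library
    Python script that walks the DER of the client certificate Igor posted (base64 lines
    rejoined) and reports the ASN.1 string type of every subject attribute, so an operator
    can tell in advance which certificates carry UTF8String subject attributes and will hit
    this decoder failure, plus an encoder that shows what Pavel's BMPString workaround
    changes on the wire for the same value. Assumptions: the certificate is well-formed
    DER (no indefinite lengths), the OID table covers only the attribute types that occur
    in that certificate, and the names read_tlv, decode_oid, subject_string_types,
    utf8_attributes and encode_directory_string are this example's own.

```python
"""List the ASN.1 string type of each subject attribute in an X.509 certificate
and show how one value encodes as UTF8String versus BMPString (added example)."""
import base64

# Universal tags of the DirectoryString alternatives (RFC 2459 section 4.1.2.4)
STRING_TAGS = {0x13: "PrintableString", 0x0C: "UTF8String", 0x1E: "BMPString", 0x14: "TeletexString"}
# Attribute types that occur in the certificate posted in the thread
OIDS = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN", "2.5.4.5": "serialNumber",
        "2.5.4.4": "SN", "2.5.4.42": "GN"}
# The failing client certificate from the first post, base64 lines rejoined
POSTED_CERT = """-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIDFm/PMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkZJ
MRwwGgYDVQQKExNGdWppdHN1IFNlcnZpY2VzIE95MRgwFgYDVQQDEw9GdWppdHN1
IFRlc3QgQ0EwHhcNMDQwNjAyMTE1MjE4WhcNMDYwNjAyMTIyMjE4WjB3MQswCQYD
VQQGEwJGSTEQMA4GA1UEChMHRnVqaXRzdTEgMB4GA1UEAwwXSMO2bG3DtmzDpGlu
ZW4gw4VrZSAwMDExDDAKBgNVBAUTAzAwMTEXMBUGA1UEBAwOSMO2bG3DtmzDpGlu
ZW4xDTALBgNVBCoMBMOFa2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO44
Zm31uJb8048/6PByPyXzaW3gCz1mT02TuwVtjMRJ4ObbFCqMGC+YosA2kNKoW0Ef
C+YlKNqhvaid0bATQefdSHVQhzFL3HFIfZc3ONAJQ/U+I6W69r2JePoCvZppknmC
YrnCCDx3Ap27B7v57f/XTmdpiB8IdiCTl3PnV78PAgMBAAGjggFEMIIBQDAfBgNV
HSMEGDAWgBT8T+xYc3T6j89O8cZ4hC9r1e9DojAdBgNVHQ4EFgQUtS4z8K26uW2d
IeJ3aelDnqnkBnYwCwYDVR0PBAQDAgSwMFMGA1UdEQRMMEqgKwYKKwYBBAGCNxQC
A6AdDBtha2UuaG9sbW9sYWluZW5AZnVqaXRzdS5jb22BG2FrZS5ob2xtb2xhaW5l
bkBmdWppdHN1LmNvbTB9BgNVHR8EdjB0MHKgcKBuhmxsZGFwOi8vMjEyLjI0Ni4y
MjIuMTQyOjM4OS9DTj1GdWppdHN1JTIwVGVzdCUyMENBLE89RnVqaXRzdSUyMFNl
cnZpY2VzJTIwVGVzdCxDPUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwHQYD
VR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAZ
KV3Og/y6zUOMwZGswUxAne5fe4Ab70bmX+z49MVeA0dfdQwQdR9GwFVF+fcK+q0T
3Lmcwpm5KiHWYoIOxPb6MqTTWxV7HSXWr7A7P4BbTGxsujpUULcmQGQFAd69R0Ur
JFDwYnDEP2+4RzrvlP6AWspyHJePYmCt9h3JfxYAqVLTL0suO1uh8hgtStujmqsI
0WNCfnQ+sURdDzp6WpVFcxFQa5aAcyx9sWWqV5Ta5l6JTCmoHth7qoV3BtUKv4+z
SqIHKA1ixrvlhqWkjYxg51N6ihbbR5shBRRinAqRIQjTzXmun2wJzwNigt4zWiNg
tvrGCMOrvrb5QTxVtLNr
-----END CERTIFICATE-----"""

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]: (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Dotted form of an OBJECT IDENTIFIER's content octets."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def subject_string_types(pem):
    """[(attribute, string type, text)] for every attribute of the subject Name."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    pos = read_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip the optional [0] version
    for _ in range(4):                     # skip serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(tbs, pos)
    _, subject, _ = read_tlv(tbs, pos)     # Name ::= SEQUENCE OF RelativeDistinguishedName
    out, pos = [], 0
    while pos < len(subject):
        _, rdn, pos = read_tlv(subject, pos)        # RDN ::= SET OF AttributeTypeAndValue
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = read_tlv(rdn, rpos)      # SEQUENCE { type OID, value DirectoryString }
            _, oid, vpos = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, vpos)
            dotted = decode_oid(oid)
            text = value.decode("utf-16-be" if vtag == 0x1E else "utf-8", "replace")
            out.append((OIDS.get(dotted, dotted), STRING_TAGS.get(vtag, "tag 0x%02X" % vtag), text))
    return out

def utf8_attributes(pem):
    """Subject attributes encoded as UTF8String: the ones this decoder fails on."""
    return [name for name, kind, _ in subject_string_types(pem) if kind == "UTF8String"]

def encode_directory_string(text, kind):
    """TLV bytes of text as one DirectoryString alternative (what the BMPString workaround changes)."""
    if kind == "PrintableString":          # ASCII letters, digits and a few punctuation marks only
        if not set(text) <= set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                                "0123456789 '()+,-./:=?"):
            raise ValueError("PrintableString cannot hold %r" % text)
        tag, body = 0x13, text.encode("ascii")
    elif kind == "UTF8String":
        tag, body = 0x0C, text.encode("utf-8")
    elif kind == "BMPString":              # UCS-2 big-endian: only code points inside the BMP
        if any(ord(c) > 0xFFFF for c in text):
            raise ValueError("BMPString cannot hold characters outside the BMP")
        tag, body = 0x1E, text.encode("utf-16-be")
    else:
        raise ValueError("unsupported string type %s" % kind)
    length = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body
```

    Calling subject_string_types(POSTED_CERT) shows C, O and serialNumber as
    PrintableString and CN, SN and GN as UTF8String, so utf8_attributes returns
    exactly the three attributes the Certicom decoder trips over; those are the ones a
    reissued certificate would have to carry as BMPString for Pavel's workaround, and
    encode_directory_string makes the difference visible (tag 0x0C with UTF-8 bytes
    versus tag 0x1E with two bytes per character). Run over a batch of already issued
    certificates, utf8_attributes gives a quick count of how many smart cards would be
    affected before deciding between a reissue and waiting for a fix.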



  5. Re: ssl-handshake fails with scandinavian chars in client certificate


    As you guessed, replacing the certificates is not applicable at the moment. We'd
    have to replace a lot of smart cards that are delivered to the end users already.

    Anyway, I filed a support case and hopefully we'll get the solution soon.

    Regards,
    Ari
