[jdev] SSL clients complaining

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Fri Apr 15 17:58:12 CDT 2005

> Is there a way to get the client to stop complaining when it connects in,
> or did I generate the SSL cert incorrectly? Is this normal behaviour?

The following conditions must be met in order to avoid client complaints:

1) The certificate is signed by a known signer.
2) The current system time is within the allowed range of the certificate.
3) The certificate represents the target being contacted (in other words, the 
domain name is in the certificate).

If you're using a self-signed certificate, then the signer (yourself) is 
likely to be not known by the client.  You can usually resolve this by 
importing the certificate into the client so that it becomes a known signer.

No matter how you generate your certificate, you should ensure the time range 
is valid.  If you specify an end date that has passed, then you'll need to 
make a new cert.

Finally, a valid certificate isn't very interesting if it isn't representing 
what the client is contacting, so you need to ensure that the domain of your 
server is in the cert.  If you've got "localhost.localdomain" (or something 
equally useless) in there then it's not going to work.

Of course, not all clients perform these checks.  Psi is the only one I'm 
aware of that does this right.  If anyone knows of any others, feel free to 
mention them.

(Note: Last I checked, Exodus has the particularly weird behavior of doing 
steps #2 and #3, but not step #1.  This is as effective as doing none of 
them, so I don't count it.)


More information about the JDev mailing list