Hello,

I am currently looking for a method to obtain the X.509 certificate of a
SSL server which has client authentication enabled. Unfortunately, I do
not have access to the correct client certificate at the time I need to
retrieve the server certificate. My current Java implementation works well
when client authentication is disabled:

-- 8< --
[...]
SSLContext       ctx  = UserSSLContextFactory.getDefault().getContext("TLS");
SSLSocketFactory sf   = ctx.getSocketFactory();
SSLSocket        sock = (SSLSocket) sf.createSocket(host, port);

sock.setUseClientMode(true);
sock.setEnableSessionCreation(true);

SSLSession       sess = sock.getSession();

javax.security.cert.X509Certificate[] chain = null;

try {
    sock.startHandshake();
    chain = sess.getPeerCertificateChain();
} catch (IOException e) { };
[...]
-- 8< --

Unfortunately, as soon as client authentication is enabled on the server,
sock.startHandshake() throws an exception and there seems to be no way to
get access to the certificate which has already been transferred during
the handshake's ServerHello message.

Is there any way to get access to this information without re-implementing
the whole SSL protocol (or at least the required sub-set)?

Eric Rescorla's PureTLS [1] seems to have the same behavior, but at least
comes with full source code, so I could modify it to fit my needs.

Are there any third-party libraries which have built-in support for this
scenario?

Thanks,
Thilo

[1] http://www.rtfm.com/puretls/