Re: Client cert auth on demand

Sat, 29 Feb 2020 08:13:45 -0800 

Am 2020-02-29 um 15:12 schrieb Mark Thomas:

On 29/02/2020 13:05, Thomas Meyer wrote:

Am 29. Februar 2020 13:10:13 MEZ schrieb Mark Thomas <ma...@apache.org>:

On 29/02/2020 11:23, Michael Osipov wrote:

Am 2020-02-29 um 12:13 schrieb Mark Thomas:

On 29/02/2020 11:07, Michael Osipov wrote:

Am 2020-02-29 um 12:05 schrieb Mark Thomas:

On 29/02/2020 10:40, Michael Osipov wrote:


<snip/>


Tomcat does not support renegotiation of TLS contexts based
on URLs like HTTPd.


Yes it does.

If you specify CLIENT-CERT auth for a sub-set of URLs Tomcat will
trigger a renegotiation when one of those URLs is requested.

You don't have the same fine-grained control you have in httpd but

you

can replicate the typical use cases.


Really? If I say require client cert auth on the connector, it will

be

enforced even on those contexts which do not require

authentication?!


If you required auth on the connector it always applies.

However, if you don't require it at the connector level you can

require

it for a subset of URLs with security constraints and Tomcat will
trigger any required renegotiations.


Mark,

this makes me wonder whether Tomcat properly implements RFC 7540,
section 9.2.1 and RFC 8740, section 3. From my understanding the
configuration you have described MUST fail here.


Those aspects of those specs are implemented correctly. Authentication
will fail for both HTTP/2 and TLS 1.3 if a web application level
security constraint tries to trigger renegotiation.

For HTTP/2 and/or TLS 1/3 you can only configure client certificate
authentication on the Connector.


Hi,

Oh, I didn't know that. Why exactly is that? Becaus of the multiplexing on http2 or 
something in tls1.3, or asked the oth way around, will it fail only for http2 
&& tls1.3 or for http2 || tls1.3


For HTTP/2, yes because of the multiplexing. HTTP/2 explicitly prohibits
renegotiation.

For TLS 1.3 there is post handshake authentication but the JSSE
implementation doesn't support that.

However...

If NIO/NIO2 is used with OpenSSL or if the APR/Native Connector is used
then post-handshake authentication is supported for TLS 1.3 and
CLIENT-CERT auth triggered by security constraints works as expected.


But I hope this only applies to HTTP/1.1, does it?

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

























					Reply via email to