https://bz.apache.org/bugzilla/show_bug.cgi?id=58244

Petr Brouzda <petr.brou...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #6 from Petr Brouzda <petr.brou...@gmail.com> ---
I've created a 100% repeatable test case.

In attached file (https://bz.apache.org/bugzilla/attachment.cgi?id=33232) you
can find:
1) configuration for Tomcat and a simple web application from David Balazic's
test case
2) direct SSL test from curl - works OK every time
3) SSL test via stunnel - first request works OK, any subsequent request
fails, because Tomcat provides no certificate information.

Tested on centos6 (x64) with Tomcat 8.0.28, APR based Apache Tomcat Native
library 1.1.33 using APR version 1.3.9.

Steps to reproduce the problem:

A) Prerequisites
</grreplace>
<gr_replace lines="31" cat="clarify" orig="2) Build">
2) Build and configure Native APR.
sudo yum install stunnel curl

B) Run Tomcat
1) Install Tomcat 8.0.28 (I've used the
/home/user/tomcat-test/apache-tomcat-8.0.28/ directory).
2) Build and configure Native APR .
3) Copy contents of apache-tomcat-8.0.28/ directory from .tar.gz to your Tomcat
directory.
4) Check paths to certificates in conf/server.xml.
5) Start Tomcat. It should listen on port 8443, SSL with required client
certificate. You can find client certificate in client-curl/client.pem.
6) There is a simple app: https://127.0.0.1:8443/test/a.jsp which prints user's
certificate information.

C) Test the connection from curl
1) There is test.sh in test-curl/
2) Make it executable and run it.
3) It should connect to 8443 and run the test app. test.out = result from app.
test.log = SSL log.
4) test.out should be like:
 User client cert data:
 CN=TEST CLIENT, O=Internet Widgits Pty Ltd, ST=CZ, C=CZ
 <br>
 Time: Fri Oct 30 12:39:21 CET 2015

D) Run the stunnel test
1) There is run-stunnel.sh in client-stunnel/ 
2) Check the paths in this file (if you saved it elsewhere) and run it as root
(sudo ./run-stunnel.sh )
3) Stunnel creates listening port 8442, which accepts plain HTTP and forwards
it to HTTPS 8443 with client certificate. Stunnel will run on the console. Keep it
running.
4) Open another console and run test.sh in the same directory. It will send the
plain http request to 8442; request will be enveloped to https by stunnel and
forwarded to 8443. Result will be printed on console:

   [user@localhost client-stunnel]$ ./test.sh
   User client cert data:
   CN=TEST CLIENT, O=Internet Widgits Pty Ltd, ST=CZ, C=CZ
   <br>
   Time: Fri Oct 30 13:08:08 CET 2015

5) Run it once more. It will fail - no certificate is returned by Tomcat's
request.getAttribute("javax.servlet.request.X509Certificate").

 [user@localhost client-stunnel]$ ./test.sh
 <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.28 - Erro...

Any subsequent requests from the same stunnel connection will reuse the SSL session
and will produce the same error.
If you stop and start stunnel again, the first request will be OK (certificate
passed to application) and subsequent requests will fail again.
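The failure above appears exactly when the SSL session is resumed: on an abbreviated TLS handshake the client does not re-send its certificate, so the server has to recover it from its own session cache, and anything that only reads the certificate from the handshake comes up empty. The following script is an added example (not part of the bug report's attachment, and not Tomcat or stunnel code) that reproduces the same sequence without stunnel, using Python's ssl module to make a full-handshake request and then requests that ask to resume the first session. The host, port, JSP path, the client.pem location and the expected subject string are assumptions taken from the description above; adjust them to your setup.

```python
import socket
import ssl

# Assumed values, taken from the reproduction steps in the report (not verified
# against the attachment).
HOST = "127.0.0.1"
PORT = 8443
PATH = "/test/a.jsp"
CLIENT_PEM = "client-curl/client.pem"  # assumed: client key + certificate in one PEM
EXPECTED_CN = "CN=TEST CLIENT"         # subject that a.jsp prints on success


def build_request(host, path):
    """Minimal HTTP/1.0 GET with Connection: close, so the server ends the response."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def make_context(client_pem):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The test server uses a self-signed certificate, so server verification is off here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(client_pem)  # sent when the server requests a client certificate
    return ctx


def https_get(ctx, host, port, path, session=None):
    """One request on a fresh TCP connection.

    session=None forces a full handshake (client certificate is sent). Passing a
    previous SSLSession asks the server to resume it; if it does, the handshake is
    abbreviated and no certificate is re-sent. Returns (body, session, reused).
    """
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            tls.sendall(build_request(host, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            # Read the session after the response so a ticket delivered after the
            # handshake (TLS 1.3) has already been processed.
            return b"".join(chunks), tls.session, tls.session_reused


def cert_forwarded(body, expected_cn=EXPECTED_CN):
    """True if the JSP printed the client subject, False if it rendered an error page."""
    return expected_cn.encode("utf-8") in body


def classify(results):
    """results: list of (session_reused, cert_forwarded) per request, in order."""
    if all(cert for _, cert in results):
        return "ok"
    full = [cert for reused, cert in results if not reused]
    resumed = [cert for reused, cert in results if reused]
    if all(full) and resumed and not any(resumed):
        return "broken-on-resume"          # the symptom described in the report
    return "broken-even-on-full-handshake"  # look at the server configuration first


def run(count=3):
    ctx = make_context(CLIENT_PEM)
    session = None
    results = []
    for i in range(count):
        body, session, reused = https_get(ctx, HOST, PORT, PATH, session)
        ok = cert_forwarded(body)
        results.append((reused, ok))
        print(f"request {i + 1}: session_reused={reused} cert_forwarded={ok}")
    print("verdict:", classify(results))
    return results


if __name__ == "__main__":
    run()
```

Whether the second and later requests actually resume depends on the server accepting the session, so the script prints session_reused for each request; a run where every request has session_reused=False and the certificate is forwarded each time says nothing about this bug, only that the server declined to resume. Against a server with the behaviour described above, the expected pattern is one full handshake with the certificate forwarded followed by resumed handshakes without it.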
