Author: rjung
Date: Sun Aug 13 11:47:24 2017
New Revision: 1804903
URL: http://svn.apache.org/viewvc?rev=1804903&view=rev
Log:
Improve TLS handshake.
When using JSSE TLS configuration with the OpenSSL
implementation and client certificates: include
client CA subjects in the TLS handshake so that
the client can choose an appropriate client
certificate to present.
This fix needs at least version 1.2.13 of the
Tomcat Native Library to work.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1804903&r1=1804902&r2=1804903&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Sun Aug 13 11:47:24
2017
@@ -562,4 +562,12 @@ public final class SSLContext {
* @return {@code true} if success, {@code false} otherwise.
*/
public static native boolean addChainCertificateRaw(long ctx, byte[] cert);
+
+ /**
+ * Add a CA certificate we accept as issuer for peer certs
+ * @param ctx Server or Client context to use.
+ * @param subject Byte array with the certificate in DER encoding.
+ * @return {@code true} if success, {@code false} otherwise.
+ */
+ public static native boolean addClientCACertificateRaw(long ctx, byte[]
cert);
}
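Review bot: The Javadoc added for `addClientCACertificateRaw` documents `@param subject`, but the method declares the parameter as `cert`, so the tag matches nothing and the real parameter is left undocumented. Change the tag to `@param cert Byte array with the certificate in DER encoding.` The summary line "Add a CA certificate we accept as issuer for peer certs" can also be read as establishing trust, whereas the commit log says the call only causes the CA subject to be included in the handshake. If that is what the native side does (it is not visible here), say so explicitly, e.g. `Add a CA certificate whose subject is advertised to clients as an acceptable issuer; this does not add it to the verification trust store.`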
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties?rev=1804903&r1=1804902&r2=1804903&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
Sun Aug 13 11:47:24 2017
@@ -18,6 +18,7 @@ openssl.errorSSLCtxInit=Error initializi
openssl.doubleInit=SSL context already initialized, ignoring
openssl.certificateVerificationFailed=Certificate verification failed
openssl.keyManagerMissing=No key manager found
+openssl.incompleteClientCASupport=Incomplete support for client CAs, please
update your tcnative version
openssl.trustManagerMissing=No trust manager found
engine.engineClosed=Engine is closed
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1804903&r1=1804902&r2=1804903&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Sun Aug 13 11:47:24 2017
@@ -252,10 +252,6 @@ public class OpenSSLContext implements o
// Set certificate chain file
SSLContext.setCertificateChainFile(ctx,
SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false);
- // Support Client Certificates
- SSLContext.setCACertificate(ctx,
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
// Set revocation
SSLContext.setCARevocation(ctx,
SSLHostConfig.adjustRelativePath(
@@ -301,6 +297,7 @@ public class OpenSSLContext implements o
SSLContext.setVerify(ctx, value,
sslHostConfig.getCertificateVerificationDepth());
if (tms != null) {
+ // Client certificate verification based on custom trust
managers
final X509TrustManager manager = chooseTrustManager(tms);
SSLContext.setCertVerifyCallback(ctx, new
CertificateVerifier() {
@Override
@@ -315,6 +312,24 @@ public class OpenSSLContext implements o
return false;
}
});
+ // Pass along the DER encoded certificates of the accepted
client
+ // certificate issuers, so that their subjects can be presented
+ // by the server during the handshake to allow the client
choosing
+ // an acceptable certificate
+ for (X509Certificate caCert : manager.getAcceptedIssuers()) {
+ // try/catch can be removed once tcnative 1.2.13 was
released
+ // and the required version was updated to it.
+ try {
+ SSLContext.addClientCACertificateRaw(ctx,
caCert.getEncoded());
+ } catch (UnsatisfiedLinkError e) {
+
log.warn(sm.getString("openssl.incompleteClientCASupport"), e);
+ }
+ }
+ } else {
+ // Client certificate verification based on trusted CA files
and dirs
+ SSLContext.setCACertificate(ctx,
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
}
if (negotiableProtocols != null && negotiableProtocols.size() > 0)
{
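Review bot: The boolean returned by `SSLContext.addClientCACertificateRaw(ctx, caCert.getEncoded())` is discarded in the new loop, so an issuer the native layer rejects is silently missing from the advertised CA list and a client may then fail to select a certificate with nothing in the log; check the result and log a warning naming `caCert.getSubjectX500Principal()` when it is `false`. The `catch (UnsatisfiedLinkError e)` sits inside the loop, so with an older tcnative the same warning and stack trace are logged once per accepted issuer; adding `break;` after the `log.warn(...)` call logs it once. A short comment would also help operators: when trust managers are present, `getCaCertificateFile()` and `getCaCertificatePath()` are no longer passed to `setCACertificate`, and every subject returned by `getAcceptedIssuers()` is sent to clients before they authenticate, which for a broad trust store reveals the whole list. The enclosing method starts and ends outside this hunk.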
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1804903&r1=1804902&r2=1804903&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sun Aug 13 11:47:24 2017
@@ -58,6 +58,13 @@
<subsection name="Coyote">
<changelog>
<fix>
+ When using JSSE TLS configuration with the OpenSSL implementation and
+ client certificates: include client CA subjects in the TLS handshake
+ so that the client can choose an appropriate client certificate to
+ present. This fix needs at least version 1.2.13 of the Tomcat Native
+ Library. (rjung)
+ </fix>
+ <fix>
If an invalid option is specified for the
<code>certificateVerification</code> attribute of an
<code>SSLHostConfig</code> element, treat it as <code>required</code>