https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

            Bug ID: 64141
           Summary: APR SSL: Required certificate verification uses
                    -Djavax.net.ssl.trustStore instead of
                    caCertificateFile
           Product: Tomcat 8
           Version: 8.5.51
          Hardware: PC
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: martin.weg...@ebp.de
  Target Milestone: ----

I have the following server.xml configuration to enforce a client certificate
verification:

>    <Connector port="27247" server="Apache"
>               protocol="org.apache.coyote.http11.Http11AprProtocol"
>               connectionTimeout="20000"
>               compression="force"
>               maxThreads="400"
>               scheme="https" secure="true" SSLEnabled="true">
>      <SSLHostConfig caCertificateFile="D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\ca.pem"
>                     disableCompression="true" disableSessionTickets="true"
>                     certificateVerification="require" protocols="TLSv1.2">
>        <Certificate certificateFile="D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\server.pem"
>                     certificateKeyFile="D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\server.key"
>                     certificateKeyPassword="mysecret" />
>      </SSLHostConfig>
>    </Connector>

The Tomcat Java options contain:

> -Djavax.net.ssl.trustStore=D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\truststore.jks
> -Djavax.net.ssl.trustStorePassword=mysecret
> -Djavax.net.ssl.trustStoreType=JKS
> -Djavax.net.ssl.keyStore=D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\client.pfx
> -Djavax.net.ssl.keyStorePassword=mysecret
> -Djavax.net.ssl.keyStoreType=PKCS12

Suppose the ca.pem contains a CA named A, so I would expect that the client
certificate chain must be approved by A.
But here all client certificate chains are accepted which are covered by the
truststore.jks in the Tomcat Java options.

In my opinion only the caCertificateFile from the server.xml should be used as
the trust anchor.

I have not tested if caCertificateFile and -Djavax.net.ssl.trustStore are used
together (mixed) or if -Djavax.net.ssl.trustStore simply overwrites
caCertificateFile.

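The report turns on a question a defender can check from configuration alone: which trust-anchor sources can influence client-certificate verification on a given connector. The script below is an added example, not part of the bug report and not Tomcat's own code. It parses a server.xml fragment modelled on the reporter's setup, reads the JVM `-D` options, and emits one finding per anchor source (the `caCertificateFile` of an `SSLHostConfig` with `certificateVerification` other than `none`, plus the `javax.net.ssl.trustStore` whenever it is set on an APR connector, since the report observes that its CAs were also accepted). It also enumerates the certificates in a PEM bundle by SHA-256 fingerprint using only the standard library. The server.xml, option list, file paths and PEM "certificates" are all constructed placeholders; the JKS truststore is only reported, not parsed.

```python
"""Audit trust-anchor sources for Tomcat APR client-cert verification.

Added example (not from the report, not Tomcat code). All inputs below are
constructed stand-ins; paths are placeholders, not the reporter's real paths.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the report (paths shortened).
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="27247" protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig caCertificateFile="C:/tomcat/cert/ca.pem"
                     certificateVerification="require" protocols="TLSv1.2">
        <Certificate certificateFile="C:/tomcat/cert/server.pem"
                     certificateKeyFile="C:/tomcat/cert/server.key"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Constructed JVM options, as they would appear in the service's Java settings.
JVM_OPTS = [
    "-Djavax.net.ssl.trustStore=C:/tomcat/cert/truststore.jks",
    "-Djavax.net.ssl.trustStorePassword=mysecret",
    "-Djavax.net.ssl.trustStoreType=JKS",
    "-Xmx1g",
]

# Connector protocols backed by APR/OpenSSL rather than JSSE.
APR_PROTOCOLS = {"org.apache.coyote.http11.Http11AprProtocol",
                 "org.apache.coyote.ajp.AjpAprProtocol"}


def ssl_host_configs(server_xml):
    """Yield (port, protocol, SSLHostConfig attrs) for every SSL-enabled connector."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for shc in conn.findall("SSLHostConfig"):
            yield conn.get("port"), conn.get("protocol", "HTTP/1.1"), dict(shc.attrib)


def jvm_system_props(opts):
    """Collect -Dkey=value options into a dict; everything else is ignored."""
    props = {}
    for opt in opts:
        if opt.startswith("-D") and "=" in opt:
            key, value = opt[2:].split("=", 1)
            props[key] = value
    return props


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of each CERTIFICATE block in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in blocks]


def audit(server_xml, jvm_opts):
    """One finding per trust-anchor source that can affect client-cert checks."""
    props = jvm_system_props(jvm_opts)
    findings = []
    for port, protocol, shc in ssl_host_configs(server_xml):
        verification = shc.get("certificateVerification", "none")
        if verification == "none":
            continue  # no client authentication requested on this host config
        anchor = shc.get("caCertificateFile") or shc.get("caCertificatePath")
        findings.append({"port": port, "source": "SSLHostConfig",
                         "anchor": anchor, "verification": verification})
        # Per the report, the APR connector also honoured the JVM truststore,
        # so surface it as a second anchor source whenever it is configured.
        if protocol in APR_PROTOCOLS and "javax.net.ssl.trustStore" in props:
            findings.append({"port": port, "source": "javax.net.ssl.trustStore",
                             "anchor": props["javax.net.ssl.trustStore"],
                             "verification": verification})
    return findings


def _pem_block(der):
    body = base64.encodebytes(der).decode()  # base64, wrapped, trailing newline
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed stand-in for ca.pem: the "DER" is placeholder bytes, enough to
# show anchor enumeration by fingerprint (no real X.509 parsing is done here).
CA_PEM = _pem_block(b"placeholder DER for CA A") + _pem_block(b"placeholder DER for CA B")

if __name__ == "__main__":
    for f in audit(SERVER_XML, JVM_OPTS):
        print(f"port {f['port']}: {f['source']} -> {f['anchor']} ({f['verification']})")
    for fp in pem_fingerprints(CA_PEM):
        print("anchor in ca.pem:", fp)
```

Run against a real deployment by reading the live server.xml and the JVM options from the service configuration; a second `javax.net.ssl.trustStore` finding on a connector that was meant to trust only `caCertificateFile` is the condition this report describes and should be reviewed.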