Re: Client certificate gone after 1 minute timeout (SSL, APR)

2010-02-23 Thread Andrey D
Hi, Albert.
I do not know how to help you, but you can help me with SSL + Tomcat.
I saw you made a two-sided SSL setup with the default tomcat connector, and I'd like
to ask you about this:
What steps have you done to make it work?
If you can, please help.

Thanks..

On Mon, Feb 22, 2010 at 2:16 PM, Albert Tumanov altum...@gmail.com wrote:

 Dear colleagues,

 I'm chasing a strange problem with Tomcat + SSL + APR + Firefox.

 Namely, the setup works perfectly (i.e. the client certificate is sent
 and the servlet application can get it).
 But if I allow the SSL connection to time out (it happens 1 minute
 after the last request), the servlet application does not get the
 client certificate anymore.

 The workaround is to clear Firefox cache (Tools -> Clear Recent History
 -> 1 hour, Active logins).
 After this, the application will work again until the next timeout.

 This problem does NOT occur if I use pure Java SSL config (no APR) or
 when I use a browser other than Firefox.

 From that you can imply that this might be a Firefox problem, but I'm
 not so sure.
 Firefox works perfectly with all other HTTPS sites and also pure Java
 SSL config works with Firefox.
 So obviously this problem occurs because Tomcat libnative fails to
 handle some peculiarities of Firefox SSL packets.

 Here is my exact setup:
 - Debian 5 (Lenny)
 - libapr1 1.2.12-5+lenny1
 - openssl  0.9.8g-15+lenny6
 - Tomcat 6.0.24 with tomcat-native-1.1.19
 - server authentication certificates (newcert.pem, newkey-no-password.pem)
 - client authentication certificates (cas.crt and a personal
 certificate signed by that)
 - a simple servlet ssltest to get the client cert:
   writer.println(Arrays.deepToString((X509Certificate[])
 request.getAttribute("javax.servlet.request.X509Certificate")));
 - Firefox 3.6

 The only change in server.xml is the connector conf:

<Connector port="8443" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   SSLCertificateFile="${user.home}/newcert.pem"
   SSLCertificateKeyFile="${user.home}/newkey-no-password.pem"
   SSLVerifyClient="require"
   SSLVerifyDepth="2"
   SSLCACertificateFile="${user.home}/cas.crt"
   />

 Now steps to reproduce:
 1) go to https://localhost:8443/ssltest, it will show the client
 certificate
 2) wait 1 minute
 3) refresh browser - the application will not get the client certificate
  (request.getAttribute("javax.servlet.request.X509Certificate") returns
 null)

 I have traced the SSL packets using ssltap -sxlp 8444 localhost:8443
 It shows that 1 minute after the last request, there will be Read EOF
 on Server socket.
 After that, the problem starts occurring.

 I have compared ssltap traces for Firefox and Safari.
 They look pretty similar.
 The only significant difference is that Safari seems to terminate the
 connection by sending SSL alert packet.
 In case of Firefox, it is the Tomcat server who sends the first SSL
 alert packet.

 I hope somebody can shed a light on that issue :)

 Best Regards,
 Albert

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
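A servlet-side counterpart to the ssltest servlet quoted above, added here as an example and not code from the thread or from Tomcat: a filter that reads the javax.servlet.request.X509Certificate attribute, refuses the request when the attribute is missing (the null case that appears after the timeout) instead of letting the application continue unauthenticated, re-checks the leaf certificate's validity period, and publishes the subject DN for the application. The class name and the attribute name example.clientCertSubject are assumptions; everything else is standard Servlet and JCA API.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the thread) that requires a client certificate
 * chain on every request. The connector has already validated the chain
 * against SSLCACertificateFile / truststoreFile; the filter only re-checks the
 * leaf's validity window and exposes the subject DN to the application.
 */
public class ClientCertFilter implements Filter {

    /** Attribute name defined by the Servlet specification. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Assumed attribute name under which the authenticated subject DN is published. */
    static final String SUBJECT_ATTR = "example.clientCertSubject";

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String subject = authenticatedSubject(certs);
        if (subject == null) {
            // The symptom from the thread: the TLS session exists (or was
            // resumed) but carries no client certificate. Fail closed instead
            // of falling through to an unauthenticated code path.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }
        request.setAttribute(SUBJECT_ATTR, subject);
        chain.doFilter(req, res);
    }

    /**
     * Returns the subject DN of the leaf certificate, or null when the chain is
     * absent, empty, or the leaf is outside its validity period.
     */
    static String authenticatedSubject(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return null;
        }
        X509Certificate leaf = certs[0]; // element 0 is the client's own certificate
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException e) {
            return null;
        } catch (CertificateNotYetValidException e) {
            return null;
        }
        return leaf.getSubjectX500Principal().getName();
    }
}
```

Map the filter to the protected URL pattern in web.xml. Logging the 403 with the remote address and the TLS session id (request.getAttribute("javax.servlet.request.ssl_session_id") on Tomcat) gives a quick way to confirm whether the certificate is lost on the first request after the idle timeout, which is what the trace in the thread suggests.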




SSL % tomcat 6.0

2010-02-16 Thread Andrey D
Hi,
I have some small troubles with SSL certificate integration for tomcat 6.0.
Of course I've read the FAQ and SSL tutorial, but my situation is not
described in those help sheets in detail...
I enabled SSL on tomcat and can log in onto default page with default
certificate, but I have to make the following:
1) enable SSL on server (tomcat);
2) sign the certificate by my company (not to pay for signing by a CA for
now);
3) generate a certificate for every client and send them by e-mail etc.;
4) on client connect to my server, accept the client certificate...

I've made this:

added into server.conf
<Connector
   port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="/var/certificates/serverstore"
   keystorePass="123321"
   keystoreType="JKS" keyAlias="tomcat"
   clientAuth="true" sslProtocol="TLS"
   truststoreFile="/var/certificates/clienttruststore"
   truststorePass="123321" truststoreType="JKS"/>

and do the following (java):

a) Process p = Runtime.getRuntime().exec(new String[] {
    "keytool", "-genkey", "-keyalg", "RSA",
    // the String[] form passes the DN (which contains spaces) as a single
    // argument; the single-String exec() splits it on whitespace
    "-dname", "CN=" + commoname
        + ", OU=" + orzunit
        + ", O=" + organization
        + ", L=" + loc
        + ", S=" + state
        + ", C=" + scontry,
    "-alias", aliasname,
    "-keypass", keypass,
    "-keystore", keystore,
    "-storetype", "PKCS12", "-storepass", keystorepass,
    "-validity", validity });

b) Process p = Runtime.getRuntime().exec(new String[] {
    "keytool", "-export", "-alias", aliasname,
    "-keyalg", "RSA", "-keystore", kystore,
    "-storetype", "PKCS12", "-storepass", kystorepass,
    "-file", file });

c) Process p = Runtime.getRuntime().exec(new String[] {
    "keytool", "-import", "-noprompt", "-alias", aliasname,
    "-keyalg", "RSA", "-keystore", kystore,
    "-storetype", "JKS", "-storepass", kystorepass,
    "-file", file });

But after adding a client certificate, I have to restart tomcat... and that is
impossible!

If someone knows how to generate and add certificates into the keystore for
tomcat and use them without a restart, it would be great if you could reply to me :)

Thanks..
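One way to pick up newly imported client certificates without restarting Tomcat, added here as an example and not code from the thread or from Tomcat: an X509TrustManager that re-reads the JKS truststore whenever the file's modification time changes and delegates every check to the trust manager built from the latest load. Tomcat's JSSE connector documents a trustManagerClassName attribute for plugging in such a class (it needs a no-argument constructor); check the connector reference for the version in use. The path /var/certificates/clienttruststore is the one from the connector configuration above; the class name and the truststore.password system property are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical trust manager (not from the thread) that reloads the client
 * truststore when the file changes, so a certificate added with
 * "keytool -import" is accepted without a connector restart.
 */
public class ReloadingTrustManager implements X509TrustManager {

    // Path taken from the connector configuration in the thread.
    private static final File TRUST_STORE = new File("/var/certificates/clienttruststore");

    // Assumption: the store password arrives as a JVM system property
    // (-Dtruststore.password=...) instead of being hard-coded here.
    private static final char[] PASSWORD =
            System.getProperty("truststore.password", "").toCharArray();

    private X509TrustManager delegate;  // built from the last successful load
    private long loadedModTime = -1L;   // TRUST_STORE.lastModified() at that load

    public ReloadingTrustManager() throws GeneralSecurityException, IOException {
        reloadIfChanged();              // fail fast at startup if the store is unreadable
    }

    /** Rebuilds the delegate when the file's modification time differs from the last load. */
    synchronized void reloadIfChanged() throws GeneralSecurityException, IOException {
        long modTime = TRUST_STORE.lastModified();
        if (delegate != null && modTime == loadedModTime) {
            return;
        }
        KeyStore store = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(TRUST_STORE);
        try {
            store.load(in, PASSWORD);
        } finally {
            in.close();
        }
        TrustManagerFactory factory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(store);
        for (TrustManager tm : factory.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                loadedModTime = modTime;
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available for " + TRUST_STORE);
    }

    /** A failed reload rejects the handshake rather than silently keeping stale trust. */
    private synchronized X509TrustManager current() throws CertificateException {
        try {
            reloadIfChanged();
        } catch (GeneralSecurityException e) {
            throw new CertificateException("truststore reload failed", e);
        } catch (IOException e) {
            throw new CertificateException("truststore reload failed", e);
        }
        return delegate;
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        current().checkClientTrusted(chain, authType);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }

    public X509Certificate[] getAcceptedIssuers() {
        try {
            return current().getAcceptedIssuers();
        } catch (CertificateException e) {
            return new X509Certificate[0]; // advertise no issuers while the store is unreadable
        }
    }
}
```

Write the updated store to a temporary file and rename it over the old one, so the trust manager never reads a half-written JKS file; if a reload does fail, the handshake is rejected (fail closed) instead of being accepted against the previous contents. Note that lastModified() has one-second granularity on some filesystems, so two imports within the same second are only picked up on the next change.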


Re: SSL % tomcat 6.0

2010-02-16 Thread Andrey D
Sorry, but I can't use apache httpd separately... only tomcat.. :(

someone told me:

 ok, I think the solution is this 
 create a CA ... then, import the CA public key into key-store
 sign each client certificate with CA private key ..
 I believe this will mean that when Tomcat requests client certificate, it
can be checked against the CA public key in keystore ...
 have a look at this ..

what do you think about it?
and if it helps... how to do it
Thanks!

On Tue, Feb 16, 2010 at 1:40 PM, Mikolaj Rydzewski m...@ceti.pl wrote:

 Andrey D wrote:

 I have some small troubles with SSL certificate integration for tomcat 6.0.
 Of course I've read the FAQ and SSL tutorial, but my situation is not
 described in those help sheets in detail...


 Well, maybe it does not address your problem directly. I found it's much
 easier to work with the following configuration:

 apache httpd (+ SSL) -> mod_proxy_ajp -> tomcat

 AJP connector is aware of SSL being used by apache.

 --
 Mikolaj Rydzewski m...@ceti.pl

