Re: Trouble with CLIENT-CERT authentication method
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:

> So, with clientAuth=false, how do you get a client certificate to use for authentication? Or, does the presence of the CLIENT-CERT in web.xml trigger an SSL renegotiation where the client cert /is/ requested from the client?

The presence of CLIENT-CERT:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

in web.xml triggers the renegotiation and the client cert is requested from the client. As Mark pointed out, this exposes the TLS bug CVE-2009-3555, so be warned!

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble with CLIENT-CERT authentication method
On 2/18/10, Christopher Schultz ch...@christopherschultz.net wrote:

> Stupid question: don't you want clientAuth=true?

In this particular case, no. I don't want to force client certificate authentication for all SSL connections coming to port 8443. Instead, I am looking to do client certificate authentication on a per-webapp basis. As Mark pointed out, however, this opens up a potential man-in-the-middle attack, so I'm still investigating other ways to accomplish this.
Re: Trouble with CLIENT-CERT authentication method
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:

> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>> Nope. clientAuth=false means that the webapp's web.xml specifies which resources require the client certificate.
>
> Gotcha: I thought that false would cause the connector to ignore all client cert info, while want would collect it but not process it, while true would perform the checks for you. Instead, false and want are essentially the same (right?) and true does the checks for you. If you have want or false, plus a web-resource-collection that demands CLIENT-AUTH, then it will be used for identification purposes, but not actually checked against a valid certificate chain. Do I have that right?

The behavior I see is this:

- false does not request the client certificate at all.
- want requests it, but allows the connection to go through if no client certificate is presented.
- true requires a client certificate and kills the connection if no client certificate (or an unacceptable one) is presented.
Re: Trouble with CLIENT-CERT authentication method
On 2/17/10, Mark Thomas ma...@apache.org wrote:

> CVE-2009-3555?

Now that this is working, I'd like to ask what other options exist for using client certificate authentication on a per-webapp basis. Requiring my customers to enable a feature (allowUnsafeLegacyRenegotiation) that exposes them to a potential man-in-the-middle attack doesn't seem like a good idea! (Heck, it even says "Unsafe" in the property name!)

I saw mention of overriding the SSL implementation with sslImplementation=classname... does that still work in 6.x? Is that a good option? And what about an Authentication Valve, is that the right direction?

Thanks!
Trouble with CLIENT-CERT authentication method
Greetings fellow Tomcat-ers:

I'm trying to enable client certificate authentication on a per-webapp basis using Tomcat 6.0.24. According to the various sources of documentation I've found, this should be possible by enabling the SSL Connector (which I've done), getting client certificate authentication working for the Connector (this works for me), then setting clientAuth=false on the Connector and placing the following in the webapp's web.xml:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

I've tried various combinations of security constraints, roles, realms, etc. but can never get the CLIENT-CERT authentication to work for my webapp. As I mentioned above, all is fine if I set clientAuth=true, but I don't want to impose client certificate authentication across the whole site.

Searching the archives, I ran across bug 46950 (https://issues.apache.org/bugzilla/show_bug.cgi?id=46950) which looks to describe my very problem. However, the bug is marked fixed as of 6.0.21 (I'm using 6.0.24) and I am not seeing the correct behavior. Furthermore, the issue was reported against the APR Connector and I'm using the default flavor (which, according to one of the answering developers, works for him).

Can anyone tell me what's going on here?

Thank you!
Re: Trouble with CLIENT-CERT authentication method
On 2/17/10, Mark Thomas ma...@apache.org wrote:

> On 17/02/2010 23:48, Kevin Mills wrote:
>> Can anyone tell me what's going on here?
>
> CVE-2009-3555?
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html search for allowUnsafeLegacyRenegotiation

Thanks for your reply - I did see that option and forgot to mention that I tried it to no avail. Seeing as this renegotiation is a Bad Thing, what is the recommended way to do this? Another thread I followed talked about setting the Connector to allow any certificates and writing an Authentication Valve... is that the right direction?

Thanks
Re: Trouble with CLIENT-CERT authentication method
On 2/17/10, Mark Thomas ma...@apache.org wrote:

> Then you probably haven't got your config quite right. There are plenty of things to go wrong with this but this definitely works - I was using it just the other day. We'll need to see:
> - connector element from server.xml
> - web.xml
> - tomcat-users.xml (assuming that is what you are using)
> for starters.

Sure thing - here is my Connector element:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="50" scheme="https" secure="true"
               keystoreFile=".../tomcat.keystore" keystorePass="..."
               clientAuth="false" sslProtocol="TLS"
               allowUnsafeLegacyRenegotiation="true" />

My web.xml (based on what I saw in your reply to bug 46950):

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
        <distributable/>
        <servlet>
            <description>Test servlet</description>
            <display-name>My Servlet</display-name>
            <servlet-name>MyServlet</servlet-name>
            <servlet-class>MyServlet</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>MyServlet</servlet-name>
            <url-pattern>/myServlet</url-pattern>
        </servlet-mapping>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>MyApp</web-resource-name>
                <url-pattern>/index.jsp</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>X509</role-name>
            </auth-constraint>
        </security-constraint>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Everything</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <auth-method>CLIENT-CERT</auth-method>
        </login-config>
    </web-app>

And my tomcat-users.xml:

    <tomcat-users>
        <role rolename="manager"/>
        <user username="tomcat" password="..." roles="manager"/>
        <role rolename="X509"/>
        <user username="EMAILADDRESS=...,CN=...,OU=...,OU=...,OU=...,O=...,L=...,ST=...,C=..."
              password="null" roles="X509"/>
    </tomcat-users>

> Also a better description of the problem than "doesn't work" would help. :-)

"Doesn't work", meaning I don't get prompted for my certificate. I see my servlet's output without any sort of authentication.

Thank you.
Re: Trouble with CLIENT-CERT authentication method
On 2/17/10, Mark Thomas ma...@apache.org wrote:

> <snip/> :-)
>> Doesn't work, meaning I don't get prompted for my certificate. I see my servlet's output without any sort of authentication.
>
> What URL are you requesting? Only index.jsp will prompt for a cert. Your servlet will just require SSL to be used.

Ohhh... my mistake! Yes, index.jsp does prompt me for a certificate! So how would I make the servlet also require one? I was under the (mistaken?) impression that the /* url-pattern would cover the servlet.

Thanks very much!
Re: Trouble with CLIENT-CERT authentication method
On 2/17/10, Mark Thomas ma...@apache.org wrote:

> The rules on how security constraints combine are in the Servlet spec. It can take a bit of time to get your head around it. To require a cert for your servlet too, one option would be:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Everything</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>X509</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>CLIENT-CERT</auth-method>
>     </login-config>
>
> which requires it for everything.

That seems to do the trick! Thanks very much - I really appreciate your immediate responses!
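The constraint-combination rules Mark points to in the Servlet spec are what made the original web.xml protect only index.jsp, and what makes his single combined constraint cover the servlet too. As an added example that is not part of the thread (editor's illustration, not Tomcat source code), here is a small Python model of how a Servlet 2.5 container selects the best-matching url-pattern for a request (SRV.12.8.3, using the SRV.11.1 precedence of exact, longest path prefix, extension, default) and then combines every constraint on that pattern (SRV.12.8.1). The two constraint sets are transcribed from Kevin's web.xml and Mark's replacement above; the Constraint/Decision classes and the evaluate function are my own names, and the "*" (all declared roles) shorthand is left out for brevity.

```python
"""Model of how a Servlet 2.5 container selects and combines <security-constraint>
elements for one request URI (SRV.12.8.1, combining constraints; SRV.12.8.3,
processing requests). Constructed illustration, not Tomcat source code; the two
constraint sets below are transcribed from the web.xml fragments in this thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Constraint:
    """One <security-constraint> element."""
    patterns: List[str]                # <url-pattern>s of its <web-resource-collection>
    roles: Optional[Set[str]] = None   # None: no <auth-constraint>; set(): empty <auth-constraint/>
    confidential: bool = False         # <transport-guarantee>CONFIDENTIAL</transport-guarantee>


@dataclass
class Decision:
    """What the container will enforce for one URI."""
    denied: bool          # an empty <auth-constraint/> precludes access outright
    auth_required: bool   # the container must authenticate (with CLIENT-CERT: ask for a cert)
    roles: Set[str]       # roles that satisfy the combined auth-constraint
    confidential: bool    # SSL required for this URI


def _matches(pattern: str, uri: str) -> bool:
    """SRV.11.2 url-pattern forms: exact, path prefix ("/x/*"), extension ("*.jsp"), default ("/")."""
    if pattern == uri or pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    if pattern.startswith("*."):
        return uri.endswith(pattern[1:])
    return False


def best_pattern(constraints: List[Constraint], uri: str) -> Optional[str]:
    """SRV.12.8.3: only the constraints on the single best-matching pattern apply,
    with SRV.11.1 precedence: exact, then longest path prefix, then extension, then default."""
    patterns = {p for c in constraints for p in c.patterns if _matches(p, uri)}
    if uri in patterns:
        return uri
    prefixes = [p for p in patterns if p.endswith("/*")]
    if prefixes:
        return max(prefixes, key=len)
    extensions = [p for p in patterns if p.startswith("*.")]
    if extensions:
        return extensions[0]
    return "/" if "/" in patterns else None


def evaluate(constraints: List[Constraint], uri: str) -> Decision:
    """Combine every constraint that lists the best-matching pattern (SRV.12.8.1)."""
    pattern = best_pattern(constraints, uri)
    if pattern is None:
        return Decision(denied=False, auth_required=False, roles=set(), confidential=False)
    matching = [c for c in constraints if pattern in c.patterns]

    # Authorization: an empty <auth-constraint/> anywhere precludes access; a matching
    # constraint with no <auth-constraint> at all allows unauthenticated access; otherwise
    # the permitted roles are the union of the named roles.
    if any(c.roles is not None and not c.roles for c in matching):
        denied, auth_required, roles = True, False, set()
    elif any(c.roles is None for c in matching):
        denied, auth_required, roles = False, False, set()
    else:
        denied, auth_required = False, True
        roles = set().union(*(c.roles for c in matching))

    # Transport: the accepted connection types are the union, so a matching constraint
    # without a <user-data-constraint> makes plain HTTP acceptable again.
    confidential = all(c.confidential for c in matching)
    return Decision(denied, auth_required, roles, confidential)


# Transcribed from the web.xml posted in this thread: a cert only for /index.jsp,
# CONFIDENTIAL for /*, and no <auth-constraint> on /*.
ORIGINAL = [
    Constraint(["/index.jsp"], roles={"X509"}),
    Constraint(["/*"], confidential=True),
]

# Mark's replacement: one constraint on /* carrying both requirements.
COMBINED = [
    Constraint(["/*"], roles={"X509"}, confidential=True),
]

if __name__ == "__main__":
    for label, constraints in (("original", ORIGINAL), ("combined", COMBINED)):
        for uri in ("/index.jsp", "/myServlet"):
            print(f"{label:8s} {uri:12s} -> {evaluate(constraints, uri)}")
```

Running it reproduces Mark's diagnosis: under the original web.xml, /myServlet is matched only by the /* constraint, which has no auth-constraint, so the container requires SSL but never asks for a certificate. The same best-match rule cuts the other way for /index.jsp: the exact pattern wins, the /* constraint is not consulted at all, and in this model index.jsp gets a certificate prompt but no CONFIDENTIAL guarantee. Mark's single constraint on /* carries both requirements on the one pattern that matches every URI, which is why it "does the trick".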