Re: [OT] tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options
On 12/02/2019 22:26, Christopher Schultz wrote: > Mark, > > On 2/12/19 13:27, Mark Thomas wrote: >> Try again. Prompted for certificate. Select valid cert. Connection >> refused. Ah. the trust store again. Switch back to the OpenSSL >> config. > > This is a real point of confusion for users... the difference between > configuring for OpenSSL versus JSSE (especially when using OpenSSL via > JSSE). > > Is there any technical reason why we can't accept either type of > certificate for either type of connector? I can't think of a reason > why we couldn't convert from one to the other if necessary. > > Sure, it's a bunch of plumbing code that we have to babysit, but the > configuration will be *so* much nicer, regardless of the user's > preference (e.g. PEM-encoded DER files, just like $diety intended, or > the hellspawn that is certificate keystores). Some of that is already in place but there are gaps. Likewise we have merged some of the configuration options but could probably do more. A good starting point would be a wiki page or similar that documented the current state and then we could start to fill in the gaps. Just thinking out loud, a nice way to test this would be with a single set of key/cert files and multiple connectors on different ports that each used a different combination. Testing would then be a case of start Tomcat and check the homepage on a handful of different ports (which could easily be made into a unit test). Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 2/12/19 13:27, Mark Thomas wrote: > Try again. Prompted for certificate. Select valid cert. Connection > refused. Ah. the trust store again. Switch back to the OpenSSL > config. This is a real point of confusion for users... the difference between configuring for OpenSSL versus JSSE (especially when using OpenSSL via JSSE). Is there any technical reason why we can't accept either type of certificate for either type of connector? I can't think of a reason why we couldn't convert from one to the other if necessary. Sure, it's a bunch of plumbing code that we have to babysit, but the configuration will be *so* much nicer, regardless of the user's preference (e.g. PEM-encoded DER files, just like $diety intended, or the hellspawn that is certificate keystores). - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlxjSBgACgkQHPApP6U8 pFi4gA/+NjUUGQaEpE1XDrbE/mC47tZUhGQD1iZakwIgqtE159lAiK8ddZcDC073 xc2oWYRRKuqyzKQ/d7NowfU1FuZc/78dME/M0OJ0PQ/HFx1MKSx3qZnl6jWsIUV8 nayBPG4fKbJfDy7L+brUk/jdxTwE+5NRB2jdE4DcG5uqH4b2OQI2W3aZcNL3wqRW LbvwyPtRVpm63G3ct8eB81kSlkRo/664bgQNzA+ZV1AiVu17cArKlHS7eyQJHf5A Btn8WunosrG1haOGGjCM1yEN/aClbmrgoy3sWO6RK22SCgWFkP6CXKkYf5Q+E/4d vfZWg25YwHQm7uPMEdBhDth9dIm9uZnoxDbzvmE3J7FIT30orJmb+MDLod1hAIYH CWgJ4oF7uWgk5Q2/+EkF3tSy9OAF6fY3x/y24dH+NHDBWfj/2PXv90ohY/+IMeJQ oYUuBwZd49BmdJiofw1IoRaDrtlJjw9aIFlszyS+bn87TSe2JozhMymmxhtPPb8C T9KCMbQGpRkNFm1/PgKNKFi8SaqAdd+wl2f7h88qA8HJ5Xyjmn88VJfHjFdMUoAe fgK1tcN1J4szSHO3ivCBMnqUeJPUgcWqJC8qh2likk77Mx+Qw3CMzfB0i4Ry7r1g kg3T1/uRekmyaVTowb4vuVGwYP3p9BCBBFezSEKCGELa8RrQ3rI= =m+qr -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options
You're (both) quite right, my apologies. (this is embarrassing) In my defense, I've been bouncing back and forth between my personal desktop machine (windows 10) where I was having this issue... and a development server, where this was working just fine. While at lunch, it occurred to me to wonder if I had the same Tomcat and TC-Native bits on each .. confirmed after lunch that these were different. (tc-native 1.2.21 on the desktop, 1.2.19 on the server) Changed those on my desktop to match those of the server, same issue... compared the server.xml files and found that on the desktop, where I had put back the older (7.x) format Connector stuff and - (the mistake) - left the clientAuth setting at "want" rather than "true". corrected that, working as expected. Went back to the OpenSSL Connector format and saw new errors... (useServerCipherSuitesOrder="true" in the Connector section caused a _default_hostConfig (something like that) error...PROBABLY because I had moved the SSLProtocls to theSSLHostConfig section moved the useServerCipherSuitesOrder attribute to the SSLHostConfig section and renamed it to honorCipherOrder to fix that). Also found I had to add the truststoreType and truststorePassword attributes to the SSLHostConfig element (docs seem to say that's ONLY for JSSE syntax - but I may be misunderstanding that), long story short, I now have a Connector element that works correctly: retested with tc-native 1.2.21 on the desktop... and its working as expected. (Still not sure what was going on previously). thanks, again. On Tue, Feb 12, 2019 at 12:27 PM Mark Thomas wrote: > On 12/02/2019 17:21, John Palmer wrote: > > using the old Connector/clientAuth="true" or the new > > Connector/SSLHostConfig/ certificateVerification="REQUIRED" > (tried > > lowercase and without the D) format..doesn't seem to work properly. > > > > no matter what value I use or which format... the behavior seems to be > that > > the client cert is prompted for, but is optional (the web pages are > > shown whether a cert is selected or Cancel is selected on the prompt. > > (in the latter case, a JSP scriplet that shows X509 certificate content > > throws an error, confirming that the client certifcate was not sent). > > > > (Openssl s_client cmd confirms that the "Acceptable client certificate CA > > names" > > from the trustStore specified ARE being sent). > > > > I don't doubt that I'm missing (mistyping or misunderstanding) something > > (again), but I'm gonna ask for help a little sooner this time rather > than > > continuing to beat a dead horse :) ... > > Maybe. Or you might have hit a Tomcat bug. > > So, starting with a clean build of the latest 8.5.x source... > > Enable TLS (uncomment the second of the comment out TLS connectors in > the default server.xml), switch it to NIO2 from APR/native and copy the > key, cert, etc. into the correct locations. > > Starts with TLS enabled with NIO2 (JSSE) on 8443. Can connect with Chrome. > > Add certificateVerification="required" to the SSLHostConfig and restart. > > Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome > rejected. Ah. No trust store configured on the connector. > > Add caCertificateFile="conf/ca-rsa-cert.pem" to SSLHostConfig and restart. > > Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome > rejected. Realised I tried to use OpenSSL config and I'm using JSSE. > Removed caCertificateFile="conf/ca-rsa-cert.pem" and added > truststoreFile="conf/ca-rsa.jks" to SSLHostConfig. > > Starts with TLS enabled with NIO2 on 8443. Connection from Chrome > prompts for client cert. Click cancel - connection rejected. As > expected. Try again, this time selecting a certificate - connection > allowed. > > All working as expected. > > Add Tomcat Native (so OpenSSL is usedd for TLS). > > Tomcat starts with NIO2 (OpenSSL) on port 8443. > > Prompted for user certificate. Click cancel. Connection refused. > > Try again. Prompted for certificate. Select valid cert. Connection > refused. Ah. the trust store again. Switch back to the OpenSSL config. > > Tomcat starts with NIO2 (OpenSSL) on port 8443. > > Prompted for user certificate. Click cancel. Connection refused. > > Try again. Prompted for certificate. Select valid cert. Connection allowed. > > All seems to be working as expected here. > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options
On 12/02/2019 17:21, John Palmer wrote: > using the old Connector/clientAuth="true" or the new > Connector/SSLHostConfig/ certificateVerification="REQUIRED" (tried > lowercase and without the D) format..doesn't seem to work properly. > > no matter what value I use or which format... the behavior seems to be that > the client cert is prompted for, but is optional (the web pages are > shown whether a cert is selected or Cancel is selected on the prompt. > (in the latter case, a JSP scriplet that shows X509 certificate content > throws an error, confirming that the client certifcate was not sent). > > (Openssl s_client cmd confirms that the "Acceptable client certificate CA > names" > from the trustStore specified ARE being sent). > > I don't doubt that I'm missing (mistyping or misunderstanding) something > (again), but I'm gonna ask for help a little sooner this time rather than > continuing to beat a dead horse :) ... Maybe. Or you might have hit a Tomcat bug. So, starting with a clean build of the latest 8.5.x source... Enable TLS (uncomment the second of the comment out TLS connectors in the default server.xml), switch it to NIO2 from APR/native and copy the key, cert, etc. into the correct locations. Starts with TLS enabled with NIO2 (JSSE) on 8443. Can connect with Chrome. Add certificateVerification="required" to the SSLHostConfig and restart. Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome rejected. Ah. No trust store configured on the connector. Add caCertificateFile="conf/ca-rsa-cert.pem" to SSLHostConfig and restart. Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome rejected. Realised I tried to use OpenSSL config and I'm using JSSE. Removed caCertificateFile="conf/ca-rsa-cert.pem" and added truststoreFile="conf/ca-rsa.jks" to SSLHostConfig. Starts with TLS enabled with NIO2 on 8443. Connection from Chrome prompts for client cert. Click cancel - connection rejected. As expected. Try again, this time selecting a certificate - connection allowed. All working as expected. Add Tomcat Native (so OpenSSL is usedd for TLS). Tomcat starts with NIO2 (OpenSSL) on port 8443. Prompted for user certificate. Click cancel. Connection refused. Try again. Prompted for certificate. Select valid cert. Connection refused. Ah. the trust store again. Switch back to the OpenSSL config. Tomcat starts with NIO2 (OpenSSL) on port 8443. Prompted for user certificate. Click cancel. Connection refused. Try again. Prompted for certificate. Select valid cert. Connection allowed. All seems to be working as expected here. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 John, On 2/12/19 12:21, John Palmer wrote: > using the old Connector/clientAuth="true" or the new > Connector/SSLHostConfig/ > certificateVerification="REQUIRED" (tried lowercase and without the > D) format..doesn't seem to work properly. > > no matter what value I use or which format... the behavior seems to > be that the client cert is prompted for, but is optional (the > web pages are shown whether a cert is selected or Cancel is > selected on the prompt. (in the latter case, a JSP scriplet that > shows X509 certificate content throws an error, confirming that the > client certifcate was not sent). > > (Openssl s_client cmd confirms that the "Acceptable client > certificate CA names" from the trustStore specified ARE being > sent). > > I don't doubt that I'm missing (mistyping or misunderstanding) > something (again), but I'm gonna ask for help a little sooner this > time rather than continuing to beat a dead horse :) ... Can you copy/paste your actual configuration? - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlxjAhUACgkQHPApP6U8 pFiS8A//QFTFb+JC6n/QJ+KPZKZ5VYsNavfCZD5bkwoWByrO2KLoYQuzEyBMFHHr qXZ/Ry1dtW2IYbxP29BopteKx/kdFBe554MoXiDUdKYJSZa3d4Bgq1qkRjRvZ7Xq kago/cVz/ZmFK9xIYwz1mK1M4WfYCFA8BgIvyp9pQIGMzxCHSn8ull541XtFJrAz VBH64+3WGhpFjv6vsAwC4MVZY9lwc/2wEXD6k5cnscyHHJQbH3fWwjmpQZgT0PXf Q4g49YSTjBvvWu9QLE3Vq0QoqGmSnrCj8QjRVp4v5ot5JyxYXfjYY4/Gclu46x1a IFy+K5hQ7YTNTzkKczT+UZGGCBfxiyW6NVC7tBkVx6t8WPJbIwD1/CUYzEmw6x7P 2IKuwCCkDyApzmU2QYzL7jDeEFuN98URQwhQz+mvRKdQGW5D9C58E8Ka8EEazxgF dtstzkDeSNA9GEGJbk4H4e6+wiEjbCyBUj2zmxVYYYClA9oVa1888aEzDbSwJB15 eIwYnRal8RJ0hNt3ATh2lPV2NQHt168rf5Y3GMUPbO3kT7uKSjB7p/sJ8zWRxpMw gL7JxqlGT3RN7wsAe4H84bucgJsIPj5IMoNYILFLMCpiZD9xrpK0d/QVtM2rd3B4 cNZ6cRGiF1hU/BS9Xq6ZVYMMA2G54BRFFEtkhERpLte+3aLPixw= =fdPZ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options
using the old Connector/clientAuth="true" or the new Connector/SSLHostConfig/ certificateVerification="REQUIRED" (tried lowercase and without the D) format..doesn't seem to work properly. no matter what value I use or which format... the behavior seems to be that the client cert is prompted for, but is optional (the web pages are shown whether a cert is selected or Cancel is selected on the prompt. (in the latter case, a JSP scriplet that shows X509 certificate content throws an error, confirming that the client certifcate was not sent). (Openssl s_client cmd confirms that the "Acceptable client certificate CA names" from the trustStore specified ARE being sent). I don't doubt that I'm missing (mistyping or misunderstanding) something (again), but I'm gonna ask for help a little sooner this time rather than continuing to beat a dead horse :) ... thanks again.. John