Date: Tue, 23 Feb 2010 15:07:03 -0800
Subject: Re: Trouble with CLIENT-CERT authentication method
From: kevmacmi...@gmail.com
To: users@tomcat.apache.org
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
So, with clientAuth=false, how do you get a client certificate to use
Kevin,
On 2/23/2010 6:07 PM, Kevin Mills wrote:
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
So, with clientAuth=false, how do you get a client certificate to use
for authentication? Or, does the presence of the CLIENT-CERT
On 24/02/2010 15:03, Christopher Schultz wrote:
So, setting auth-method to CLIENT-CERT triggers an SSL renegotiation.
What if the Connector is set to clientAuth=want or
clientAuth=true? Will the initial SSL negotiation carry the client
certificate and therefore avoid CVE-2009-3555?
Yes. But
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
So, with clientAuth=false, how do you get a client certificate to use
for authentication? Or, does the presence of the CLIENT-CERT in web.xml
trigger an SSL-renegotiation where the client cert /is/ requested from
the client.
Jason,
On 2/19/2010 1:48 AM, Jason Brittain wrote:
Nope. clientAuth=false means that the webapp's web.xml specifies which
resources require the client certificate.
Gotcha: I thought that false would cause the connector to ignore all
client cert
On 2/18/10, Christopher Schultz ch...@christopherschultz.net wrote:
Stupid question: don't you want clientAuth=true?
In this particular case, no. I don't want to force client certificate
authentication for all SSL connections coming to port 8443. Instead,
I am looking to do client
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
On 2/19/2010 1:48 AM, Jason Brittain wrote:
Nope. clientAuth=false means that the webapp's web.xml specifies which
resources require the client certificate.
Gotcha: I thought that false would cause the connector to ignore
Kevin,
On 2/19/2010 2:18 PM, Kevin Mills wrote:
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
On 2/19/2010 1:48 AM, Jason Brittain wrote:
Nope. clientAuth=false means that the webapp's web.xml specifies which
resources
On 2/17/10, Mark Thomas ma...@apache.org wrote:
CVE-2009-3555?
Now that this is working, I'd like to ask what other options exist for
using client certificate authentication on a per-webapp basis.
Requiring my customers to enable a feature
(allowUnsafeLegacyRenegotiation) that exposes them to a
On 18/02/2010 16:30, Kevin Mills wrote:
On 2/17/10, Mark Thomas ma...@apache.org wrote:
CVE-2009-3555?
Now that this is working, I'd like to ask what other options exist for
using client certificate authentication on a per-webapp basis.
Requiring my customers to enable a feature
Kevin,
On 2/17/2010 7:24 PM, Kevin Mills wrote:
Sure thing - here is my Connector element:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
Christopher:
Nope. clientAuth=false means that the webapp's web.xml specifies which
resources require the client certificate. See the Connector doc page's
description of the accepted values for the clientAuth attribute:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
clientAuth is a
Greetings fellow Tomcat-ers:
I'm trying to enable client certificate authentication on a per-webapp
basis using Tomcat 6.0.24. According to the various sources of
documentation I've found, this should be possible by enabling the SSL
Connector (which I've done), getting client certificate
On 17/02/2010 23:48, Kevin Mills wrote:
Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
Mark
On 2/17/10, Mark Thomas ma...@apache.org wrote:
On 17/02/2010 23:48, Kevin Mills wrote:
Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
Thanks for your reply - I did see that option
On 18/02/2010 00:04, Kevin Mills wrote:
On 2/17/10, Mark Thomas ma...@apache.org wrote:
On 17/02/2010 23:48, Kevin Mills wrote:
Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
On 2/17/10, Mark Thomas ma...@apache.org wrote:
Then you probably haven't got your config quite right. There are plenty
of things to go wrong with this but this definitely works - I was using
it just the other day.
We'll need to see:
- connector element from server.xml
- web.xml
On 18/02/2010 00:24, Kevin Mills wrote:
<snip/>
<servlet-mapping>
<servlet-name>MyServlet</servlet-name>
<url-pattern>/myServlet</url-pattern>
</servlet-mapping>
<snip/>
<security-constraint>
<web-resource-collection>
On 2/17/10, Mark Thomas ma...@apache.org wrote:
<snip/>
:-) Doesn't work, meaning I don't get prompted for my certificate.
I see my servlet's output without any sort of authentication.
What URL are you requesting? Only index.jsp will prompt for a cert. Your
servlet will just require SSL to
On 18/02/2010 00:42, Kevin Mills wrote:
On 2/17/10, Mark Thomas ma...@apache.org wrote:
<snip/>
:-) Doesn't work, meaning I don't get prompted for my certificate.
I see my servlet's output without any sort of authentication.
What URL are you requesting? Only index.jsp will prompt for a cert.
On 2/17/10, Mark Thomas ma...@apache.org wrote:
The rules on how security constraints combine are in the Servlet spec.
It can take a bit of time to get your head around it.
To require a cert for your servlet too, one option would be:
<security-constraint>