RE: Question related to mutual authentication

2017-11-09 Thread Nicolas Therrien
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, November 9, 2017 11:16 AM
To: users@tomcat.apache.org
Subject: Re: Question related to mutual authentication

Mark,

On 11/9/17 5:02 AM, Mark Thomas wrote:
> On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien 
>  wrote:
> 
> 
> 
>> My understanding is that when "certificateVerification" is set to 
>> "required", the server would perform the same verification as the 
>> client does, that is:
>> 
>> 1) Verify the incoming certificate is signed by an authority that is 
>> part of the local truststore.
> 
> Correct.
> 
>> 2) Verify that the incoming certificate's common name matches the 
>> hostname of the peer we are communicating with.
> 
> Incorrect.
> 
> The client very is intended to prove the identity of the user, not the 
> host the happen to be using.

s/very/cert/

This is also very (sic) dependent upon the URL that the client is using to 
connect to the server. For example, if you move a certificate with cn=localhost 
between many servers and access it using https://localhost/ then you will never 
get any errors. Likewise, if you redefine the DNS name and keep the URL 
consistent, then you will also connect without any errors.

Since you wrote the client, you are ultimately responsible for performing 
hostname verification. If you use HttpsURLConnection or anything else 
built-into the JVM like that that uses SSLContext and friends, you should 
automatically get hostname verification unless you specifically take steps to 
disable it.

But if you are rolling your own connection code, you won't get that kind of 
protection.

-chris

--


Thanks to Christopher and Mark for your responses.  Much appreciated!

I understand now that when validating the client, we're validating the user, 
not a machine name. This makes sense.  I realize now that both server and 
client validation are dependent on the context and are not necessarily a 
foolproof guarantee of identity.

This question is now closed :)

Nicolas Therrien ing.
Senior Software Engineer

Airbus DS Communications
home of VESTA®
200 Boul. de la Technologie, Suite 300
Gatineau, QC J8Z 3H6
Canada
819.931.2139  (DIRECT)
www.Airbus-DSComm.com

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: OSCP support in tomcat-native (was OCSP)

2017-11-09 Thread Christopher Schultz

Coty,

On 11/9/17 12:19 PM, Coty Sutherland wrote:
> Hi,
> 
> I'm trying to determine whether or not we fully support OCSP in 
> tomcat-native 1.2.x on Linux. There isn't any documentation about
> it other than some on the Downloads page that says it's
> experimental on Windows:
> 
> "The Windows binaries are available in two variants. a) Default.
> This is what people usually use. This version of library is
> included in Apache Tomcat distributions. b) OCSP-enabled. This one
> has enabled (experimental) support for verification of client SSL
> certificates via OCSP protocol (45392)."
> 
> I see that it's enabled by default when building Linux, but for 
> Windows you have to enable it in the build.
> 
> Can anyone help me out here?

Without reading anything at all (from memory), I believe it all has to
do with how OpenSSL itself was built.

The reason we are mum on *NIX is because the consumer is expected to
provide their own OpenSSL library, while the Windows build comes from
us with a statically-linked OpenSSL (with or without OCSP compiled-in).

-chris




OCSP support in tomcat-native

2017-11-09 Thread Coty Sutherland
Hi,

I'm trying to determine whether or not we fully support OCSP in
tomcat-native 1.2.x on Linux. There isn't any documentation about it
other than some on the Downloads page that says it's experimental on
Windows:

"The Windows binaries are available in two variants. a) Default. This
is what people usually use. This version of library is included in
Apache Tomcat distributions. b) OCSP-enabled. This one has enabled
(experimental) support for verification of client SSL certificates via
OCSP protocol (45392)."

I see that it's enabled by default when building Linux, but for
Windows you have to enable it in the build.

Can anyone help me out here?



Thanks,
Coty




Re: stopping scanning of TLDs

2017-11-09 Thread Christopher Schultz

Ray,

On 11/8/17 3:51 PM, Ray Holme wrote:
> this makes it easy in linux or mac land
>
> for i in *.jar; do echo scanning $i; jar tf $i | grep "\.tld"; sleep 1; done

I'd change that to:

$ for i in *.jar; do echo scanning $i; unzip -l "$i" | grep -i "\.tld"; done

Changes:

1. Use unzip instead of jar. It's much faster.
2. Quote "$i", in case the filename contains (*shudder*) spaces
3. Use -i switch with grep, in case the filename happens to be TAGLIB.TLD

-chris

> 
> Ray,
> 
> On 11/8/17 11:24 AM, Ray Holme wrote:
>> In a prior post, I asked if there was a way to see if a jar uses
>> a tag library. Chris responded - look for ".tld" in the files.
> 
> To clarify, I was responding to a question as to whether a JAR
> file *contained* a tag library, not that it used one. Big
> difference.
> 
>> So I looked (turns out ecj.. has no ".tld"):
>> $ grep "tld" *.jar
>> Binary file catalina-storeconfig.jar matches
>> Binary file ecj-4.6.1.jar matches
>> Binary file tomcat-util-scan.jar matches
> 
> I agree with Chris Cheshire: check the ZIP contents list and not a 
> binary check. Though the ZIP filenames are stored (mostly) in the 
> clear, it's possible that you might get unlucky. Also make sure
> you use a case-insensitive check.
> 
>> I am just trying to find a reliable way to see if there is TAG 
>> library.
> 
> Searching for .tld files ought to do it.
> 
> Have you found a case where this *didn't* work?
> 
> -chris




Re: Question related to mutual authentication

2017-11-09 Thread Christopher Schultz

Mark,

On 11/9/17 5:02 AM, Mark Thomas wrote:
> On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien
>  wrote:
> 
> 
> 
>> My understanding is that when "certificateVerification" is set
>> to "required", the server would perform the same verification as
>> the client does, that is:
>> 
>> 1) Verify the incoming certificate is signed by an authority that
>> is part of the local truststore.
> 
> Correct.
> 
>> 2) Verify that the incoming certificate's common name matches
>> the hostname of the peer we are communicating with.
> 
> Incorrect.
> 
> The client very is intended to prove the identity of the user, not
> the host the happen to be using.

s/very/cert/

This is also very (sic) dependent upon the URL that the client is
using to connect to the server. For example, if you move a certificate
with cn=localhost between many servers and access it using
https://localhost/ then you will never get any errors. Likewise, if
you redefine the DNS name and keep the URL consistent, then you will
also connect without any errors.

Since you wrote the client, you are ultimately responsible for
performing hostname verification. If you use HttpsURLConnection or
anything else built-into the JVM like that that uses SSLContext and
friends, you should automatically get hostname verification unless you
specifically take steps to disable it.

But if you are rolling your own connection code, you won't get that
kind of protection.

-chris

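The distinction Chris draws above (chain validation versus hostname verification, and the fact that hand-rolled socket code gets only the former) in Java, added here as an example; it is not code from the thread or from Tomcat. Both methods use the JVM's default SSLContext, so the server chain is checked against the default truststore either way; only the second one also asks JSSE to match the certificate against the host that was dialled, which is the check HttpsURLConnection performs on its own. The class name HostnameVerificationDemo and the localhost:8443 defaults are my choices. To present a client certificate, as the mutual-authentication setup in this thread requires, point the standard javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties at the client keystore; the default SSLContext reads them.

```java
import java.io.IOException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (hypothetical class, not Tomcat code): the two halves of
 *  server verification on a raw SSLSocket. */
public final class HostnameVerificationDemo {

    /** Hand-rolled client code as it is usually written: the server's chain
     *  is validated against the truststore, but nothing checks that the
     *  certificate names `host`. A valid certificate for any name, e.g. the
     *  cn=localhost one moved between servers, is accepted here. */
    static SSLSocket connectChainCheckOnly(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    /** Same socket with endpoint identification switched on. "HTTPS" selects
     *  the RFC 2818 rules (subjectAltName dNSName entries, CN as fallback),
     *  matched against the host passed to createSocket. The handshake now
     *  fails with an SSLHandshakeException when the names do not match. */
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    /** Connects with the hostname check and reports the outcome; returns true
     *  only if the server proved it holds a trusted certificate for `host`. */
    static boolean serverIdentityMatches(String host, int port) throws IOException {
        try (SSLSocket socket = connectWithHostnameCheck(host, port)) {
            // The peer principal is the certificate's subject, i.e. who it
            // claims to be; the handshake has already tied it to `host`.
            System.out.println("peer subject: " + socket.getSession().getPeerPrincipal());
            return true;
        } catch (SSLHandshakeException e) {
            // Either an untrusted chain or a name mismatch; the message says which.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "localhost";            // assumed default
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;   // assumed default
        System.out.println(host + ":" + port + " -> " + serverIdentityMatches(host, port));
    }
}
```

Against a Tomcat connector whose certificate was issued for another name, `connectChainCheckOnly` succeeds and `serverIdentityMatches` returns false; that gap is exactly what separates rolling your own connection code from using HttpsURLConnection.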



Re: Configuring DIGEST auth for manager

2017-11-09 Thread Christopher Schultz

Philippe,

On 11/8/17 4:19 PM, Philippe Mouawad wrote:
> Any feedback on this ?

Yep. Two days ago.

-chris

> On Sun, Nov 5, 2017 at 9:16 PM, Philippe Mouawad < 
> p.moua...@ubik-ingenierie.com> wrote:
> 
>> Hello, I am having issues making Digest auth work in Tomcat
>> 8.5.23 for manager application.
>> 
>> I have done the following:
>> 
>> 1) Edit server.xml and have set MessageDigestCredentialHandler
>> with SHA-256
>> 
>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>          resourceName="UserDatabase">
>>     <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>>                        algorithm="SHA-256" />
>>   </Realm>
>> </Realm>
>> 
>> 2) Generated password using: ./digest.sh -a SHA-256 -h
>> org.apache.catalina.realm.MessageDigestCredentialHandler -i 1 -s
>> 0 password1234
>> 
>> I also tried : ./digest.sh -a SHA-256 -h
>> org.apache.catalina.realm.MessageDigestCredentialHandler -i 1 -s
>> 0 tomcat:UserDatabase:password1234
>> 
>> 3) Set the last part of password following "password1234:" in 
>> tomcat-users.xml
>> 
>> <role rolename="admin"/>
>> <user username="tomcat"
>>       password="b9c950640e1b3740e98acb93e669c65766f6670dd1609ba91ff41052ba48c6f3"
>>       roles="manager-gui,admin,manager"/>
>> 
>> 4) Edit /webapps/manager/WEB-INF/web.xml
>> 
>> <login-config>
>>   <auth-method>DIGEST</auth-method>
>>   <realm-name>UserDatabase</realm-name>
>> </login-config>
>> 
>> I then try to login to http://localhost:8080/manager/html and
>> enter admin and password1234 it fails.
>> 
>> There must be something I am missing.
>> 
>> Sorry if I misread some documentation or if my question is
>> stupid, these are the docs I have seen:
>> - https://tomcat.apache.org/tomcat-8.5-doc/config/credentialhandler.html#MessageDigestCredentialHandler
>> Note the start of this part is not that clear for me. I think my format is
>> salt$iterationCount$encodedCredential - a hex encoded salt,
>> iteration code and a hex encoded credential, each separated by $
>> 
>> I have also tried solutions described here without success:
>> - http://www.techpaste.com/2013/05/enable-password-encryption-policy-tomcat-7/
>> - https://stackoverflow.com/questions/39967289/how-to-use-digest-authentication-in-tomcat-8-5
>> - https://stackoverflow.com/questions/2978884/tomcat-digest-with-manager-webapp
>> 
>> Regards Philippe
>> 
> 
> 
> 

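An added example, not Tomcat's own CredentialHandler code, that produces and checks the salt$iterationCount$encodedCredential form described in the CredentialHandler docs quoted in the thread, using the SHA-256 algorithm and the password1234 value from the thread as constructed input. The class name and the digest order (SHA-256 over the salt followed by the password, re-digested iterationCount-1 times, salt and digest written as lowercase hex) are my assumptions: the quoted docs give only the layout, so compare this class's output with what digest.sh prints for the installed Tomcat version before copying a value into tomcat-users.xml.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/** Added example (hypothetical class, not Tomcat code): builds and verifies a
 *  hex(salt)$iterations$hex(digest) credential. */
public final class SaltedDigestCredential {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0xf]).append(HEX[b & 0xf]);
        }
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Assumed scheme: H(salt || password), then digest-of-digest for the
     *  remaining iterations. */
    static byte[] digest(String algorithm, byte[] salt, int iterations, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = md.digest();
        for (int i = 1; i < iterations; i++) {
            md.reset();
            out = md.digest(out);
        }
        return out;
    }

    /** Stored form for the password attribute. With saltLength 0 and
     *  iterations 1, which is what "-s 0 -i 1" in the thread asks for, only
     *  the bare hex digest is written, matching the 64-hex value posted. */
    static String encode(String algorithm, int saltLength, int iterations, String password)
            throws NoSuchAlgorithmException {
        byte[] salt = new byte[saltLength];
        new SecureRandom().nextBytes(salt);
        String credential = toHex(digest(algorithm, salt, iterations, password));
        if (saltLength == 0 && iterations == 1) {
            return credential;
        }
        return toHex(salt) + "$" + iterations + "$" + credential;
    }

    /** Parses either stored form and compares the digests in constant time.
     *  Anything that is not a bare digest or exactly three $-separated
     *  fields is rejected rather than guessed at. */
    static boolean verify(String algorithm, String stored, String password)
            throws NoSuchAlgorithmException {
        byte[] salt = new byte[0];
        int iterations = 1;
        String credential = stored;
        int first = stored.indexOf('$');
        if (first >= 0) {
            int second = stored.indexOf('$', first + 1);
            if (second < 0 || stored.indexOf('$', second + 1) >= 0) {
                return false;
            }
            try {
                salt = fromHex(stored.substring(0, first));
                iterations = Integer.parseInt(stored.substring(first + 1, second));
            } catch (NumberFormatException e) {
                return false;
            }
            credential = stored.substring(second + 1);
        }
        byte[] expected;
        try {
            expected = fromHex(credential);
        } catch (NumberFormatException e) {
            return false;
        }
        byte[] actual = digest(algorithm, salt, iterations, password);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample: 16-byte salt, 100000 iterations, the thread's password.
        String stored = encode("SHA-256", 16, 100000, "password1234");
        System.out.println("password=\"" + stored + "\"");
        System.out.println("correct password accepted: " + verify("SHA-256", stored, "password1234"));
        System.out.println("wrong password rejected:   " + !verify("SHA-256", stored, "Password1234"));
    }
}
```

The salt length and iteration count correspond to the -s and -i switches of digest.sh used in the thread; the -s 0 -i 1 combination yields an unsalted single SHA-256, which this class reproduces as the bare-digest branch of encode.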



Re: Question related to mutual authentication

2017-11-09 Thread Mark Thomas
On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien 
 wrote:



>My understanding is that when "certificateVerification" is set to
>"required", the server would perform the same verification as the
>client does, that is:
>
>1) Verify the incoming certificate is signed by an authority that is
>part of the local truststore.

Correct.

>2) Verify that the incoming certificate's common name matches the
>hostname of the peer we are communicating with.

Incorrect.

The client cert is intended to prove the identity of the user, not the host they 
happen to be using.

Mark





Re: non www to www URL Rewrite

2017-11-09 Thread RAVIRAJ SHAH
Hi Andre,

Thanks for the quick reply.
Yes, it is pointing to the same public IP.

Thanks,
Raviraj



Thanks & Regards,
Raviraj Shah


On 8 November 2017 at 22:50, André Warnier (tomcat)  wrote:

> On 08.11.2017 17:35, RAVIRAJ SHAH wrote:
>
>> Sorry for my language
>> my query with example
>>
>> Let's say my website domain is "example.com"
>> Now I want to redirect "example.com" to "www.example.com"
>> Kindly share how I can achieve it
>>
>
> Well first, you need the 2 entries in the DNS server for "example.com".
> You need :
> example.com --> public Internet IP address of your server (A)
> www.example.com --> public  Internet IP address of your server (B)
>
> and A == B
>
> otherwise it will never work.
> Do you have that ?
>
> You can check this by getting a command-line window somewhere and entering
> :
> nslookup example.com
> nslookup www.example.com
> and both should give the same IP address.
>
>
>
>
>
>> On Wed, Nov 8, 2017, 19:08 André Warnier (tomcat)  wrote:
>>
>>> On 08.11.2017 14:30, RAVIRAJ SHAH wrote:
>>>
>>>> Anybody please help
>>>
>>> I think that you first try to communicate more clearly what you want to
>>> achieve.
>>> "redirect non-www URL to www URL only"
>>> does not appear to make much sense.
>>>
>>> Also please send your message to the list as *plain text*, not html.
>>> It will make it easier to read configuration lines below which look like
>>> URL's.
>>>
>>>> On Tue, Nov 7, 2017, 12:00 RAVIRAJ SHAH 
>>>> wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> Kindly request you to help to resolve this issue
>>>>>
>>>>> Problem Statement :
>>>>> we want to redirect non-www URL to www URL only
>>>>>
>>>>> Current setup :
>>>>>
>>>>> Defined rewrite valve in server.xml as below
>>>>>
>>>>> [Host element with autoDeploy="true" wrapping the rewrite Valve element;
>>>>> the tags were stripped by the list archive]
>>>>>
>>>>> Created rewrite.config file in ../conf/Catalina//
>>>>>
>>>>> RewriteCond %{HTTP_HOST} !^(.*)\.yourdomain\.com$ [NC]
>>>>> RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]
>>>>>
>>>>> kindly do needful
>>>>>
>>>>> Thanks & Regards,
>>>>> Raviraj Shah
>>>>>