Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server

2018-02-01 Thread Christopher Schultz

Indunil,

On 2/1/18 7:33 AM, Indunil Rathnayake wrote:
> I have configured a Tomcat connector for handling requests for a
> particular servlet and have configured a trust store for the
> connector. Does anyone know whether Tomcat handles validation of "Key
> Usage" and "Extended Key Usage" extensions in client certificates?
> And how is it handled through Tomcat (is it through the Tomcat
> connector)?
> 
> Appreciate your help on this.

Are you interested in making sure that Tomcat verifies that the
certificate is e.g. allowed to be used for TLS client authentication?

I'm fairly sure Tomcat does not currently verify any of the key-usage
fields on a certificate. The assumption is that if a trusted CA
doesn't think a key should be used for authentication, then the CA
should not sign that certificate.

But it's reasonable to imagine a scenario where a code-signing
certificate signed by a CA could be "illegally" used as a TLS client
certificate, and in that case, Tomcat would allow the handshake.

It seems reasonable for Tomcat to verify that any "critical" key-use
extensions are respected, and perhaps even some non-critical ones.

Is this what you had in mind?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
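Chris's scenario above (a CA-signed code-signing certificate presented as a TLS client certificate, and the handshake succeeding because nothing looks at the usage extensions) can be closed at the application side even if Tomcat itself does not check. The following is an added example, not Tomcat code and not from this thread: a wrapping X509TrustManager that lets the real trust manager do chain building and CA validation first, and then refuses the leaf certificate if its Key Usage extension is present without digitalSignature, or its Extended Key Usage extension is present without id-kp-clientAuth (or anyExtendedKeyUsage). The `enforceNonCritical` flag follows Chris's distinction: with it off, only extensions marked critical are enforced. The class name, the `wrap` helper and the `main` file check are mine; the OIDs are the RFC 5280 values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical wrapper (not part of Tomcat): delegates chain validation to the
 * real trust manager, then enforces Key Usage / Extended Key Usage on the
 * client's end-entity certificate.
 */
public final class ClientAuthUsageTrustManager implements X509TrustManager {
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_EXT_KEY_USAGE = "2.5.29.37";
    private static final String EKU_ANY = "2.5.29.37.0";               // anyExtendedKeyUsage
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    private static final int KU_DIGITAL_SIGNATURE = 0;                 // bit index in getKeyUsage()

    private final X509TrustManager delegate;
    private final boolean enforceNonCritical;

    public ClientAuthUsageTrustManager(X509TrustManager delegate, boolean enforceNonCritical) {
        this.delegate = delegate;
        this.enforceNonCritical = enforceNonCritical;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        delegate.checkClientTrusted(chain, authType); // CA trust and chain validation, as before
        checkClientAuthUsage(chain[0], enforceNonCritical); // chain[0] is the end-entity certificate
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Rejects a leaf certificate whose usage extensions say the key is not for TLS client auth. */
    static void checkClientAuthUsage(X509Certificate leaf, boolean enforceNonCritical) throws CertificateException {
        Set<String> critical = leaf.getCriticalExtensionOIDs(); // null when no extension is critical

        // Key Usage: TLS client authentication with RSA/ECDSA keys signs CertificateVerify,
        // so digitalSignature is the bit that matters. getKeyUsage() is null if the extension is absent.
        boolean[] ku = leaf.getKeyUsage();
        if (ku != null && (enforceNonCritical || isCritical(critical, OID_KEY_USAGE))) {
            if (ku.length <= KU_DIGITAL_SIGNATURE || !ku[KU_DIGITAL_SIGNATURE]) {
                throw new CertificateException("Key Usage lacks digitalSignature: " + leaf.getSubjectX500Principal());
            }
        }

        // Extended Key Usage: a code-signing-only certificate carries id-kp-codeSigning here
        // and neither id-kp-clientAuth nor anyExtendedKeyUsage, so it is rejected.
        List<String> eku;
        try {
            eku = leaf.getExtendedKeyUsage(); // null if the extension is absent
        } catch (CertificateParsingException e) {
            throw new CertificateException("Unparseable Extended Key Usage extension", e);
        }
        if (eku != null && (enforceNonCritical || isCritical(critical, OID_EXT_KEY_USAGE))) {
            if (!eku.contains(EKU_CLIENT_AUTH) && !eku.contains(EKU_ANY)) {
                throw new CertificateException("Extended Key Usage does not permit clientAuth: " + eku);
            }
        }
    }

    private static boolean isCritical(Set<String> critical, String oid) {
        return critical != null && critical.contains(oid);
    }

    /** Wraps every X509TrustManager returned by a TrustManagerFactory. */
    public static TrustManager[] wrap(TrustManager[] managers, boolean enforceNonCritical) {
        TrustManager[] out = managers.clone();
        for (int i = 0; i < out.length; i++) {
            if (out[i] instanceof X509TrustManager) {
                out[i] = new ClientAuthUsageTrustManager((X509TrustManager) out[i], enforceNonCritical);
            }
        }
        return out;
    }

    /** Stand-alone check of one PEM or DER certificate file: java ClientAuthUsageTrustManager cert.pem */
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            checkClientAuthUsage(cert, true);
            System.out.println("OK: " + cert.getSubjectX500Principal() + " may be used for TLS client authentication");
        }
    }
}
```

The usage check deliberately runs after the delegate, so an untrusted certificate is still reported as untrusted rather than as a usage problem. With `enforceNonCritical` set to true the check is stricter than RFC 5280 requires of a relying party, which matches the stance in the reply above that even non-critical usage extensions are worth honouring for client authentication. When wiring a custom trust manager into Tomcat rather than into your own SSLContext, the wrapper would have to construct its delegate itself, since Tomcat instantiates a configured trust manager class with a zero-argument constructor.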



Re: database pool and minIdle support in 8

2018-02-01 Thread Christopher Schultz

Pawel,

On 2/1/18 6:08 PM, Pawel Veselov wrote:
> On Thu, Feb 1, 2018 at 1:02 PM, Mark Thomas 
> wrote:
>> On 01/02/18 20:57, Pawel Veselov wrote:
>>> Hello.
>>> 
>>> It looks like in Tomcat 8 (looking at master's HEAD), the
>>> minIdle support is broken. According to the docs, minIdle is supposed
>>> to do: "The minimum number of established connections that
>>> should be kept in the pool at all times. The connection pool
>>> can shrink below this number if validation queries fail."
>>> 
>>> I see that pool cleaner thread checks if the minIdle is *less*
>>> than pool size, and only then invokes checkIdle(). checkIdle()
>>> then will remove(!) connections from idle pool until the value
>>> drops down to minIdle. But I don't see any code that will add
>>> connections when minIdle is not met, and the documentation
>>> suggests that that's the intent.
>>> 
>>> Am I misunderstanding something? Is there a way to keep a level
>>> of connections in the pool? I don't want to have initialSize
>>> control that, as I need it at 0, to prevent failures during
>>> pool initialization...
>> But that is what initial size is for.
> 
> Indisputably so. However, that would be the only other way to
> achieve this, as long as the database connections don't die.

What is the problem with failures during pool initialization? If you
don't want the pool to make initialSize connections when it starts,
when DO you want the pool to create those connections? During the
first "cleaning"?

-chris



Re: tomcat web-inf/lib and soft links, how to make them live happy

2018-02-01 Thread Christopher Schultz

Narahari,

On 2/1/18 5:07 PM, Narahari 'n' Savitha wrote:
> I think I found the solution.  Putting it here for completeness.
> 
> In the $CATALINA_BASE/conf/context.xml file add the following to
> the Context tag aka
> 
> It looked like this before  sessionCookieName="JSESSIONID_PAAS" swallowOutput="true" 
> useHttpOnly="true" >
> 
> and now it looks like
> 
>  swallowOutput="true" useHttpOnly="true" >
> 
> See that allowLinking attribute.  Once I set it up, I am good to
> go.

Why not simply bundle the JAR file with your application?

-chris



Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server

2018-02-01 Thread Christopher Schultz

Indunil,

On 2/1/18 6:15 PM, Indunil Rathnayake wrote:
> Adding Chris

There's no need to specifically CC list members.

-chris

> On 1 February 2018 at 18:03, Indunil Rathnayake
>  wrote:
> 
>> Hi,
>> 
>> I have configured a Tomcat connector for handling requests for a
>> particular servlet and have configured a trust store for the
>> connector. Does anyone know whether Tomcat handles validation of "Key
>> Usage" and "Extended Key Usage" extensions in client
>> certificates? And how is it handled through Tomcat (is it through
>> the Tomcat connector)?
>> 
>> Appreciate your help on this.
>> 
>> Thanks and Regards
>> 
>> --
>> 
>> *Indunil Rathnayake *
>> 
>> *Faculty of Information Technology*
>> 
>> *University of Moratuwa.*
>> 
>> 
> 
> 



Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server

2018-02-01 Thread Indunil Rathnayake
Adding Chris

On 1 February 2018 at 18:03, Indunil Rathnayake 
wrote:

> Hi,
>
> I have configured a Tomcat connector for handling requests for a
> particular servlet and have configured a trust store for the connector.
> Does anyone know whether Tomcat handles validation of "Key Usage" and "Extended
> Key Usage" extensions in client certificates? And how is it handled through
> Tomcat (is it through the Tomcat connector)?
>
> Appreciate your help on this.
>
> Thanks and Regards
>
> --
>
> *Indunil Rathnayake *
>
> *Faculty of Information Technology*
>
> *University of Moratuwa.*
>
>


-- 

*Indunil Rathnayake *

*Faculty of Information Technology*

*University of Moratuwa.*

Email : *indunil@gmail.com * | Skype: indu.upeksha
| Mobile : (+94)713695179  | Twitter @indunilUR |

LinkedIn: http://lk.linkedin.com/in/indunil

|  Facebook
: https://www.facebook.com/indunilrathnayake80


Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server

2018-02-01 Thread Indunil Rathnayake
Hi Chris,

On 1 February 2018 at 20:25, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Indunil,
>
> On 2/1/18 7:29 AM, Indunil Rathnayake wrote:
> > I have configured a Tomcat connector for handling requests for a
> > particular servlet and have configured a trust store for the
> > connector. Does anyone know whether Tomcat handles validation of "Key
> > Usage" and "Extended Key Usage" extensions in client certificates?
> > And how is it handled through Tomcat (is it through the Tomcat
> > connector)?
> >
> > Appreciate your help on this.
>
> This is a question better-asked on the users' list. Cross-posting to
> move the discussion there.
>

Thanks. I have already sent a mail to the users' list as well. Please
check. Really appreciate your help on this.


>
> -chris


-- 

*Indunil Rathnayake *

*Faculty of Information Technology*

*University of Moratuwa.*


Re: database pool and minIdle support in 8

2018-02-01 Thread Pawel Veselov
On Thu, Feb 1, 2018 at 1:02 PM, Mark Thomas  wrote:
> On 01/02/18 20:57, Pawel Veselov wrote:
>> Hello.
>>
>> It looks like in Tomcat 8 (looking at master's HEAD), the minIdle
>> support is broken. According to the docs, minIdle is supposed to do: "The
>> minimum number of established connections that should be kept in the
>> pool at all times. The connection pool can shrink below this number if
>> validation queries fail."
>>
>> I see that pool cleaner thread checks if the minIdle is *less* than
>> pool size, and only then invokes checkIdle(). checkIdle() then will
>> remove(!) connections from idle pool until the value drops down to
>> minIdle. But I don't see any code that will add connections when
>> minIdle is not met, and the documentation suggests that that's the
>> intent.
>>
>> Am I misunderstanding something? Is there a way to keep a level of
>> connections in the pool? I don't want to have initialSize control
>> that, as I need it at 0, to prevent failures during pool
>> initialization...
> But that is what initial size is for.

Indisputably so. However, that would be the only other way to achieve
this, as long as the database connections don't die.




Re: tomcat web-inf/lib and soft links, how to make them live happy

2018-02-01 Thread Narahari 'n' Savitha
I think I found the solution.  Putting it here for completeness.

In the $CATALINA_BASE/conf/context.xml file add the following to the
Context tag aka

It looked like this before


and now it looks like



See that allowLinking attribute.  Once I set it up, I am good to go.

-Narahari



On Thu, Feb 1, 2018 at 4:35 PM, Narahari 'n' Savitha 
wrote:

> Friends:
>
> I am sure the experts here have stumbled on this.  So please help.
>
> I have an app where I have
>
> myapp
>|_WEB-INF/lib/gson-2.3.1.jar
>
> When I start tomcat it works fine.
>
> Now I do this
>
> cd  webapps/myapp/WEB-INF/lib
>
> ln -s ../../../thejars/gson-2.3.1.jar gson-2.3.1.jar
>
> I then restart tomcat and the error comes up like this
>
> java.io.IOException: Failed to access resource /WEB-INF/lib/gson-2.3.1.jar
>
> so if I do a SOFT link in Linux the app won't start.
>
> On the other hand if I do a HARD link the app comes up fine.
>
> Any ideas ?
>
>


tomcat web-inf/lib and soft links, how to make them live happy

2018-02-01 Thread Narahari 'n' Savitha
Friends:

I am sure the experts here have stumbled on this.  So please help.

I have an app where I have

myapp
   |_WEB-INF/lib/gson-2.3.1.jar

When I start tomcat it works fine.

Now I do this

cd  webapps/myapp/WEB-INF/lib

ln -s ../../../thejars/gson-2.3.1.jar gson-2.3.1.jar

I then restart tomcat and the error comes up like this

java.io.IOException: Failed to access resource /WEB-INF/lib/gson-2.3.1.jar

so if I do a SOFT link in Linux the app won't start.

On the other hand if I do a HARD link the app comes up fine.

Any ideas ?


Re: database pool and minIdle support in 8

2018-02-01 Thread Mark Thomas
On 01/02/18 20:57, Pawel Veselov wrote:
> Hello.
> 
> It looks like in Tomcat 8 (looking at master's HEAD), the minIdle
> support is broken. According to the docs, minIdle is supposed to do: "The
> minimum number of established connections that should be kept in the
> pool at all times. The connection pool can shrink below this number if
> validation queries fail."
> 
> I see that pool cleaner thread checks if the minIdle is *less* than
> pool size, and only then invokes checkIdle(). checkIdle() then will
> remove(!) connections from idle pool until the value drops down to
> minIdle. But I don't see any code that will add connections when
> minIdle is not met, and the documentation suggests that that's the
> intent.
> 
> Am I misunderstanding something? Is there a way to keep a level of
> connections in the pool? I don't want to have initialSize control
> that, as I need it at 0, to prevent failures during pool
> initialization...

But that is what initial size is for.

Mark




database pool and minIdle support in 8

2018-02-01 Thread Pawel Veselov
Hello.

It looks like in Tomcat 8 (looking at master's HEAD), the minIdle
support is broken. According to the docs, minIdle is supposed to do: "The
minimum number of established connections that should be kept in the
pool at all times. The connection pool can shrink below this number if
validation queries fail."

I see that pool cleaner thread checks if the minIdle is *less* than
pool size, and only then invokes checkIdle(). checkIdle() then will
remove(!) connections from idle pool until the value drops down to
minIdle. But I don't see any code that will add connections when
minIdle is not met, and the documentation suggests that that's the
intent.

Am I misunderstanding something? Is there a way to keep a level of
connections in the pool? I don't want to have initialSize control
that, as I need it at 0, to prevent failures during pool
initialization...

Thank you,
  Pawel.




Re: Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server

2018-02-01 Thread Christopher Schultz

Indunil,

On 2/1/18 7:29 AM, Indunil Rathnayake wrote:
> I have configured a Tomcat connector for handling requests for a
> particular servlet and have configured a trust store for the
> connector. Does anyone know whether Tomcat handles validation of "Key
> Usage" and "Extended Key Usage" extensions in client certificates?
> And how is it handled through Tomcat (is it through the Tomcat
> connector)?
> 
> Appreciate your help on this.

This is a question better-asked on the users' list. Cross-posting to
move the discussion there.

-chris



Mutual SSL client certificate validation(Key Usage and Extended Key Usage) in tomcat server

2018-02-01 Thread Indunil Rathnayake
Hi,

I have configured a Tomcat connector for handling requests for a particular
servlet and have configured a trust store for the connector. Does anyone know
whether Tomcat handles validation of "Key Usage" and "Extended Key Usage"
extensions in client certificates? And how is it handled through Tomcat (is
it through the Tomcat connector)?

Appreciate your help on this.

Thanks and Regards

-- 

*Indunil Rathnayake *

*Faculty of Information Technology*

*University of Moratuwa.*


Re: Questions about JSSEUtil#getKeyManagers

2018-02-01 Thread Nitkalya Wiriyanuparb (Ing)
On 24 Jan 2018, 10:19 PM +1300, Nitkalya Wiriyanuparb (Ing) 
, wrote:

>
> On 24 Jan 2018, 9:45 PM +1300, Mark Thomas , wrote:
> > On 23/01/18 02:57, Nitkalya (Ing) Wiriyanuparb wrote:
> > > Hi all,
> > >
> > > I'm on Java 8 and Tomcat 8.5.26 (built from tag) moving from 7.0.41.
> > >
> > > I have a little problem with how JSSEUtil#getKeyManagers creates key
> > > managers. This essentially causes Tomcat to sometimes serves an incorrect
> > > server certificate chain during ServerHello.
> > > -Djavax.net.debug=all gave me a clue as it printed out multiple "matching
> > > alias", so I believe it's because the key manager (and key store) returned
> > > from that method doesn't contain only one key. From what I see, when
> > > switching to in-memory key store getKeyManagers creates a new key store of
> > > the configured type, calls setKeyEntry and expects the new key store to
> > > have only this one key in it.
> > >
> > > Note that we have our own implementation of the key store, but please bear
> > > with me.
> > >
> > > I'm also aware of this following bit of documentation and I suspect that
> > > the second sentence is very much related to my problem here. I'm also sure
> > > the certificateKeyAlias is set correctly and SSLHostConfigCertificate has
> > > all the expected values when I checked in debug mode.
> > >
> > > > The alias used for the server key and certificate in the keystore. If 
> > > > not
> > > specified, the first key read from the keystore will be used. The order in
> > > which keys are read from the keystore is implementation dependent.
> > >
> > > We didn't have this problem in 7.0.41 because it's doing something less
> > > complex and eventually just creates a JSSEKeyManager with the expected key
> > > alias with the key store as a delegate – see
> > > https://github.com/apache/tomcat70/blob/TOMCAT_7_0_41/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L563
> > >
> > > But in 8.5,
> > > https://github.com/apache/tomcat85/blob/TOMCAT_8_5_26/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java#L267
> > > the identity comparison "ksUsed == ks" looks kind of weird to me as
> > > KeyStore.getInstance (at least in Oracle Java 8) always returns a new
> > > instance of KeyStore, so the checks will never be true (or will it?).
> >
> > Yes they will. As per the comment at line 255, non-PKCS#8 keystores will
> > use the original key store.
> >
> > > Ideally, I'd want to find a way to get into that if block so the end state
> > > is like in 7.0.41.
> > >
> > > As I mentioned, we have our own key store implementation and it always
> > > loads all keys it's supposed to know about so reassigning "ksUsed =
> > > KeyStore.getInstance..." doesn't make a difference for us – it actually
> > > makes it worse as without it "ksUsed == ks" would have been true.
> >
> > And there is the problem.
> >
> > Tomcat is jumping through quite a few hoops to handle various use cases:
> > - PEM encoded keys
> > - keystores with multiple keys each with their own password
> >
> > That last one is the cause of most of the trouble. Key stores allow this
> > but the KeyManagerFactory API doesn't. This is why we now always create
> > the in-memory key store. When we do this, we can't just use JKS for the
> > in-memory key store type as that creates issues like BZ 61557.
> >
> > > We technically can just modify or introduce a new key store implementation
> > > to cater for Tomcat implementation – locally patching Tomcat to remove the
> > > identity check would work for us as well.
> > >
> > > Before doing that, am I missing something obvious? is reimplementing our
> > > key store the way to go here?
> >
> > I don't think you are missing anything obvious. We could look at adding
> > (even more) configuration options to separately control the type and
> > provider for the in-memory key store (assuming using JKS here would work
> > for you) but I'm a little concerned about how complex that code is getting.
> >
> I guess that’s another option. JKS would work for us. We have our own 
> implementation of in-memory key store that would also (almost) work if Tomcat 
> let us pick a different key store type for the in-memory store. But that 
> sounds a bit yucky as it's exposing an option for internal Tomcat 
> implementation.
>
> > I think I'd look at modifying your key store implementation but if that
> > is a lot of work, we can explore some additional configuration options
> > in Tomcat.
> The current easiest workaround for us is patching Tomcat internally as 
> mentioned (our application stack is pretty strict so we’re sure nothing will 
> be using a different key store). But if the current Tomcat implementation is 
> here to stay, I would prefer doing the right thing. I’ll discuss this with my 
> team and try creating another key store type for Tomcat as well.

Just to close this thread with our solution. We've created another KeyStore 
type that basically delegates to our main or