subject:"\[8.5.16\] SSLHostConfig certificateVerification=\"optionalNoCA\" ignored\?"

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

2017-07-31 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Martynas,

On 7/30/17 4:35 PM, Martynas Jusevičius wrote:
> Hey list,
> 
> I need my webapp to accept all SSL client certificates and do its
> own validation.
> 
> I'm upgrading server.xml from the JSSE SSL Connector which used 
> clientAuth="want" and a custom trustManagerClassName in order to do
> that.
> 
> The 8.5.16 docs indicate that this should be replaced with
> SSLHostConfig certificateVerification="optionalNoCA". I have done,
> and also using OpenSSL implementation now:
> 
>  protocol="org.apache.coyote.http11.Http11AprProtocol" 
> maxThreads="150" SSLEnabled="true" >  className="org.apache.coyote.http2.Http2Protocol" />  certificateVerification="optionalNoCA">  certificateKeyFile="/usr/local/ssl/tomcat.key.pem" 
> certificateFile="/usr/local/ssl/tomcat.cert.pem" type="RSA" /> 
>  
> 
> However, I'm getting an exception that shows my client certificate
> is validated and rejected by Tomcat/OpenSSL:
> 
> tomcat_1 | https-openssl-apr-8443-exec-3,
> handling exception: javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target 
> tomcat_1 | https-openssl-apr-8443-exec-3, 
> IOException in getSession():  javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target 
> tomcat_1 | https-openssl-apr-8443-exec-3,
> called close() tomcat_1 |
> https-openssl-apr-8443-exec-3, called closeInternal(true)
> 
> Am I missing something? certificateVerification="optional" exhibits
> the same behaviour.

Can you please post the complete stack trace?

You don't have a trust store configured. Is that intentional?

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZf3xgAAoJEBzwKT+lPKRY7aUP/AtH3vUr3BbkCEDh6xKPtbr/
uy0VLj2obvNa793kuv9l8bWa/GIZZCmcH3X8obmaOA3mgT0N5kFTgwsVLXJHymCg
bNI4LZl1ALJXvepxjz7+Ni4vgyjwybNEN2WE19qkJBjazK6hIRVvAb3YBvHS8F6D
BCNj1ZgmN28DzsbbkP+JQ6IfURBqKm11U/PYZ3hVmefSTvhL/OrclHHfr4gFVM9N
x5xGDZUVVtwvObQYSajyPylZ7t4EB72lzILGpiZ2jRARa9inpGRPQf0JbpzWBTxD
kRCWZ58hfvcYAUXOXCpa0NR1fQpSWUMi/oIR19pebr1hXiNNyXurIHtn5aowZlYm
054G9ynFWEd5cKYGxOv3QrG2GDNkdckUaQKfih7pu7rZ9v31dUkGv5G/tuUh79NP
J25l0p8oguUsK0cDmlS3obDcWTFipzig+l9GJtymp5JW9dPNKvCXJpAtZIl4Ldkh
RO97uYE5T8ax6/svNq7VHM/aJEUXFFccvrtx3EgOGVF2xEBMc2VyYZJfgytqWZsy
qBOQJVcR9O5xyVzboC7YFfSyyA/1TxKvCmjsI/C2Mq4mFFuhdXRy16DYuTiTtLaz
Z8SoxSDiUPt2u0hbQIAf5I2wYjgvF54sXd2IjE2ms+hS9JHah9p3WF1C6U/F+sUQ
962NiU9VCGVGmJuYHVLg
=XNGJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

2017-07-30 Thread Martynas Jusevičius

Actually I am using Tomcat on Docker:
https://hub.docker.com/_/tomcat/

I do not really know the answer to your question :/

On Sun, 30 Jul 2017 at 23.12, Mark Thomas  wrote:

> On 30/07/17 21:35, Martynas Jusevičius wrote:
> > Hey list,
> >
> > I need my webapp to accept all SSL client certificates and do its own
> > validation.
> >
> > I'm upgrading server.xml from the JSSE SSL Connector which used
> > clientAuth="want" and a custom trustManagerClassName in order to do that.
> >
> > The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
> > certificateVerification="optionalNoCA". I have done, and also using
> OpenSSL
> > implementation now:
> >
> >  > protocol="org.apache.coyote.http11.Http11AprProtocol"
> >maxThreads="150" SSLEnabled="true" >
> >  className="org.apache.coyote.http2.Http2Protocol"
> > />
> > 
> >  certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
> >  certificateFile="/usr/local/ssl/tomcat.cert.pem"
> >  type="RSA" />
> > 
> > 
> >
> > However, I'm getting an exception that shows my client certificate is
> > validated and rejected by Tomcat/OpenSSL:
> >
> > tomcat_1 | https-openssl-apr-8443-exec-3,
> handling
> > exception: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> > valid certification path to requested target
> > tomcat_1 | https-openssl-apr-8443-exec-3,
> > IOException in getSession():  javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> > valid certification path to requested target
> > tomcat_1 | https-openssl-apr-8443-exec-3, called
> > close()
> > tomcat_1 | https-openssl-apr-8443-exec-3, called
> > closeInternal(true)
> >
> > Am I missing something? certificateVerification="optional" exhibits the
> > same behaviour.
>
> How is your tomcat-native binary built? If it has been built with OCSP
> support then neither of the optional verification options will work
> since OCSP validation will always fail.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

2017-07-30 Thread Mark Thomas

On 30/07/17 21:35, Martynas Jusevičius wrote:
> Hey list,
> 
> I need my webapp to accept all SSL client certificates and do its own
> validation.
> 
> I'm upgrading server.xml from the JSSE SSL Connector which used
> clientAuth="want" and a custom trustManagerClassName in order to do that.
> 
> The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
> certificateVerification="optionalNoCA". I have done, and also using OpenSSL
> implementation now:
> 
>  protocol="org.apache.coyote.http11.Http11AprProtocol"
>maxThreads="150" SSLEnabled="true" >
>  />
> 
>   certificateFile="/usr/local/ssl/tomcat.cert.pem"
>  type="RSA" />
> 
> 
> 
> However, I'm getting an exception that shows my client certificate is
> validated and rejected by Tomcat/OpenSSL:
> 
> tomcat_1 | https-openssl-apr-8443-exec-3, handling
> exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3,
> IOException in getSession():  javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, called
> close()
> tomcat_1 | https-openssl-apr-8443-exec-3, called
> closeInternal(true)
> 
> Am I missing something? certificateVerification="optional" exhibits the
> same behaviour.

How is your tomcat-native binary built? If it has been built with OCSP
support then neither of the optional verification options will work
since OCSP validation will always fail.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

2017-07-30 Thread Martynas Jusevičius

Hey list,

I need my webapp to accept all SSL client certificates and do its own
validation.

I'm upgrading server.xml from the JSSE SSL Connector which used
clientAuth="want" and a custom trustManagerClassName in order to do that.

The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
certificateVerification="optionalNoCA". I have done, and also using OpenSSL
implementation now:








However, I'm getting an exception that shows my client certificate is
validated and rejected by Tomcat/OpenSSL:

tomcat_1 | https-openssl-apr-8443-exec-3, handling
exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
tomcat_1 | https-openssl-apr-8443-exec-3,
IOException in getSession():  javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
tomcat_1 | https-openssl-apr-8443-exec-3, called
close()
tomcat_1 | https-openssl-apr-8443-exec-3, called
closeInternal(true)

Am I missing something? certificateVerification="optional" exhibits the
same behaviour.

Thanks.

Martynas

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

[8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

4 matches

Site Navigation

Mail list logo

Footer information