Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?
Martynas,

On 7/30/17 4:35 PM, Martynas Jusevičius wrote:
> Hey list,
>
> I need my webapp to accept all SSL client certificates and do its
> own validation.
>
> I'm upgrading server.xml from the JSSE SSL Connector which used
> clientAuth="want" and a custom trustManagerClassName in order to do
> that.
>
> The 8.5.16 docs indicate that this should be replaced with
> SSLHostConfig certificateVerification="optionalNoCA". I have done,
> and also using OpenSSL implementation now:
>
>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>                maxThreads="150" SSLEnabled="true">
>         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>         <SSLHostConfig certificateVerification="optionalNoCA">
>             <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
>                          certificateFile="/usr/local/ssl/tomcat.cert.pem"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
> However, I'm getting an exception that shows my client certificate
> is validated and rejected by Tomcat/OpenSSL:
>
> tomcat_1 | https-openssl-apr-8443-exec-3, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, called close()
> tomcat_1 | https-openssl-apr-8443-exec-3, called closeInternal(true)
>
> Am I missing something? certificateVerification="optional" exhibits
> the same behaviour.

Can you please post the complete stack trace?

You don't have a trust store configured. Is that intentional?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?
Actually I am using Tomcat on Docker: https://hub.docker.com/_/tomcat/

I do not really know the answer to your question :/

On Sun, 30 Jul 2017 at 23.12, Mark Thomas wrote:
> On 30/07/17 21:35, Martynas Jusevičius wrote:
> > Hey list,
> >
> > I need my webapp to accept all SSL client certificates and do its own
> > validation.
> >
> > I'm upgrading server.xml from the JSSE SSL Connector which used
> > clientAuth="want" and a custom trustManagerClassName in order to do that.
> >
> > The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
> > certificateVerification="optionalNoCA". I have done, and also using OpenSSL
> > implementation now:
> >
> >     <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
> >                maxThreads="150" SSLEnabled="true">
> >         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> >         <SSLHostConfig certificateVerification="optionalNoCA">
> >             <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
> >                          certificateFile="/usr/local/ssl/tomcat.cert.pem"
> >                          type="RSA" />
> >         </SSLHostConfig>
> >     </Connector>
> >
> > However, I'm getting an exception that shows my client certificate is
> > validated and rejected by Tomcat/OpenSSL:
> >
> > tomcat_1 | https-openssl-apr-8443-exec-3, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > tomcat_1 | https-openssl-apr-8443-exec-3, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > tomcat_1 | https-openssl-apr-8443-exec-3, called close()
> > tomcat_1 | https-openssl-apr-8443-exec-3, called closeInternal(true)
> >
> > Am I missing something? certificateVerification="optional" exhibits the
> > same behaviour.
>
> How is your tomcat-native binary built? If it has been built with OCSP
> support then neither of the optional verification options will work
> since OCSP validation will always fail.
>
> Mark
Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?
On 30/07/17 21:35, Martynas Jusevičius wrote:
> Hey list,
>
> I need my webapp to accept all SSL client certificates and do its own
> validation.
>
> I'm upgrading server.xml from the JSSE SSL Connector which used
> clientAuth="want" and a custom trustManagerClassName in order to do that.
>
> The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
> certificateVerification="optionalNoCA". I have done, and also using OpenSSL
> implementation now:
>
>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>                maxThreads="150" SSLEnabled="true">
>         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>         <SSLHostConfig certificateVerification="optionalNoCA">
>             <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
>                          certificateFile="/usr/local/ssl/tomcat.cert.pem"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
> However, I'm getting an exception that shows my client certificate is
> validated and rejected by Tomcat/OpenSSL:
>
> tomcat_1 | https-openssl-apr-8443-exec-3, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, called close()
> tomcat_1 | https-openssl-apr-8443-exec-3, called closeInternal(true)
>
> Am I missing something? certificateVerification="optional" exhibits the
> same behaviour.

How is your tomcat-native binary built? If it has been built with OCSP
support then neither of the optional verification options will work
since OCSP validation will always fail.

Mark
[8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?
Hey list,

I need my webapp to accept all SSL client certificates and do its own
validation.

I'm upgrading server.xml from the JSSE SSL Connector which used
clientAuth="want" and a custom trustManagerClassName in order to do that.

The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
certificateVerification="optionalNoCA". I have done, and also using OpenSSL
implementation now:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig certificateVerification="optionalNoCA">
            <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
                         certificateFile="/usr/local/ssl/tomcat.cert.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

However, I'm getting an exception that shows my client certificate is
validated and rejected by Tomcat/OpenSSL:

tomcat_1 | https-openssl-apr-8443-exec-3, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
tomcat_1 | https-openssl-apr-8443-exec-3, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
tomcat_1 | https-openssl-apr-8443-exec-3, called close()
tomcat_1 | https-openssl-apr-8443-exec-3, called closeInternal(true)

Am I missing something? certificateVerification="optional" exhibits the
same behaviour.

Thanks.

Martynas
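As an added illustration (not code from this thread or from Tomcat itself), this is the webapp-side validation the original post describes: once certificateVerification="optionalNoCA" stops the container from checking the client chain, a servlet filter checks it against the application's own CA. It assumes Tomcat exposes the presented chain through the standard javax.servlet.request.X509Certificate request attribute, that a hypothetical clientCaFile init-param points at the trusted CA certificate in PEM form, and the 403-for-missing-or-untrusted policy is the example's own choice.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: under certificateVerification="optionalNoCA" the container
// no longer validates the client chain, so the webapp validates it here itself.
public class ClientCertFilter implements Filter {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private Set<TrustAnchor> anchors;
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-param "clientCaFile": PEM certificate of the CA the app trusts.
        try (InputStream in = new FileInputStream(cfg.getInitParameter("clientCaFile"))) {
            X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            anchors = Collections.singleton(new TrustAnchor(ca, null));
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load client CA", e);
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The chain the client presented, as exposed by Tomcat (unverified under optionalNoCA).
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0 || !isTrusted(certs)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    // PKIX validation (signatures, validity, constraints) against the app CA only.
    // Revocation is off so a missing OCSP responder cannot fail every request.
    boolean isTrusted(X509Certificate[] certs) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certs));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
    public void destroy() { }
}
```

Register the filter in web.xml (or with @WebFilter) on the paths that require a client certificate; the leaf certificate must be certs[0], which is the order Tomcat supplies.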