Tomcat version: 8.5.14
OS: debian 9 (stretch)
Issues: If using SSLVerifyClient=optional, it seems to work (log attached,
assuming config is validated);
however when trying to use SSLVerifyClient=none, the browser complains
This site can’t provide a secure connection login-test.foo.com sent an
invalid response.
ERR_SSL_PROTOCOL_ERROR
When digging into tomcat log, the only clues as follows.
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
28-Aug-2019 18:16:38.091 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
.. wondering if anyone has any suggestion as how to debug the issues.
Thank you all in advance for your help.
Configuration:
1. web.xml
X509AuthHandler
net.shibboleth.idp.authn.impl.X509AuthServlet
3
X509AuthHandler
/Authn/X509
X509AuthHandler
/Authn/X509
CONFIDENTIAL
X509
CLIENT-CERT
2. server.xml
3. logging.properties
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
net.unicon.tomcat7.realm.level = ALL
net.unicon.tomcat7.realm.useParentHandlers = true
org.apache.coyote.http11.level = ALL
org.apache.coyote.http11.useParentHandlers = true
with -Djavax.net.debug=ssl
4. When SSLVerifyClient=none is specified in Connector, got the following
in the browser,
This site can’t provide a secure connection login-test.foo.com sent an
invalid response.
ERR_SSL_PROTOCOL_ERROR
and in the catalina log,
28-Aug-2019 18:16:38.089 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine Received [GET
/idp/Authn/X509?conversation=e1s1 HTTP/1.1
Host: login-test.foo.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
DNT: 1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,mt;q=0.6,zh-TW;q=0.5
Cookie: JSESSIONID=70B72EE82D09700707565E884DB1E3C5.jvm1; x509passthrough=1
]
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
checking request GET /idp/Authn/X509
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[X509AuthHandler]' against GET /Authn/X509
--> true
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Automatic Forward to HTTPS/SSL]' against GET
/Authn/X509 --> true
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint already satisfied
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
28-Aug-2019 18:16:38.091 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
28-Aug-2019 18:16:38.094 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@2081420c:139711359418528],
Status in: [OPEN_READ], State out: [OPEN]
28-Aug-2019 18:16:38.094 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.AbstractProtocol$ConnectionHandler.release Pushed
Processor [org.apache.coyote.http11.Http11Processor@4c325234]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Processing
socket [139,711,359,418,528] with status [OPEN_READ]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Found
processor [null] for socket [139,711,359,418,528]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Popped
processor [org.apache.coyote.http11.Http11Processor@4c325234] from cache
28-Aug-2019 18:16:38.124 FINE [https-openssl-apr-8443-exec-2]