Re: Client-CERT SSLVerifyClient=none does not seem to work .. any suggestion for debugging?

2019-08-29 Thread Vivien Wu
Thank you for your response.
Perhaps I was not clear. What I really want to do is to have client
authentication only for the particular path (/Authn/X509).
But it does not seem to kick in, and I am wondering if there is any
suggestion for troubleshooting.

-Vivien

On Thu, Aug 29, 2019 at 12:48 AM Mark Thomas  wrote:

> On 28/08/2019 23:09, Vivien Wu wrote:
> > Tomcat version: 8.5.14
> > OS: debian 9 (stretch)
> > Issues: If using SSLVerifyClient=optional, it seems to work (log
> > attached, assuming config is validated);
> > however, when trying to use SSLVerifyClient=none, the browser complains
> >
> > This site can’t provide a secure connection
> > login-test.foo.com sent an invalid response.
> > ERR_SSL_PROTOCOL_ERROR
>
> What did you expect?
>
> You told the Connector - explicitly - not to ask for CLIENT-CERT
> authentication.
>
> You told the application to require CLIENT-CERT authentication.
>
> It looks like SSLVerifyClient=optional is the correct setting for your
> use case.
>
> Mark
>


Re: Client-CERT SSLVerifyClient=none does not seem to work .. any suggestion for debugging?

2019-08-29 Thread Mark Thomas
On 28/08/2019 23:09, Vivien Wu wrote:
> Tomcat version: 8.5.14
> OS: debian 9 (stretch)
> Issues: If using SSLVerifyClient=optional, it seems to work (log attached,
> assuming config is validated);
> however, when trying to use SSLVerifyClient=none, the browser complains
> 
> This site can’t provide a secure connection
> login-test.foo.com sent an invalid response.
> ERR_SSL_PROTOCOL_ERROR

What did you expect?

You told the Connector - explicitly - not to ask for CLIENT-CERT
authentication.

You told the application to require CLIENT-CERT authentication.

It looks like SSLVerifyClient=optional is the correct setting for your
use case.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
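The mismatch Mark points at (a Connector told never to ask for a certificate, a web.xml whose login-config demands one) can be caught before Tomcat is restarted. The script below is an added example, not code from this thread, from Tomcat or from Shibboleth: it pulls the client-certificate verification mode out of server.xml (the legacy SSLVerifyClient Connector attribute, or certificateVerification on an SSLHostConfig) and the auth-method out of web.xml, and fails when the connector will never request the certificate the application insists on. The sample files it writes are constructed for the demo (the certificate paths are placeholders), and the parsing assumes each attribute sits on one line.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat/Shibboleth: a pre-flight
# check for the server.xml/web.xml mismatch described in the reply above.
# Assumptions (not from the page): the verification mode is written on one
# line as SSLVerifyClient="..." (legacy Connector attribute) or as
# certificateVerification="..." on an SSLHostConfig, and a single HTTPS
# connector is of interest. Only grep/sed are used, so it runs anywhere.

# Print the client-certificate verification mode from a server.xml:
# none, optional, optionalNoCA, required (legacy: require), or "unset"
# when the attribute is absent, which Tomcat treats like none.
connector_verify_mode() {
    mode=$(grep -o -E '(SSLVerifyClient|certificateVerification)="[^"]*"' "$1" \
        | head -n 1 | sed 's/.*="\([^"]*\)"/\1/')
    printf '%s\n' "${mode:-unset}"
}

# Print the auth-method declared in a web.xml (e.g. CLIENT-CERT), or "unset".
webapp_auth_method() {
    m=$(sed -n 's|.*<auth-method>[[:space:]]*\([A-Z-]*\)[[:space:]]*</auth-method>.*|\1|p' "$1" \
        | head -n 1)
    printf '%s\n' "${m:-unset}"
}

# Exit 0 when the two files can work together, 1 when the connector will
# never ask for the certificate that the application's login-config demands.
check_client_cert_config() {
    mode=$(connector_verify_mode "$1")
    auth=$(webapp_auth_method "$2")
    if [ "$auth" = "CLIENT-CERT" ] && { [ "$mode" = "none" ] || [ "$mode" = "unset" ]; }; then
        echo "MISMATCH: web.xml auth-method CLIENT-CERT but connector verification is '$mode'"
        return 1
    fi
    echo "OK: connector verification '$mode', web.xml auth-method '$auth'"
}

# Stand-alone demo on constructed files (modelled on the thread, not copied
# from it; certificate paths are placeholders).
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/web.xml" <<'EOF'
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>X509AuthHandler</web-resource-name>
      <url-pattern>/Authn/X509</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>
EOF
    # The setting from the thread: the connector never asks for a certificate.
    cat >"$tmp/server-none.xml" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/etc/ssl/idp.crt" SSLCertificateKeyFile="/etc/ssl/idp.key"
           SSLCACertificateFile="/etc/ssl/client-ca.pem" SSLVerifyClient="none" />
EOF
    # The recommended setting: ask in every handshake, tolerate absence, and
    # let the web.xml constraint decide where a certificate is really required.
    sed 's/SSLVerifyClient="none"/SSLVerifyClient="optional"/' \
        "$tmp/server-none.xml" >"$tmp/server-optional.xml"
    check_client_cert_config "$tmp/server-none.xml" "$tmp/web.xml" || true   # MISMATCH, exit 1
    check_client_cert_config "$tmp/server-optional.xml" "$tmp/web.xml"       # OK, exit 0
    rm -rf "$tmp"
}

demo
```

With optional the connector sends a CertificateRequest in every handshake, so a browser that holds a certificate issued by one of the listed CAs may prompt on any URL; the security-constraint in web.xml is what limits enforcement to /Authn/X509.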



Client-CERT SSLVerifyClient=none does not seem to work .. any suggestion for debugging?

2019-08-28 Thread Vivien Wu
Tomcat version: 8.5.14
OS: debian 9 (stretch)
Issues: If using SSLVerifyClient=optional, it seems to work (log attached,
assuming config is validated);
however, when trying to use SSLVerifyClient=none, the browser complains

This site can’t provide a secure connection
login-test.foo.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR


When digging into the Tomcat log, the only clues are as follows.


28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
authenticate()
28-Aug-2019 18:16:38.091 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test

... wondering if anyone has any suggestion as to how to debug the issue.

Thank you all in advance for your help.




Configuration:
1. web.xml

    <servlet>
        <servlet-name>X509AuthHandler</servlet-name>
        <servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class>
        <load-on-startup>3</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>X509AuthHandler</servlet-name>
        <url-pattern>/Authn/X509</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>X509AuthHandler</web-resource-name>
            <url-pattern>/Authn/X509</url-pattern>
        </web-resource-collection>
        <!-- The archive stripped the element tags and kept only the values;
             the tags here are reconstructed. The value "X509" appeared on its
             own after CONFIDENTIAL and is placed as an auth-constraint role
             name, the reading that fits; verify against the real file. -->
        <auth-constraint>
            <role-name>X509</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

2. server.xml


 




 

 



3. logging.properties

org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
net.unicon.tomcat7.realm.level = ALL
net.unicon.tomcat7.realm.useParentHandlers = true
org.apache.coyote.http11.level = ALL
org.apache.coyote.http11.useParentHandlers = true

with -Djavax.net.debug=ssl




4. When SSLVerifyClient=none is specified in the Connector, I got the following
in the browser,

This site can’t provide a secure connection
login-test.foo.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

and in the catalina log,

28-Aug-2019 18:16:38.089 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine Received [GET
/idp/Authn/X509?conversation=e1s1 HTTP/1.1
Host: login-test.foo.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
DNT: 1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,mt;q=0.6,zh-TW;q=0.5
Cookie: JSESSIONID=70B72EE82D09700707565E884DB1E3C5.jvm1; x509passthrough=1

]
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
checking request GET /idp/Authn/X509
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[X509AuthHandler]' against GET /Authn/X509
--> true
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Automatic Forward to HTTPS/SSL]' against GET
/Authn/X509 --> true
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
hasUserDataPermission()
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint already satisfied
28-Aug-2019 18:16:38.090 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
authenticate()
28-Aug-2019 18:16:38.091 FINE [https-openssl-apr-8443-exec-1]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test
28-Aug-2019 18:16:38.094 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.AbstractProcessorLight.process Socket:
[org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@2081420c:139711359418528],
Status in: [OPEN_READ], State out: [OPEN]
28-Aug-2019 18:16:38.094 FINE [https-openssl-apr-8443-exec-1]
org.apache.coyote.AbstractProtocol$ConnectionHandler.release Pushed
Processor [org.apache.coyote.http11.Http11Processor@4c325234]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Processing
socket [139,711,359,418,528] with status [OPEN_READ]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Found
processor [null] for socket [139,711,359,418,528]
28-Aug-2019 18:16:38.115 FINE [https-openssl-apr-8443-exec-2]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Popped
processor [org.apache.coyote.http11.Http11Processor@4c325234] from cache
28-Aug-2019 18:16:38.124 FINE [https-openssl-apr-8443-exec-2]
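On the troubleshooting question itself: -Djavax.net.debug=ssl only traces JSSE, and the thread names in the log (https-openssl-apr-8443) show the APR/OpenSSL connector, whose handshake never touches JSSE, so that flag will stay silent here. What can be observed from outside is whether the server sends a CertificateRequest at all, the handshake message that SSLVerifyClient=none suppresses and optional/require emit. The script below is an added example, not part of this thread: it classifies an `openssl s_client -msg` transcript by that message. The message-line format is the one OpenSSL 1.1.1 prints and is an assumption, the three transcripts are constructed rather than captured from the server above, and the host and port in probe_server are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: decide from an `openssl s_client -msg`
# transcript whether the server asked for a client certificate at all.
# Assumptions (not from the page): OpenSSL 1.1.1's -msg line format, e.g.
#   <<< TLS 1.2, Handshake [length 00ab], CertificateRequest
# and a placeholder host/port in probe_server.

# Read a transcript on stdin. Exit 0 if the server sent CertificateRequest,
# 1 if the handshake ran without one (what SSLVerifyClient=none produces),
# 2 if no ServerHello was seen, i.e. TLS failed before client auth mattered.
handshake_requests_client_cert() {
    transcript=$(cat)
    if ! printf '%s\n' "$transcript" | grep -q '^<<<.*Handshake.*ServerHello'; then
        return 2
    fi
    if printf '%s\n' "$transcript" | grep -q '^<<<.*Handshake.*CertificateRequest'; then
        return 0
    fi
    return 1
}

# The same decision as a word, for scripting and for the checks below.
classify_transcript() {
    if printf '%s\n' "$1" | handshake_requests_client_cert; then
        echo requested
    else
        case $? in 1) echo not-requested ;; *) echo no-handshake ;; esac
    fi
}

# Live probe (not run here; host and port are placeholders). s_client reads
# /dev/null so it exits after the handshake; stderr is merged so connection
# errors land in the transcript too.
probe_server() {
    host=$1; port=${2:-8443}
    transcript=$(openssl s_client -connect "$host:$port" -servername "$host" -msg </dev/null 2>&1 || true)
    case $(classify_transcript "$transcript") in
        requested)     echo "$host:$port asks for a client certificate; CLIENT-CERT auth can work" ;;
        not-requested) echo "$host:$port never sent CertificateRequest; the connector is not verifying clients" ;;
        *)             echo "$host:$port: no ServerHello; fix the TLS setup before looking at web.xml" ;;
    esac
}

# Constructed transcripts trimmed to the handshake lines (not captured from
# the thread's server).
WITH_REQUEST='<<< TLS 1.2, Handshake [length 0055], ServerHello
<<< TLS 1.2, Handshake [length 0b26], Certificate
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
<<< TLS 1.2, Handshake [length 00ab], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
>>> TLS 1.2, Handshake [length 0007], Certificate
>>> TLS 1.2, Handshake [length 0046], ClientKeyExchange'
WITHOUT_REQUEST='<<< TLS 1.2, Handshake [length 0055], ServerHello
<<< TLS 1.2, Handshake [length 0b26], Certificate
<<< TLS 1.2, Handshake [length 014d], ServerKeyExchange
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
>>> TLS 1.2, Handshake [length 0046], ClientKeyExchange'
REFUSED='connect: Connection refused
connect:errno=111'

classify_transcript "$WITH_REQUEST"      # requested
classify_transcript "$WITHOUT_REQUEST"   # not-requested
classify_transcript "$REFUSED"           # no-handshake
```

A CertificateRequest only proves that the connector asks; whether /idp/Authn/X509 then enforces it is the web.xml side, which you can test by fetching that path with curl once with --cert/--key and once without, and comparing the status codes.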