RE: Question related to mutual authentication

2017-11-09 Thread Nicolas Therrien
-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, November 9, 2017 11:16 AM
To: users@tomcat.apache.org
Subject: Re: Question related to mutual authentication

Mark,

On 11/9/17 5:02 AM, Mark Thomas wrote:
> On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien 
> <nicolas.therr...@airbus-dscomm.com> wrote:
> 
> 
> 
>> My understanding is that when "certificateVerification" is set to 
>> "required", the server would perform the same verification as the 
>> client does, that is:
>> 
>> 1) Verify the incoming certificate is signed by an authority that is 
>> part of the local truststore.
> 
> Correct.
> 
>> 2) Verify that the incoming certificate's common name matches the 
>> hostname of the peer we are communicating with.
> 
> Incorrect.
> 
> The client very is intended to prove the identity of the user, not the 
> host the happen to be using.

s/very/cert/

This is also very (sic) dependent upon the URL that the client is using to 
connect to the server. For example, if you move a certificate with cn=localhost 
between many servers and access it using https://localhost/ then you will never 
get any errors. Likewise, if you redefine the DNS name and keep the URL 
consistent, then you will also connect without any errors.

Since you wrote the client, you are ultimately responsible for performing 
hostname verification. If you use HttpsURLConnection or anything else 
built-into the JVM like that that uses SSLContext and friends, you should 
automatically get hostname verification unless you specifically take steps to 
disable it.

But if you are rolling your own connection code, you won't get that kind of 
protection.

-chris

--


Thanks to Christopher and Mark for your responses.  Much appreciated!

I understand now that when validating the client, we're validating the user, 
not a machine name. This makes sense. I realize now that both server and 
client validation are dependent on the context and are not necessarily a 
foolproof guarantee of identity.

This question is now closed :)

Nicolas Therrien ing.
Senior Software Engineer

Airbus DS Communications
home of VESTA®
200 Boul. de la Technologie, Suite 300
Gatineau, QC J8Z 3H6
Canada
819.931.2139  (DIRECT)
www.Airbus-DSComm.com

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Question related to mutual authentication

2017-11-09 Thread Christopher Schultz

Mark,

On 11/9/17 5:02 AM, Mark Thomas wrote:
> On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien
>  wrote:
> 
> 
> 
>> My understanding is that when "certificateVerification" is set
>> to "required", the server would perform the same verification as
>> the client does, that is:
>> 
>> 1) Verify the incoming certificate is signed by an authority that
>> is part of the local truststore.
> 
> Correct.
> 
>> 2) Verify that the incoming certificate's common name matches
>> the hostname of the peer we are communicating with.
> 
> Incorrect.
> 
> The client very is intended to prove the identity of the user, not
> the host the happen to be using.

s/very/cert/

This is also very (sic) dependent upon the URL that the client is
using to connect to the server. For example, if you move a certificate
with cn=localhost between many servers and access it using
https://localhost/ then you will never get any errors. Likewise, if
you redefine the DNS name and keep the URL consistent, then you will
also connect without any errors.

Since you wrote the client, you are ultimately responsible for
performing hostname verification. If you use HttpsURLConnection or
anything else built-into the JVM like that that uses SSLContext and
friends, you should automatically get hostname verification unless you
specifically take steps to disable it.

But if you are rolling your own connection code, you won't get that
kind of protection.

-chris

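The two client paths Chris contrasts, as an added example (not code from the thread or from Tomcat): HttpsURLConnection, which matches the server certificate against the URL host on its own, beside a raw SSLSocket, which out of the box only checks that the chain leads to the truststore and has to be told to do name matching. Host `localhost`, port `8443` and the use of the default SSLContext (client key pair and truststore supplied through the usual `javax.net.ssl.keyStore` / `javax.net.ssl.trustStore` system properties) are assumptions for the demo, not values from the thread.

```java
import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: what a hand-written Java client gets, and does not get, in the way
 * of hostname verification when talking to a mutually-authenticated Tomcat.
 *
 * SSLContext.getDefault() picks up the client key pair and truststore from the
 * javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties, which covers
 * the client-certificate half of the handshake.
 */
public class HostnameVerificationDemo {

    /**
     * Path 1: HttpsURLConnection. After the handshake JSSE compares the server
     * certificate's SAN/CN against the host in the URL and throws if they differ.
     * Calling conn.setHostnameVerifier((h, s) -> true) is the step that disables it.
     */
    public static Principal viaHttpsUrlConnection(SSLContext ctx, URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect();
        try {
            return conn.getPeerPrincipal();
        } finally {
            conn.disconnect();
        }
    }

    /**
     * Path 2: raw SSLSocket. By default JSSE only validates the chain against the
     * truststore; the certificate's name is never compared with the host. Setting the
     * endpoint identification algorithm to "HTTPS" before the handshake turns on the
     * same RFC 2818 name matching that HttpsURLConnection applies.
     */
    public static Principal viaRawSocket(SSLContext ctx, String host, int port, boolean verifyHostname)
            throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        // createSocket(host, port) records the hostname so endpoint identification
        // (and SNI) has something to compare against.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            if (verifyHostname) {
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                socket.setSSLParameters(params); // must happen before startHandshake()
            }
            socket.startHandshake(); // SSLHandshakeException on chain or (if enabled) name mismatch
            return socket.getSession().getPeerPrincipal();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical target; replace with the Tomcat host and connector port under test.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        SSLContext ctx = SSLContext.getDefault();

        // Chain only: succeeds even when the server cert says CN=some-other-host.
        System.out.println("raw socket, chain only     : " + viaRawSocket(ctx, host, port, false));

        // Chain plus name: refuses a trusted-but-misnamed certificate.
        try {
            System.out.println("raw socket, HTTPS matching : " + viaRawSocket(ctx, host, port, true));
        } catch (SSLHandshakeException e) {
            System.out.println("raw socket, HTTPS matching : refused, " + e.getMessage());
        }

        // HttpsURLConnection fails the same way on a name mismatch, without any extra setup.
        try {
            System.out.println("HttpsURLConnection         : "
                    + viaHttpsUrlConnection(ctx, new URL("https://" + host + ":" + port + "/")));
        } catch (IOException e) {
            System.out.println("HttpsURLConnection         : refused, " + e.getMessage());
        }
    }
}
```

Run it twice against the same connector, once with the server certificate issued for the name you connect to and once with a trusted certificate issued for a different name: the chain-only socket accepts both, while the "HTTPS" socket and HttpsURLConnection accept only the first. Hostname verification is the client's protection against a stolen or misissued but still trusted certificate; a client that rolls its own SSLSocket code without the SSLParameters step has none.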



Re: Question related to mutual authentication

2017-11-09 Thread Mark Thomas
On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien 
 wrote:



>My understanding is that when "certificateVerification" is set to
>"required", the server would perform the same verification as the
>client does, that is:
>
>1) Verify the incoming certificate is signed by an authority that is
>part of the local truststore.

Correct.

>2) Verify that the incoming certificate's common name matches the
>hostname of the peer we are communicating with.

Incorrect.

The client cert is intended to prove the identity of the user, not the host they 
happen to be using.

Mark





Question related to mutual authentication

2017-11-08 Thread Nicolas Therrien
Hi!

I have successfully set up mutual authentication on a Tomcat 9.0.1 server 
running on CentOS 6.5.  To do my testing, I use a Java program that I wrote to 
verify my understanding of SSL and the server configuration. 

My question is about the server-side verification of the client certificate 
(CertificateRequest part of handshake). I noticed that the hostname/common name 
in the client certificate did not seem to be validated. I can move that 
certificate on several machines and the server will always accept it, as long 
as it is signed by one of the trusted authorities in the server JVM's 
truststore. I am puzzled by this behavior because I was expecting the hostname 
to matter. If my certificate was set for a machine, I was not expecting it to 
work on another machine.

My understanding is that when "certificateVerification" is set to "required", 
the server would perform the same verification as the client does, that is:

1) Verify the incoming certificate is signed by an authority that is part of 
the local truststore.
2) Verify that the incoming certificate's common name matches the hostname of 
the peer we are communicating with.


Also, should the server behavior be correct, can someone explain to me why it 
is like that? I find it odd that the client certificate can be copied around 
and used by anyone and still pass mutual authentication...

Thanks in advance,

Nicolas Therrien ing.
Senior Software Engineer

Airbus DS Communications
home of VESTA®
200 Boul. de la Technologie, Suite 300
Gatineau, QC J8Z 3H6
Canada
819.931.2139  (DIRECT)
www.Airbus-DSComm.com





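What `certificateVerification="required"` does and does not do on the server, followed through into code, as an added example that is not part of the thread or of Tomcat itself. The connector (Tomcat 9 `SSLHostConfig` with `certificateVerification="required"` and a `truststoreFile`) rejects any client whose chain does not end in a trusted CA, which is Mark's point 1. Deciding which of that CA's subjects may use the webapp is the application's job; the verified chain is handed to it in the standard `javax.servlet.request.X509Certificate` request attribute. The servlet filter below binds the certificate to an identity by subject CN. The URL pattern `/api/*`, the allowlist entries `device-0042` and `ops-console`, and the `client.identity` attribute name are constructed for the example.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: binding a verified client certificate to an application identity.
 *
 * With certificateVerification="required" the connector has already validated the
 * chain against the truststore before the request reaches this filter. The filter
 * does not redo that; it decides whether the subject is one the webapp accepts.
 */
@WebFilter("/api/*")
public class ClientCertIdentityFilter implements Filter {

    /** Constructed allowlist of subject CNs issued by the trusted CA; not from the thread. */
    private static final Set<String> ALLOWED_CN = Set.of("device-0042", "ops-console");

    /** GeneralName tag for dNSName in the SAN extension (RFC 5280). */
    private static final int SAN_DNS_NAME = 2;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            // Only reachable if the connector was set to optional/none rather than required.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // certs[0] is the end-entity certificate; the rest is the chain Tomcat validated.
        X509Certificate leaf = certs[0];
        String cn = subjectCn(leaf);
        if (cn == null || !ALLOWED_CN.contains(cn)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "certificate not authorised: " + leaf.getSubjectX500Principal().getName());
            return;
        }

        // Hand the identity downstream; servlets authorise on this, not on the remote address.
        req.setAttribute("client.identity", cn);
        chain.doFilter(req, res);
    }

    /** CN component of the subject DN, or null if absent or not parseable. */
    static String subjectCn(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // malformed DN: treat as having no CN
        }
        return null;
    }

    /**
     * dNSName SAN entries of the client certificate. This is the data the original
     * question expected the server to compare with the peer's hostname. It is available,
     * but ServletRequest.getRemoteHost() is a reverse-DNS lookup of the source address,
     * which NAT and the peer's own DNS make worthless as an identity, so the filter above
     * keys on the subject instead.
     */
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == SAN_DNS_NAME) {
                    names.add((String) san.get(1));
                }
            }
        }
        return names;
    }
}
```

This is why the certificate can be "copied around": the connector proves possession of a key the CA vouched for, and the thread's point is that the CA vouches for a subject, not a machine. Copying the private key to another host is the same act as a user carrying a password to another machine; the defence is protecting the key (and revoking it), not tying it to a hostname. Tomcat's built-in route to the same identity binding is the CLIENT-CERT auth-method with a Realm whose user names are certificate subject DNs; the filter above is the hand-rolled equivalent for cases where the mapping needs application logic.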