Hi Attached my certs. The error message they were getting were "unsupported signature algorithm ecdsa_sha1". Unfortunately don't have the logs and can't paste the actual client cert. I only have a packet capture during the failure and I was comparing tomcat logs from successful case and the packet capture from failure case. I noticed that the only difference is when the tomcat is requesting for client certificate it is sending list of acceptable/supported certificate types and signature algorithms. I am trying to understand where tomcat gets those values from? We don't enable/disable any signature algorithms in our java.security or java.policy files or in Catalina.policy files. The only place we specify any ciphers is in our connector (connector.txt). How does tomcat determine what to send as an acceptable/supported certificate type or signature algorithm?
Thanks -----Original Message----- From: Christopher Schultz <ch...@christopherschultz.net> Sent: Wednesday, September 22, 2021 6:16 PM To: users@tomcat.apache.org Subject: {EXTERNAL} Re: Supported signature algorithms in Tomcat 8.5 CAUTION: The message originated from an EXTERNAL SOURCE. Please use caution when opening attachments, clicking links or responding to this email. Sreevidya, On 9/22/21 12:25, Mandava, Sreevidya wrote: > Tomcat version : 8.5.70 > > Attached my self -signed client cert(ecdsatestclient.crt_txt), self > signed CA (rsatestca_original.crt_txt)output from openssl > (defaultciphersuite.txt) my connector configuration(connector.txt) Your attachment has been stripped. Please copy/paste your certificate in PEM-encoded-DER format (i.e. -----BEGIN CERTIFICATE-----) into the body of your post. > Problem: We have a client that is connecting to tomcat with an ECC > cert signed by a RSA signer. That would be a very odd configuration indeed. > Client authentication is enabled in tomcat. They are seeing handshake > failures in ClientKeyExchange/Certificate Verify stage. Do you have a specific error message and/or stack trace? > Why is there difference between the "certificate types" and "signature > algorithms"? Where/how does tomcat get the values for "certificate > types" and "supported signature algorithms"? Certificate types are usually "RSA" or "EC" (or maybe "DSA") and sometimes just, generically, X.509. Signature algorithms are typically things like "sha256withRSAencryption", etc. Having the certificate itself would be very helpful in trying to debug this issue. -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org CONFIDENTIALITY NOTICE This e-mail message and any attachments are only for the use of the intended recipient and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient, any disclosure, distribution or other use of this e-mail message or attachments is prohibited. If you have received this e-mail message in error, please delete and notify the sender immediately. Thank you.
Certificate: Data: Version: 1 (0x0) Serial Number: 10285467790209796342 (0x8ebd5275e02d48f6) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Missouri, L=OFallon, O=Mastercard, OU=RSA Test CA, CN=RSA Test CA/emailAddress=sreevidya.mand...@mastercard.com Validity Not Before: Sep 16 17:40:39 2021 GMT Not After : Sep 16 17:40:39 2022 GMT Subject: C=US, ST=Missouri, L=OFallon, O=Mastercard, OU=ECDSA Test Client, CN=ECDSA Test Client/emailAddress=sreevidya.mand...@mastercard.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:a7:a0:ae:3b:02:26:ba:b9:2b:f4:06:80:b9:c4: 83:db:70:31:bf:96:45:c7:ab:63:73:78:dc:41:da: 44:c0:e9:41:a4:79:b4:64:c9:29:eb:3d:59:07:67: 95:da:0a:80:71:30:7b:19:30:31:37:47:6b:78:92: a9:48:f8:8c:c2 ASN1 OID: prime256v1 Signature Algorithm: sha256WithRSAEncryption 1f:3c:bb:e5:18:48:b5:bf:90:8a:af:9a:5a:42:64:e3:6e:52: 20:71:8a:f8:4d:5c:ac:2a:a9:a5:9c:2f:22:9a:8a:ea:d0:6e: 47:36:7c:52:8e:8f:10:45:4b:a8:aa:cd:50:d2:04:ed:d5:87: 82:f4:f8:fa:70:84:ce:b6:90:c7:e1:1d:1a:35:60:21:7b:cd: 2b:c3:9b:09:6a:f7:a5:d9:3b:ee:a2:bb:99:72:4d:44:8b:0c: f2:be:bf:7e:2e:fc:9d:88:a6:07:e6:24:65:3f:96:34:b8:79: 04:42:6b:13:e8:5e:bc:44:13:2c:c8:5d:52:04:96:6e:44:44: cd:e5:9b:c0:21:1a:73:59:ff:00:01:9f:e2:7b:af:c3:cb:a9: 8b:5f:75:9f:7c:30:c3:ee:12:52:65:d2:7f:6f:ca:9a:06:83: fd:aa:5e:64:35:6e:ca:5b:28:19:8b:32:97:7c:83:91:ec:7c: 17:3b:cc:02:6a:98:1a:8f:2b:a6:5b:9d:9d:46:50:3f:87:82: 47:6b:16:56:9f:6c:40:4a:8b:39:75:58:31:a1:d4:1d:7c:a1: 14:6d:65:81:6a:07:fe:ea:4b:c5:93:7d:4d:4f:63:a6:33:20: 77:b7:ec:ad:6a:e5:bf:07:30:80:05:70:f1:4f:4d:cb:c3:89: 7b:b9:c1:a8 -----BEGIN CERTIFICATE----- MIIDBzCCAe8CCQCOvVJ14C1I9jANBgkqhkiG9w0BAQsFADCBpDELMAkGA1UEBhMC VVMxETAPBgNVBAgMCE1pc3NvdXJpMRAwDgYDVQQHDAdPRmFsbG9uMRMwEQYDVQQK DApNYXN0ZXJjYXJkMRQwEgYDVQQLDAtSU0EgVGVzdCBDQTEUMBIGA1UEAwwLUlNB IFRlc3QgQ0ExLzAtBgkqhkiG9w0BCQEWIHNyZWV2aWR5YS5tYW5kYXZhQG1hc3Rl cmNhcmQuY29tMB4XDTIxMDkxNjE3NDAzOVoXDTIyMDkxNjE3NDAzOVowgbAxCzAJ BgNVBAYTAlVTMREwDwYDVQQIDAhNaXNzb3VyaTEQMA4GA1UEBwwHT0ZhbGxvbjET MBEGA1UECgwKTWFzdGVyY2FyZDEaMBgGA1UECwwRRUNEU0EgVGVzdCBDbGllbnQx GjAYBgNVBAMMEUVDRFNBIFRlc3QgQ2xpZW50MS8wLQYJKoZIhvcNAQkBFiBzcmVl dmlkeWEubWFuZGF2YUBtYXN0ZXJjYXJkLmNvbTBZMBMGByqGSM49AgEGCCqGSM49 AwEHA0IABKegrjsCJrq5K/QGgLnEg9twMb+WRcerY3N43EHaRMDpQaR5tGTJKes9 WQdnldoKgHEwexkwMTdHa3iSqUj4jMIwDQYJKoZIhvcNAQELBQADggEBAB88u+UY SLW/kIqvmlpCZONuUiBxivhNXKwqqaWcLyKaiurQbkc2fFKOjxBFS6iqzVDSBO3V h4L0+PpwhM62kMfhHRo1YCF7zSvDmwlq96XZO+6iu5lyTUSLDPK+v34u/J2Ipgfm JGU/ljS4eQRCaxPoXrxEEyzIXVIElm5ERM3lm8AhGnNZ/wABn+J7r8PLqYtfdZ98 MMPuElJl0n9vypoGg/2qXmQ1bspbKBmLMpd8g5HsfBc7zAJqmBqPK6ZbnZ1GUD+H gkdrFlafbEBKizl1WDGh1B18oRRtZYFqB/7qS8WTfU1PY6YzIHe37K1q5b8HMIAF cPFPTcvDiXu5wag= -----END CERTIFICATE-----
Certificate: Data: Version: 3 (0x2) Serial Number: 9832665798727752812 (0x8874a572c04cdc6c) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Missouri, L=OFallon, O=Mastercard, OU=RSA Test CA, CN=RSA Test CA/emailAddress=sreevidya.mand...@mastercard.com Validity Not Before: Sep 16 17:37:11 2021 GMT Not After : Sep 16 17:37:11 2022 GMT Subject: C=US, ST=Missouri, L=OFallon, O=Mastercard, OU=RSA Test CA, CN=RSA Test CA/emailAddress=sreevidya.mand...@mastercard.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a1:60:8e:6a:a1:73:35:73:7c:20:3a:b1:25:fd: b5:bd:69:ce:21:d2:4f:85:e5:f5:14:7e:da:bb:03: 03:4e:6a:8a:56:ea:18:fc:8f:28:2b:ac:43:e9:65: 9e:c1:f0:2d:fc:03:f7:41:13:8e:25:a1:b4:86:6f: 53:c2:fe:3a:3b:64:98:34:83:00:3f:39:eb:0c:cd: 19:8d:e6:31:ed:44:e6:5d:5f:94:7b:45:e1:4c:c9: 50:8d:6a:69:78:93:8e:b9:06:73:04:42:e9:ce:43: 6e:b2:28:d5:31:9f:8a:c4:45:8b:fe:8d:66:5e:60: c2:01:f7:27:4c:70:96:e0:d1:73:b4:c2:6b:34:d8: a2:35:c6:02:26:bc:d4:23:98:35:e5:9b:b3:ce:16: 2d:d1:25:5c:8e:c8:fd:9e:fb:86:3d:72:84:26:a5: fa:f6:32:50:4e:8f:37:3c:1e:8c:15:1a:bc:f5:79: c0:b1:cb:79:cb:e9:a1:b8:8c:7e:b1:35:30:d5:48: d2:91:44:cc:bf:63:5e:18:eb:ad:86:42:72:0d:c6: 3a:3a:5b:7a:f3:77:3c:ef:ec:8f:bb:52:98:fb:95: 44:2e:ee:44:c3:8d:35:90:a3:18:7e:79:78:40:31: 8e:b1:36:3a:37:70:9b:f6:f0:7f:43:43:12:f8:06: 6a:15 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: A2:D2:8A:15:B0:D9:88:62:58:85:AA:C8:5A:50:F1:B7:DD:1F:9D:CF X509v3 Authority Key Identifier: keyid:A2:D2:8A:15:B0:D9:88:62:58:85:AA:C8:5A:50:F1:B7:DD:1F:9D:CF X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 3d:1a:60:8d:79:4a:c5:60:bb:6e:f2:45:ba:95:4c:b0:7b:18: 8f:cd:07:e3:a8:89:6a:f5:e7:e3:4e:d8:2d:5d:3d:01:15:1e: 6b:4f:fd:96:76:6e:67:fa:2d:e2:81:87:55:7b:c3:71:91:b1: 08:16:af:46:fc:e4:cc:c1:d8:ea:fc:bc:18:07:c8:93:7e:d9: 2f:c3:2b:12:97:8c:06:37:8d:1b:3a:56:e4:5a:79:ea:b9:54: d6:6b:87:48:41:73:a9:75:72:68:20:f0:c0:50:df:30:d0:bf: e4:4d:54:7c:17:43:4f:a6:4b:6a:c3:7e:fe:4d:56:f0:88:53: a3:af:0d:ff:7a:e0:fe:f7:ec:36:c9:f3:86:5d:e8:16:6d:81: 3d:d1:ca:d5:a9:7e:66:d9:5a:a4:e5:39:f9:7a:43:0c:df:e9: 08:c9:03:8c:df:5c:49:1f:06:c8:34:f2:99:2e:ba:de:5c:45: cf:b1:f5:4a:82:83:26:e2:c4:b7:c9:ee:9c:6e:32:cc:13:c7: 81:e1:83:51:b8:57:d8:f2:71:98:cd:d5:b4:ad:c4:94:cf:4f: 48:12:67:e9:f0:99:a6:18:49:0c:8c:bf:3e:89:aa:cf:8d:fb: 46:7f:77:90:9f:bd:d1:ad:52:16:d4:6d:04:7d:e8:d5:5e:64: 1b:04:4d:9f -----BEGIN CERTIFICATE----- MIIEHTCCAwWgAwIBAgIJAIh0pXLATNxsMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD VQQGEwJVUzERMA8GA1UECAwITWlzc291cmkxEDAOBgNVBAcMB09GYWxsb24xEzAR BgNVBAoMCk1hc3RlcmNhcmQxFDASBgNVBAsMC1JTQSBUZXN0IENBMRQwEgYDVQQD DAtSU0EgVGVzdCBDQTEvMC0GCSqGSIb3DQEJARYgc3JlZXZpZHlhLm1hbmRhdmFA bWFzdGVyY2FyZC5jb20wHhcNMjEwOTE2MTczNzExWhcNMjIwOTE2MTczNzExWjCB pDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE1pc3NvdXJpMRAwDgYDVQQHDAdPRmFs bG9uMRMwEQYDVQQKDApNYXN0ZXJjYXJkMRQwEgYDVQQLDAtSU0EgVGVzdCBDQTEU MBIGA1UEAwwLUlNBIFRlc3QgQ0ExLzAtBgkqhkiG9w0BCQEWIHNyZWV2aWR5YS5t YW5kYXZhQG1hc3RlcmNhcmQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAoWCOaqFzNXN8IDqxJf21vWnOIdJPheX1FH7auwMDTmqKVuoY/I8oK6xD 6WWewfAt/AP3QROOJaG0hm9Twv46O2SYNIMAPznrDM0ZjeYx7UTmXV+Ue0XhTMlQ jWppeJOOuQZzBELpzkNusijVMZ+KxEWL/o1mXmDCAfcnTHCW4NFztMJrNNiiNcYC JrzUI5g15ZuzzhYt0SVcjsj9nvuGPXKEJqX69jJQTo83PB6MFRq89XnAsct5y+mh uIx+sTUw1UjSkUTMv2NeGOuthkJyDcY6Olt683c87+yPu1KY+5VELu5Ew401kKMY fnl4QDGOsTY6N3Cb9vB/Q0MS+AZqFQIDAQABo1AwTjAdBgNVHQ4EFgQUotKKFbDZ iGJYharIWlDxt90fnc8wHwYDVR0jBBgwFoAUotKKFbDZiGJYharIWlDxt90fnc8w DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAPRpgjXlKxWC7bvJFupVM sHsYj80H46iJavXn407YLV09ARUea0/9lnZuZ/ot4oGHVXvDcZGxCBavRvzkzMHY 6vy8GAfIk37ZL8MrEpeMBjeNGzpW5Fp56rlU1muHSEFzqXVyaCDwwFDfMNC/5E1U fBdDT6ZLasN+/k1W8IhTo68N/3rg/vfsNsnzhl3oFm2BPdHK1al+ZtlapOU5+XpD DN/pCMkDjN9cSR8GyDTymS663lxFz7H1SoKDJuLEt8nunG4yzBPHgeGDUbhX2PJx mM3VtK3ElM9PSBJn6fCZphhJDIy/Pomqz437Rn93kJ+90a1SFtRtBH3o1V5kGwRN nw== -----END CERTIFICATE-----
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org