Hi

Attached my certs. The error message they were getting was "unsupported 
signature algorithm ecdsa_sha1". Unfortunately I don't have the logs and can't 
paste the actual client cert. I only have a packet capture during the failure, 
and I was comparing Tomcat logs from the successful case with the packet capture 
from the failure case. I noticed that the only difference is when Tomcat is 
requesting the client certificate: it is sending a list of acceptable/supported 
certificate types and signature algorithms. I am trying to understand where 
Tomcat gets those values from. We don't enable/disable any signature algorithms 
in our java.security or java.policy files or in the catalina.policy file. The 
only place we specify any ciphers is in our connector (connector.txt). How does 
Tomcat determine what to send as an acceptable/supported certificate type or 
signature algorithm?


Thanks



-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, September 22, 2021 6:16 PM
To: users@tomcat.apache.org
Subject: {EXTERNAL} Re: Supported signature algorithms in Tomcat 8.5


Sreevidya,

On 9/22/21 12:25, Mandava, Sreevidya wrote:
> Tomcat version : 8.5.70
>
> Attached my self-signed client cert (ecdsatestclient.crt_txt), self-
> signed CA (rsatestca_original.crt_txt), output from openssl
> (defaultciphersuite.txt), and my connector configuration (connector.txt)

Your attachment has been stripped. Please copy/paste your certificate in 
PEM-encoded-DER format (i.e. -----BEGIN CERTIFICATE-----) into the body of your 
post.

> Problem: We have a client that is connecting to tomcat with an ECC
> cert signed by a RSA signer.

That would be a very odd configuration indeed.

> Client authentication is enabled in tomcat. They are seeing handshake
> failures in ClientKeyExchange/Certificate Verify stage.
Do you have a specific error message and/or stack trace?

> Why is there difference between the "certificate types" and "signature
> algorithms"? Where/how does tomcat get the values for "certificate
> types" and "supported signature algorithms"?
Certificate types are usually "RSA" or "EC" (or maybe "DSA") and sometimes 
just, generically, X.509. Signature algorithms are typically things like 
"sha256withRSAencryption", etc.

Having the certificate itself would be very helpful in trying to debug this 
issue.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10285467790209796342 (0x8ebd5275e02d48f6)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Missouri, L=OFallon, O=Mastercard, OU=RSA Test CA, 
CN=RSA Test CA/emailAddress=sreevidya.mand...@mastercard.com
        Validity
            Not Before: Sep 16 17:40:39 2021 GMT
            Not After : Sep 16 17:40:39 2022 GMT
        Subject: C=US, ST=Missouri, L=OFallon, O=Mastercard, OU=ECDSA Test 
Client, CN=ECDSA Test Client/emailAddress=sreevidya.mand...@mastercard.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:a7:a0:ae:3b:02:26:ba:b9:2b:f4:06:80:b9:c4:
                    83:db:70:31:bf:96:45:c7:ab:63:73:78:dc:41:da:
                    44:c0:e9:41:a4:79:b4:64:c9:29:eb:3d:59:07:67:
                    95:da:0a:80:71:30:7b:19:30:31:37:47:6b:78:92:
                    a9:48:f8:8c:c2
                ASN1 OID: prime256v1
    Signature Algorithm: sha256WithRSAEncryption
         1f:3c:bb:e5:18:48:b5:bf:90:8a:af:9a:5a:42:64:e3:6e:52:
         20:71:8a:f8:4d:5c:ac:2a:a9:a5:9c:2f:22:9a:8a:ea:d0:6e:
         47:36:7c:52:8e:8f:10:45:4b:a8:aa:cd:50:d2:04:ed:d5:87:
         82:f4:f8:fa:70:84:ce:b6:90:c7:e1:1d:1a:35:60:21:7b:cd:
         2b:c3:9b:09:6a:f7:a5:d9:3b:ee:a2:bb:99:72:4d:44:8b:0c:
         f2:be:bf:7e:2e:fc:9d:88:a6:07:e6:24:65:3f:96:34:b8:79:
         04:42:6b:13:e8:5e:bc:44:13:2c:c8:5d:52:04:96:6e:44:44:
         cd:e5:9b:c0:21:1a:73:59:ff:00:01:9f:e2:7b:af:c3:cb:a9:
         8b:5f:75:9f:7c:30:c3:ee:12:52:65:d2:7f:6f:ca:9a:06:83:
         fd:aa:5e:64:35:6e:ca:5b:28:19:8b:32:97:7c:83:91:ec:7c:
         17:3b:cc:02:6a:98:1a:8f:2b:a6:5b:9d:9d:46:50:3f:87:82:
         47:6b:16:56:9f:6c:40:4a:8b:39:75:58:31:a1:d4:1d:7c:a1:
         14:6d:65:81:6a:07:fe:ea:4b:c5:93:7d:4d:4f:63:a6:33:20:
         77:b7:ec:ad:6a:e5:bf:07:30:80:05:70:f1:4f:4d:cb:c3:89:
         7b:b9:c1:a8
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9832665798727752812 (0x8874a572c04cdc6c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Missouri, L=OFallon, O=Mastercard, OU=RSA Test CA, 
CN=RSA Test CA/emailAddress=sreevidya.mand...@mastercard.com
        Validity
            Not Before: Sep 16 17:37:11 2021 GMT
            Not After : Sep 16 17:37:11 2022 GMT
        Subject: C=US, ST=Missouri, L=OFallon, O=Mastercard, OU=RSA Test CA, 
CN=RSA Test CA/emailAddress=sreevidya.mand...@mastercard.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a1:60:8e:6a:a1:73:35:73:7c:20:3a:b1:25:fd:
                    b5:bd:69:ce:21:d2:4f:85:e5:f5:14:7e:da:bb:03:
                    03:4e:6a:8a:56:ea:18:fc:8f:28:2b:ac:43:e9:65:
                    9e:c1:f0:2d:fc:03:f7:41:13:8e:25:a1:b4:86:6f:
                    53:c2:fe:3a:3b:64:98:34:83:00:3f:39:eb:0c:cd:
                    19:8d:e6:31:ed:44:e6:5d:5f:94:7b:45:e1:4c:c9:
                    50:8d:6a:69:78:93:8e:b9:06:73:04:42:e9:ce:43:
                    6e:b2:28:d5:31:9f:8a:c4:45:8b:fe:8d:66:5e:60:
                    c2:01:f7:27:4c:70:96:e0:d1:73:b4:c2:6b:34:d8:
                    a2:35:c6:02:26:bc:d4:23:98:35:e5:9b:b3:ce:16:
                    2d:d1:25:5c:8e:c8:fd:9e:fb:86:3d:72:84:26:a5:
                    fa:f6:32:50:4e:8f:37:3c:1e:8c:15:1a:bc:f5:79:
                    c0:b1:cb:79:cb:e9:a1:b8:8c:7e:b1:35:30:d5:48:
                    d2:91:44:cc:bf:63:5e:18:eb:ad:86:42:72:0d:c6:
                    3a:3a:5b:7a:f3:77:3c:ef:ec:8f:bb:52:98:fb:95:
                    44:2e:ee:44:c3:8d:35:90:a3:18:7e:79:78:40:31:
                    8e:b1:36:3a:37:70:9b:f6:f0:7f:43:43:12:f8:06:
                    6a:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A2:D2:8A:15:B0:D9:88:62:58:85:AA:C8:5A:50:F1:B7:DD:1F:9D:CF
            X509v3 Authority Key Identifier: 
                
keyid:A2:D2:8A:15:B0:D9:88:62:58:85:AA:C8:5A:50:F1:B7:DD:1F:9D:CF

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3d:1a:60:8d:79:4a:c5:60:bb:6e:f2:45:ba:95:4c:b0:7b:18:
         8f:cd:07:e3:a8:89:6a:f5:e7:e3:4e:d8:2d:5d:3d:01:15:1e:
         6b:4f:fd:96:76:6e:67:fa:2d:e2:81:87:55:7b:c3:71:91:b1:
         08:16:af:46:fc:e4:cc:c1:d8:ea:fc:bc:18:07:c8:93:7e:d9:
         2f:c3:2b:12:97:8c:06:37:8d:1b:3a:56:e4:5a:79:ea:b9:54:
         d6:6b:87:48:41:73:a9:75:72:68:20:f0:c0:50:df:30:d0:bf:
         e4:4d:54:7c:17:43:4f:a6:4b:6a:c3:7e:fe:4d:56:f0:88:53:
         a3:af:0d:ff:7a:e0:fe:f7:ec:36:c9:f3:86:5d:e8:16:6d:81:
         3d:d1:ca:d5:a9:7e:66:d9:5a:a4:e5:39:f9:7a:43:0c:df:e9:
         08:c9:03:8c:df:5c:49:1f:06:c8:34:f2:99:2e:ba:de:5c:45:
         cf:b1:f5:4a:82:83:26:e2:c4:b7:c9:ee:9c:6e:32:cc:13:c7:
         81:e1:83:51:b8:57:d8:f2:71:98:cd:d5:b4:ad:c4:94:cf:4f:
         48:12:67:e9:f0:99:a6:18:49:0c:8c:bf:3e:89:aa:cf:8d:fb:
         46:7f:77:90:9f:bd:d1:ad:52:16:d4:6d:04:7d:e8:d5:5e:64:
         1b:04:4d:9f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
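The two lists Chris distinguishes above (certificate types versus signature algorithms) are separate fields of the TLS 1.2 CertificateRequest message (RFC 5246 section 7.4.4), which is the message the packet capture shows Tomcat sending. The decoder below is an added example, written for this page and not code from the thread, from Tomcat or from JSSE. It parses that message from its raw handshake bytes, names each signature/hash pair the way the JSSE error message does ("ecdsa_sha1", "ecdsa_sha256", ...), and checks whether a given pair is offered. The relevant RFC facts: the client's CertificateVerify must use one of the offered pairs, and a client whose certificate holds an EC key can only produce ECDSA signatures, so only the ecdsa_* entries of the server's list matter for that client. The sample message is constructed here, not taken from the capture; it assumes the TLS 1.2 wire layout (TLS 1.3 uses a different CertificateRequest structure), and the single CA name is an empty placeholder SEQUENCE rather than a real DistinguishedName.

```python
"""Decode a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4, RFC 4492 5.5).

Constructed example for this page; the sample message is built below, not
taken from the capture discussed in the thread.
"""

HANDSHAKE_CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request

# ClientCertificateType (RFC 5246 7.4.4; ECC values from RFC 4492 5.5)
CERTIFICATE_TYPES = {
    1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh",
    64: "ecdsa_sign", 65: "rsa_fixed_ecdh", 66: "ecdsa_fixed_ecdh",
}
# SignatureAndHashAlgorithm components (RFC 5246 7.4.1.4.1)
HASH_ALGORITHMS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
                   4: "sha256", 5: "sha384", 6: "sha512"}
SIGNATURE_ALGORITHMS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def _name(table, code, prefix):
    return table.get(code, f"{prefix}{code}")


def parse_certificate_request(msg: bytes) -> dict:
    """Parse a CertificateRequest handshake message (4-byte handshake header included).

    Returns the certificate types, the signature algorithms as JSSE-style names
    such as "ecdsa_sha256", and the DER-encoded CA names.
    """
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError(f"handshake type {msg[0]} is not CertificateRequest")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake body shorter than declared length")

    pos = 0
    # certificate_types<1..2^8-1>: 1-byte length, then one byte per type
    n_types = body[pos]
    pos += 1
    if n_types == 0 or pos + n_types > len(body):
        raise ValueError("bad certificate_types vector")
    cert_types = [_name(CERTIFICATE_TYPES, t, "type") for t in body[pos:pos + n_types]]
    pos += n_types

    # supported_signature_algorithms<2..2^16-2>: 2-byte length, then (hash, sig) pairs
    sa_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if sa_len % 2 or pos + sa_len > len(body):
        raise ValueError("bad supported_signature_algorithms vector")
    sig_algs = []
    for i in range(pos, pos + sa_len, 2):
        hash_id, sig_id = body[i], body[i + 1]
        sig_algs.append(f"{_name(SIGNATURE_ALGORITHMS, sig_id, 'sig')}_"
                        f"{_name(HASH_ALGORITHMS, hash_id, 'hash')}")
    pos += sa_len

    # certificate_authorities<0..2^16-1>: 2-byte total length, then DNs, each
    # prefixed by its own 2-byte length
    ca_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities does not end at message end")
    cas = []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        if pos + dn_len > end:
            raise ValueError("bad DistinguishedName length")
        cas.append(bytes(body[pos:pos + dn_len]))
        pos += dn_len
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


def build_certificate_request(cert_types, sig_algs, ca_names=()) -> bytes:
    """Encode a CertificateRequest; sig_algs are (hash_id, sig_id) pairs."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sa = b"".join(bytes([h, s]) for h, s in sig_algs)
    body += len(sa).to_bytes(2, "big") + sa
    cas = b"".join(len(dn).to_bytes(2, "big") + dn for dn in ca_names)
    body += len(cas).to_bytes(2, "big") + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def server_accepts(parsed: dict, sig_alg: str) -> bool:
    """True if the offered list lets the client sign CertificateVerify with sig_alg."""
    return sig_alg in parsed["signature_algorithms"]


# Constructed sample (not from the thread's capture): a server that accepts RSA
# and ECDSA client certs, offers SHA-256 for both and SHA-1 for RSA only, and
# lists one placeholder CA name (an empty DER SEQUENCE, not a real DN).
SAMPLE_REQUEST = build_certificate_request(
    cert_types=[64, 1],
    sig_algs=[(4, 1), (4, 3), (2, 1)],
    ca_names=[b"\x30\x00"],
)

if __name__ == "__main__":
    parsed = parse_certificate_request(SAMPLE_REQUEST)
    print("certificate types   :", parsed["certificate_types"])
    print("signature algorithms:", parsed["signature_algorithms"])
    print("CA names (DER hex)  :", [dn.hex() for dn in parsed["certificate_authorities"]])
    # An EC client key can only sign with ECDSA, so only ecdsa_* entries matter for it.
    print("ecdsa_sha1 offered  :", server_accepts(parsed, "ecdsa_sha1"))
    print("ecdsa_sha256 offered:", server_accepts(parsed, "ecdsa_sha256"))
```

To use it on the capture, feed `parse_certificate_request` the bytes of the Certificate Request handshake message (starting at the 0x0d type byte, after the 5-byte TLS record header) exported from Wireshark for the failing and the working handshake, and diff the two dictionaries; with an EC client certificate, the pair the client chose for CertificateVerify has to be one of the ecdsa_* names in the failing server's list.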