SSLVerifyClient="optionalNoCA" stops working in tomcat 8.0.32?

[Florian Kleedorfer]

Hi!

TL;DR: The TLS handshake with client authentication using self-signed 
client certificates (using APR/openssl) stopped working from tomcat 
8.0.30 to tomcat 8.0.32. Cause is suspected in a change of openssl or 
APR between versions.

# Context:

We're using tomcat 8 in a setting where the client has a self-signed 
client certificate that is transmitted to the server to identify the 
client. The certificate is used to gather client-specific data in the 
appliation. We aren't interested in setting up our own PKI for that, or 
using official CAs. Self-signed certs on the client are fine, as far as 
we're concerned.

Our code that works in 8.0.30 stops working when switching to 8.0.32, as 
documented in this issue on github 
https://github.com/researchstudio-sat/webofneeds/issues/547

I am suspecting its either an APR or an openssl issue, or something 
related to the way we generate our certificates. I looked up the 
versions used in the last working and the first non-working tomcat minor 
releases:

tomcat 8.0.30: tcnative version 1.1.33.0, OpenSSL 1.0.1m 19 Mar 2015 
(works for us)
tomcat 8.0.32: tcnative version 1.2.4.0 , OpenSSL 1.0.2e 3 Dec 2015 
(doesn't work for us)

# Config:

I'm experiencing this on Windows 7, using the -x64 zip downloads.

Here's the configuration of the tomcat connector:

<Connector
    clientAuth="wanted" port="8443" minSpareThreads="5"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="C:/Users/fkleedorfer/wonkey/t-cert.pem"
    SSLCertificateKeyFile="C:/Users/fkleedorfer/wonkey/t-key.pem"
    SSLPassword="changeit"
    SSLVerifyClient="optionalNoCA"
    SSLVerifyDepth="2"
    sslProtocol="TLS"/>

# Logs:

Here's the trace of the failing TLS handshake (including the exception), 
with -Djavax.net.debug=all

client side:

https://gist.github.com/fkleedorfer/8b4c3932a1de4b51617eac5e03c0be29

server side, with java util logging level=ALL:

https://gist.github.com/fkleedorfer/f9ca53ee1466bf50dba6ce6d3c243b39

# Self-Signed Client certificate:

C:\Users\fkleedorfer\wonkey>keytool -list -v -providerclass 
org.bouncycastle.jce
.provider.BouncyCastleProvider -storetype UBER -storepass [XXXX] 
-keystore owner-k
eys.jks

Keystore-Typ: UBER
Keystore-Provider: BC

Keystore enthält 1 Eintrag

Aliasname: https://192.168.124.49:8443/owner
Erstellungsdatum: 19.05.2016
Eintragstyp: PrivateKeyEntry
Zertifikatskettenlänge: 1
Zertifikat[1]:
Eigentümer: CN=https://192.168.124.49:8443/owner,OU=Web of Needs
Aussteller: CN=https://192.168.124.49:8443/owner,OU=Web of Needs
Seriennummer: 1
Gültig von: Wed May 18 00:00:00 CEST 2016 bis: Sat May 19 00:00:00 CEST 2018
Zertifikat-Fingerprints:
         MD5:  85:BD:2C:67:B5:BF:24:D5:D8:A2:F5:8D:51:F2:31:89
         SHA1: F1:92:56:6E:70:A8:DF:05:3E:B1:34:65:8F:CA:D8:69:C6:4C:34:A5
         SHA256: 
43:60:9F:10:05:F3:2B:60:89:16:0F:65:87:E4:07:C1:48:FE:5E:D2:51:
C6:BA:42:3B:0C:3F:25:9B:E3:37:FD
         Signaturalgorithmusname: SHA256WITHECDSA
         Version: 3


*******************************************
*******************************************
**
Any help is greatly appreciated, Thanks in advance!

Florian