On 07/02/17 19:33, George Stanchev wrote:
Mark,
Apologies for top posting. We have our own trust manager that is
attached to the connector because we want client certificates to be
passed in the application for validation and authentication rather
than the connector. If we switch to the OpenSSL/APR based certificate
processing, would the trust manager still work? I presume not, but
wanted to ask and if not, what are the options?
If the application is validating the client certs, just add valid
to/from date checking to that validation.
Mark
-----Original Message----- From: Mark Thomas
[mailto:ma...@apache.org] Sent: Monday, February 06, 2017 7:20 AM To:
Tomcat Users List <users@tomcat.apache.org> Subject: Re: Apache
Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore
expires, any webclient request is still accepted by server and not
refused
On 06/02/17 13:49, Francesco Leone wrote:
Dear Sirs, To communicate you a behaviour with Apache Tomcat
7.0.59
Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74
- OpenSSL 1.0.2g
We have a client - server communication. The Client certificate is
produced via keytool and we have same problem highlighted here
http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-
7-0-to-reject-connections-with-expired-client-certific
and
http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-
on-expired-certificates
What we got reading all flow, is that to solve our problem we
should implement a new X509TrustManager which creates our original
instance in its constructor, implements all methods as calls to the
original instance, and adds a call to checkValidity for each
certificate in certs[] inside checkServerTrusted.
Did we get well ? If yes, it sounds to us as a hole in the security
and so a bug in Tomcat, is there any chance to have this behaviour
(refuse connection at expired certificates) as standard in later
Apache tomcat 7.0.x release ? Any of this community can support us
?
This is not a Tomcat bug.
If you tell Java to trust a certificate, it will do so and ignore the
validity period.
I've looked into this in the past and short of implementing your own
X509TrustManager I haven't yet found an API Tomcat could use to add
an additional check on the trusted cert's validity.
A better general solution is to trust the CA(s) issuing the client
certificates rather than the client certificates. Then, because the
client cert is not in the trust store, Java checks it more thoroughly
- including the validity dates.
It is also worth looking at using an OpenSSL based TLS connector.
From what I recall of my previous testing OpenSSL did check the
validity dates of trusted certs.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
