You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Palod, Manish" <Ma...@McAfee.com> on 2021/05/04 17:17:51 UTC
Tomcat 9: Client Certificate verification setting with optional is
not working
Hi,
We are in process of migrating from Tomcat 7 to Tomcat 9.
We use cert-based client authentication in our application, support password-based and cert-based authentication.
For this purpose, we are setting certificateVerification="optional" attribute in SSLHostConfig Element of Server.xml [in Tomcat 7, we were setting clientAuth="want" ]
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
address="0.0.0.0"
maxPostSize="10485760"
URIEncoding="UTF-8" server=" ">
<SSLHostConfig
truststoreFile="${tomcat.bind.truststore}" truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
certificateVerification="optional" sslProtocol="TLS"
protocols="TLSv1.2">
<Certificate certificateKeystoreFile="${tomcat.bind.keystore}" certificateKeystorePassword ="${tomcat.bind.keystorepass}"
type="RSA" />
</SSLHostConfig>
</Connector>
When I am trying to access application from browser, where client certificate is available, this use case is not working with setting(certificateVerification="optional"), Tomcat is not requesting for client cert.
If I change this setting to certificateVerification="required", then this functionality is working as it was working with Tomcat 7.
Can someone help in understanding why Tomcat 9, setting with "optional" value not working.
As per Tomcat 9 SSLHostConfig documentation<https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig>, client authentication with optional setting should work?
certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
Regards
Manish
Re: Tomcat 9: Client Certificate verification setting with optional
is not working
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark and Manish,
On 5/10/21 13:11, Mark Thomas wrote:
> On 08/05/2021 18:26, Palod, Manish wrote:
>> Hi,
>>
>> We further debugged the issue and narrowed down the issue to dynamic
>> update of Truststore. We add certificate into TrustStore dynamically.
>> We have to restart the server to use the newly added certificate.
>> This was working fine with Tomcat 7.
>
> I'm surprised that worked.
>
>> Are we missing any configuration detail or any other details required
>> by Tomcat 9 for this use case?
>
> I'd expect you top have to reload the TLS config to pickup the changes.
> You can do that via JMX or the Manager app.
... without having to restart Tomcat. :)
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat 9: Client Certificate verification setting with optional
is not working
Posted by Mark Thomas <ma...@apache.org>.
On 08/05/2021 18:26, Palod, Manish wrote:
> Hi,
>
> We further debugged the issue and narrowed down the issue to dynamic update of Truststore. We add certificate into TrustStore dynamically. We have to restart the server to use the newly added certificate.
> This was working fine with Tomcat 7.
I'm surprised that worked.
> Are we missing any configuration detail or any other details required by Tomcat 9 for this use case?
I'd expect you top have to reload the TLS config to pickup the changes.
You can do that via JMX or the Manager app.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 9: Client Certificate verification setting with optional
is not working
Posted by "Palod, Manish" <Ma...@McAfee.com>.
Hi,
We further debugged the issue and narrowed down the issue to dynamic update of Truststore. We add certificate into TrustStore dynamically. We have to restart the server to use the newly added certificate.
This was working fine with Tomcat 7.
Are we missing any configuration detail or any other details required by Tomcat 9 for this use case?
Regards
Manish
-----Original Message-----
From: Palod, Manish
Sent: Wednesday, May 5, 2021 9:21 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: RE: Tomcat 9: Client Certificate verification setting with optional is not working
Hi Mark,
Thank you for your suggestion. We will try with private browsing mode.
No, we tried in normal browsing mode only. Our issue with optional applies to very first-time access only.
When we tried with certificateVerification="required" first, we were prompted with Client certificate, after that we changed the settings back to "optional" and still application is working with client certificate, and that is due to client certificate is available in cache.
Regards
Manish
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, May 5, 2021 1:47 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9: Client Certificate verification setting with optional is not working
CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
On 04/05/2021 18:17, Palod, Manish wrote:
> Hi,
>
> We are in process of migrating from Tomcat 7 to Tomcat 9.
> We use cert-based client authentication in our application, support password-based and cert-based authentication.
>
> For this purpose, we are setting certificateVerification="optional"
> attribute in SSLHostConfig Element of Server.xml [in Tomcat 7, we were
> setting clientAuth="want" ]
>
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
> address="0.0.0.0"
> maxPostSize="10485760"
> URIEncoding="UTF-8" server=" ">
> <SSLHostConfig
> truststoreFile="${tomcat.bind.truststore}" truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
> certificateVerification="optional" sslProtocol="TLS"
> protocols="TLSv1.2">
> <Certificate certificateKeystoreFile="${tomcat.bind.keystore}" certificateKeystorePassword ="${tomcat.bind.keystorepass}"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
> When I am trying to access application from browser, where client certificate is available, this use case is not working with setting(certificateVerification="optional"), Tomcat is not requesting for client cert.
> If I change this setting to certificateVerification="required", then this functionality is working as it was working with Tomcat 7.
>
>
> Can someone help in understanding why Tomcat 9, setting with "optional" value not working.
I've just tested this locally and certificateVerification="optional" is working as expected.
Are you testing with a private browsing window? Browsers can sometimes be "helpful" and cache things between sessions. After opting not to provide a certificate once, I wasn't prompted gain until I used a private window or cleared out the cache.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 9: Client Certificate verification setting with optional
is not working
Posted by "Palod, Manish" <Ma...@McAfee.com>.
Hi Mark,
Thank you for your suggestion. We will try with private browsing mode.
No, we tried in normal browsing mode only. Our issue with optional applies to very first-time access only.
When we tried with certificateVerification="required" first, we were prompted with Client certificate, after that we changed the settings back to "optional" and still application is working with client certificate, and that is due to client certificate is available in cache.
Regards
Manish
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, May 5, 2021 1:47 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9: Client Certificate verification setting with optional is not working
CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.
On 04/05/2021 18:17, Palod, Manish wrote:
> Hi,
>
> We are in process of migrating from Tomcat 7 to Tomcat 9.
> We use cert-based client authentication in our application, support password-based and cert-based authentication.
>
> For this purpose, we are setting certificateVerification="optional"
> attribute in SSLHostConfig Element of Server.xml [in Tomcat 7, we were
> setting clientAuth="want" ]
>
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
> address="0.0.0.0"
> maxPostSize="10485760"
> URIEncoding="UTF-8" server=" ">
> <SSLHostConfig
> truststoreFile="${tomcat.bind.truststore}" truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
> certificateVerification="optional" sslProtocol="TLS"
> protocols="TLSv1.2">
> <Certificate certificateKeystoreFile="${tomcat.bind.keystore}" certificateKeystorePassword ="${tomcat.bind.keystorepass}"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
> When I am trying to access application from browser, where client certificate is available, this use case is not working with setting(certificateVerification="optional"), Tomcat is not requesting for client cert.
> If I change this setting to certificateVerification="required", then this functionality is working as it was working with Tomcat 7.
>
>
> Can someone help in understanding why Tomcat 9, setting with "optional" value not working.
I've just tested this locally and certificateVerification="optional" is working as expected.
Are you testing with a private browsing window? Browsers can sometimes be "helpful" and cache things between sessions. After opting not to provide a certificate once, I wasn't prompted gain until I used a private window or cleared out the cache.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat 9: Client Certificate verification setting with optional
is not working
Posted by Mark Thomas <ma...@apache.org>.
On 04/05/2021 18:17, Palod, Manish wrote:
> Hi,
>
> We are in process of migrating from Tomcat 7 to Tomcat 9.
> We use cert-based client authentication in our application, support password-based and cert-based authentication.
>
> For this purpose, we are setting certificateVerification="optional" attribute in SSLHostConfig Element of Server.xml [in Tomcat 7, we were setting clientAuth="want" ]
>
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
> address="0.0.0.0"
> maxPostSize="10485760"
> URIEncoding="UTF-8" server=" ">
> <SSLHostConfig
> truststoreFile="${tomcat.bind.truststore}" truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
> certificateVerification="optional" sslProtocol="TLS"
> protocols="TLSv1.2">
> <Certificate certificateKeystoreFile="${tomcat.bind.keystore}" certificateKeystorePassword ="${tomcat.bind.keystorepass}"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
> When I am trying to access application from browser, where client certificate is available, this use case is not working with setting(certificateVerification="optional"), Tomcat is not requesting for client cert.
> If I change this setting to certificateVerification="required", then this functionality is working as it was working with Tomcat 7.
>
>
> Can someone help in understanding why Tomcat 9, setting with "optional" value not working.
I've just tested this locally and certificateVerification="optional" is
working as expected.
Are you testing with a private browsing window? Browsers can sometimes
be "helpful" and cache things between sessions. After opting not to
provide a certificate once, I wasn't prompted gain until I used a
private window or cleared out the cache.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org