Posted to users@tomcat.apache.org by Goo Sam Kong <sk...@gmail.com> on 2010/11/12 17:27:26 UTC

Client not able to perform client-cert authentication with Tomcat 6.0.29 on APR

Hi

I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.

I changed server.xml as below.

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">

    <!--APR library loader. Documentation at /docs/apr.html -->
    <Listener SSLEngine="on"
        className="org.apache.catalina.core.AprLifecycleListener" />
    <Listener className="org.apache.catalina.core.JasperListener" />
    <!-- Prevent memory leaks due to use of particular java/javax APIs-->
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
    <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

    <GlobalNamingResources>
        <Resource auth="Container"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            name="UserDatabase"
            pathname="conf/tomcat-users.xml"
            type="org.apache.catalina.UserDatabase" />
    </GlobalNamingResources>

    <Service name="Catalina">

        <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
            redirectPort="8443" />
        <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
            SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
            SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
            SSLCipherSuite="AES128-SHA:DES-CBC3-SHA" SSLEnabled="true"
            SSLEngine="on"
            SSLVerifyClient="optional" maxThreads="150" port="8443"
            protocol="HTTP/1.1" scheme="https" secure="true"
            sslProtocol="TLS" />

        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

        <Engine defaultHost="localhost" name="Catalina">
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                resourceName="UserDatabase" />

            <Host appBase="webapps" autoDeploy="true" name="localhost"
                unpackWARs="true" xmlNamespaceAware="false"
                xmlValidation="false">

                <Context docBase="cert" path="/cert" reloadable="true"
                    source="org.eclipse.jst.j2ee.server:cert" />
                <Context docBase="crl" path="/crl" reloadable="true"
                    source="org.eclipse.jst.j2ee.server:crl" />
                <Context docBase="tdci-2.5.0" path="/tdci-2.5.0"
                    reloadable="true"
                    source="org.eclipse.jst.j2ee.server:tdci-2.5.0" />
            </Host>
        </Engine>
    </Service>
</Server>

My Java XML-RPC client threw the exception below:
Exception in thread "main" java.net.SocketException: Software caused connection abort: socket write error
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
    at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
    at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:666)
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:584)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:698)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:624)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:839)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.xmlrpc.DefaultXmlRpcTransport.sendXmlRpc(Unknown Source)
    at org.apache.xmlrpc.XmlRpcClientWorker.execute(Unknown Source)
    at org.apache.xmlrpc.XmlRpcClient.execute(Unknown Source)
    at TdciXmlRpcCertAuthClient.requestWebIssuanceKey(TdciXmlRpcCertAuthClient.java:166)
    at TdciXmlRpcCertAuthClient.main(TdciXmlRpcCertAuthClient.java:63)

Please help.

Thank you.

SamKong Goo

Re: Client not able to perform client-cert authentication with Tomcat 6.0.29 on APR

Posted by Goo Sam Kong <sk...@gmail.com>.
Hi Mark,

Thank you for the settings. I am not sure what the APR/native connector
version is; I am using the default APR/native connector in 6.0.29 (I did not
set/change APR on my Windows machine).

I am not sure why the client certificate authentication failed when my
client certificate was signed with SHA256, but client certificate
authentication worked perfectly when the client certificate was signed with
SHA1.

From http://old.nabble.com/SHA256-digest-windows-0.9.8k--td26123008.html, it
is mentioned that the developer is required to include a call to
OpenSSL_add_all_algorithms() instead of calling SSL_library_init(), which only
adds the more commonly used SSL algorithms. I am not sure where I should
include this.

Can you advise how to solve my problem?

My APR connector settings:
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
               SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
               SSLVerifyClient="optional"
               SSLVerifyDepth="1"
               SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
               SSLCACertificateFile="C:\usr-files\client-cert-ca.crt" />

On 13 November 2010 00:38, Mark Thomas <ma...@apache.org> wrote:

> On 12/11/2010 16:27, Goo Sam Kong wrote:
> > Hi
> >
> > I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
>
> APR/native connector version? SSL re-negotiation wasn't supported until
> recently and the CVE-2009-3555 fixes further complicate things.
>
> > <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
> >            SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
> >            SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
> >            SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
> >            SSLEnabled="true"
> >            SSLEngine="on"
> >            SSLVerifyClient="optional"
> >            maxThreads="150"
> >            port="8443"
> >            protocol="HTTP/1.1"
> >            scheme="https"
> >            secure="true"
> >            sslProtocol="TLS" />
>
> Is SSLEngine a valid attribute here? I don't see it in the Connector docs.
> SSLVerifyClient="optional" can (should?) be removed.
> Is that SSLCipherSuite compatible with your client? Try removing that
> setting until everything else is working.
>
> The following settings are known to work:
>
> <Connector
>  port="8443"
>  protocol="org.apache.coyote.http11.Http11AprProtocol"
>  SSLEnabled="true"
>  maxThreads="150"
>  scheme="https"
>  secure="true"
>  SSLCertificateFile="${catalina.base}/conf/tomcathost-cert.pem"
>  SSLCertificateKeyFile="${catalina.base}/conf/tomcathost-key.pem"
>  SSLCACertificateFile="${catalina.base}/conf/cacert.pem" />
>
> Mark
>

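The SHA256-versus-SHA1 difference reported in the reply above is easiest to confirm by reading the signature algorithm off the client certificate itself before it is presented to the APR/OpenSSL connector. The following is an added example, not code from the thread, from Tomcat or from the APR connector: a stdlib-only Python check that walks the certificate's DER structure and names its outer signature algorithm; the sample certificate it builds is constructed for the demonstration and is not a real certificate.

```python
import base64
import re
# Signature-algorithm OIDs relevant to the thread (RSA signatures, SHA-1 vs SHA-256).
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OID content octets into dotted notation (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip PEM armour (the format of tomcat.crt / client-cert-ca.crt) and decode."""
    return base64.b64decode(re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem))

def signature_algorithm(der):
    """Return (name, digest) of the outer signatureAlgorithm of a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)      # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg, 0)         # its first element is the algorithm OID
    dotted = _decode_oid(oid)
    return SIG_ALGS.get(dotted, (dotted, "unknown"))

def sample_cert(sig_oid_der):
    """Constructed sample (not a real cert): valid outer structure with stub tbs/signature."""
    tbs, sig = bytes.fromhex("3003020102"), bytes.fromhex("030200ff")  # SEQUENCE{INT 2}, BIT STRING
    alg = b"\x30" + bytes([len(sig_oid_der) + 2]) + sig_oid_der + b"\x05\x00"  # OID + NULL params
    return b"\x30" + bytes([len(tbs + alg + sig)]) + tbs + alg + sig

SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # DER-encoded 1.2.840.113549.1.1.11
SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")    # DER-encoded 1.2.840.113549.1.1.5
```

On a real file, `signature_algorithm(pem_to_der(open("client.crt").read()))` tells you whether the client certificate is SHA-256 signed, the case the thread reports as failing, without needing the OpenSSL command line.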
Re: Client not able to perform client-cert authentication with Tomcat 6.0.29 on APR

Posted by Mark Thomas <ma...@apache.org>.
On 12/11/2010 16:27, Goo Sam Kong wrote:
> Hi
> 
> I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.

APR/native connector version? SSL re-negotiation wasn't supported until
recently and the CVE-2009-3555 fixes further complicate things.

> <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
>            SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
>            SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
>            SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
>            SSLEnabled="true"
>            SSLEngine="on"
>            SSLVerifyClient="optional"
>            maxThreads="150"
>            port="8443"
>            protocol="HTTP/1.1"
>            scheme="https"
>            secure="true"
>            sslProtocol="TLS" />

Is SSLEngine a valid attribute here? I don't see it in the Connector docs.
SSLVerifyClient="optional" can (should?) be removed.
Is that SSLCipherSuite compatible with your client? Try removing that
setting until everything else is working.

The following settings are known to work:

<Connector
  port="8443"
  protocol="org.apache.coyote.http11.Http11AprProtocol"
  SSLEnabled="true"
  maxThreads="150"
  scheme="https"
  secure="true"
  SSLCertificateFile="${catalina.base}/conf/tomcathost-cert.pem"
  SSLCertificateKeyFile="${catalina.base}/conf/tomcathost-key.pem"
  SSLCACertificateFile="${catalina.base}/conf/cacert.pem" />

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org