Posted to users@tomcat.apache.org by Goo Sam Kong <sk...@gmail.com> on 2010/11/12 17:27:26 UTC
Client not able to perform client-cert authentication with Tomcat 6.0.29 on APR
Hi
I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
I changed server.xml as below.
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <GlobalNamingResources>
    <Resource auth="Container" description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              name="UserDatabase" pathname="conf/tomcat-users.xml"
              type="org.apache.catalina.UserDatabase" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
               SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
               SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
               SSLCipherSuite="AES128-SHA:DES-CBC3-SHA" SSLEnabled="true"
               SSLEngine="on" SSLVerifyClient="optional" maxThreads="150"
               port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
               sslProtocol="TLS" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine defaultHost="localhost" name="Catalina">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
      <Host appBase="webapps" autoDeploy="true" name="localhost"
            unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
        <Context docBase="cert" path="/cert" reloadable="true"
                 source="org.eclipse.jst.j2ee.server:cert" />
        <Context docBase="crl" path="/crl" reloadable="true"
                 source="org.eclipse.jst.j2ee.server:crl" />
        <Context docBase="tdci-2.5.0" path="/tdci-2.5.0" reloadable="true"
                 source="org.eclipse.jst.j2ee.server:tdci-2.5.0" />
      </Host>
    </Engine>
  </Service>
</Server>
My Java XML-RPC client threw the exception below:
Exception in thread "main" java.net.SocketException: Software caused connection abort: socket write error
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
    at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
    at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:666)
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:584)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:698)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:624)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:839)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.apache.xmlrpc.DefaultXmlRpcTransport.sendXmlRpc(Unknown Source)
    at org.apache.xmlrpc.XmlRpcClientWorker.execute(Unknown Source)
    at org.apache.xmlrpc.XmlRpcClient.execute(Unknown Source)
    at TdciXmlRpcCertAuthClient.requestWebIssuanceKey(TdciXmlRpcCertAuthClient.java:166)
    at TdciXmlRpcCertAuthClient.main(TdciXmlRpcCertAuthClient.java:63)
Please help.
Thank you.
SamKong Goo
Re: Client not able to perform client-cert authentication with Tomcat 6.0.29 on APR
Posted by Goo Sam Kong <sk...@gmail.com>.
Hi Mark,
Thank you for the settings. I am not sure what the APR/native connector version is; I am using the default APR/native connector in 6.0.29 (I do not set/change APR on my Windows machine).
I am not sure why the client certificate authentication failed when my client certificate was signed with SHA256, but client certificate authentication worked perfectly when the client certificate was signed with SHA1.
From http://old.nabble.com/SHA256-digest-windows-0.9.8k--td26123008.html, it mentioned that developers are required to include a call to OpenSSL_add_all_algorithms() instead of calling SSL_library_init(), which only adds the more commonly used SSL algorithms. I am not sure where I should include this.
Can you advise how to solve my problem?
My APR connector settings:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
           SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
           SSLVerifyClient="optional"
           SSLVerifyDepth="1"
           SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
           SSLCACertificateFile="C:\usr-files\client-cert-ca.crt" />
On 13 November 2010 00:38, Mark Thomas <ma...@apache.org> wrote:
> On 12/11/2010 16:27, Goo Sam Kong wrote:
> > Hi
> >
> > I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
>
> APR/native connector version? SSL re-negotiation wasn't supported until
> recently and the CVE-2009-3555 fixes further complicate things.
>
> > <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
> > SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
> > SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
> > SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
> > SSLEnabled="true"
> > SSLEngine="on"
> > SSLVerifyClient="optional"
> > maxThreads="150"
> > port="8443"
> > protocol="HTTP/1.1"
> > scheme="https"
> > secure="true"
> > sslProtocol="TLS" />
>
> Is SSLEngine a valid attribute here? I don't see it in the Connector docs.
> SSLVerifyClient="optional" can (should?) be removed.
> Is that SSLCipherSuite compatible with your client? Try removing that
> setting until everything else is working.
>
> The following settings are known to work:
>
> <Connector
> port="8443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https"
> secure="true"
> SSLCertificateFile="${catalina.base}/conf/tomcathost-cert.pem"
> SSLCertificateKeyFile="${catalina.base}/conf/tomcathost-key.pem"
> SSLCACertificateFile="${catalina.base}/conf/cacert.pem" />
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
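The reply above narrows the failure down to the digest used to sign the client certificate: SHA-1-signed certificates authenticate, SHA-256-signed ones do not, and the cited nabble thread attributes that to an OpenSSL build whose SSL_library_init() did not register the SHA-2 digests. Before touching the connector, an administrator wants to know which signature algorithm a given client certificate actually carries. The following is an added example written for this editorial pass, not code from the thread or from Tomcat: it walks the DER structure of a certificate with only the Python standard library, reports the outer signatureAlgorithm OID by name, flags whether it is a SHA-2 family algorithm, and checks that the algorithm inside tbsCertificate matches the outer one (RFC 5280 requires they agree). The two sample certificates at the bottom are constructed skeletons built by the helper build_sample_cert (an assumption of this example), carrying a zero signature and an empty issuer name; they are not real or verifiable certificates. To inspect a real client certificate, pass its PEM text to describe_signature.

```python
import base64
import re

# OID -> name for the signature algorithms this check reports on.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA2_FAMILY = {"1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12",
               "1.2.840.113549.1.1.13", "1.2.840.10045.4.3.2"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                           # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip the PEM armour and whitespace, then base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def signature_algorithms(der):
    """Return (tbs_oid, outer_oid): the 'signature' field inside tbsCertificate
    and the outer 'signatureAlgorithm' field of the Certificate SEQUENCE."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)               # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)         # signatureAlgorithm
    outer_oid = _decode_oid(_read_tlv(outer_alg, 0)[1])
    tag, _, after = _read_tlv(tbs, 0)
    p = after if tag == 0xA0 else 0                # skip EXPLICIT [0] version if present
    _, _, p = _read_tlv(tbs, p)                    # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, p)            # signature (AlgorithmIdentifier)
    return _decode_oid(_read_tlv(inner_alg, 0)[1]), outer_oid


def describe_signature(pem):
    """Summarise the signature algorithm of a PEM certificate for an operator."""
    inner, outer = signature_algorithms(pem_to_der(pem))
    return {"oid": outer, "name": SIG_ALG_NAMES.get(outer, "unknown"),
            "sha2": outer in SHA2_FAMILY, "consistent": inner == outer}


# ---- constructed sample input (hypothetical helpers, not real certificates) ----
def _tlv(tag, value):
    """DER-encode a TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    """Encode dotted OID notation into DER OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                 # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid, tbs_sig_oid=None):
    """Constructed Certificate skeleton: v3, serial 1, the given signature
    AlgorithmIdentifier, an empty issuer Name and an all-zero signature."""
    def alg(oid):
        return _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + b"\x05\x00")  # NULL params
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01")
               + alg(tbs_sig_oid or sig_oid) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + alg(sig_oid) + _tlv(0x03, b"\x00" + bytes(16)))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


SHA256_CLIENT_CERT = build_sample_cert("1.2.840.113549.1.1.11")
SHA1_CLIENT_CERT = build_sample_cert("1.2.840.113549.1.1.5")

if __name__ == "__main__":
    for label, pem in (("sha256", SHA256_CLIENT_CERT), ("sha1", SHA1_CLIENT_CERT)):
        print(label, describe_signature(pem))
```

A certificate reported with sha2 set to True is the case the thread says fails against the older APR/OpenSSL build, while a False result for consistent means the certificate itself is malformed and should be rejected regardless of the connector. The DER walker deliberately reads only the handful of fields it needs, so it does not depend on the rest of the certificate being well formed.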
Re: Client not able to perform client-cert authentication with Tomcat 6.0.29 on APR
Posted by Mark Thomas <ma...@apache.org>.
On 12/11/2010 16:27, Goo Sam Kong wrote:
> Hi
>
> I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
APR/native connector version? SSL re-negotiation wasn't supported until
recently and the CVE-2009-3555 fixes further complicate things.
> <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
> SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
> SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
> SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
> SSLEnabled="true"
> SSLEngine="on"
> SSLVerifyClient="optional"
> maxThreads="150"
> port="8443"
> protocol="HTTP/1.1"
> scheme="https"
> secure="true"
> sslProtocol="TLS" />
Is SSLEngine a valid attribute here? I don't see it in the Connector docs.
SSLVerifyClient="optional" can (should?) be removed.
Is that SSLCipherSuite compatible with your client? Try removing that
setting until everything else is working.
The following settings are known to work:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           SSLCertificateFile="${catalina.base}/conf/tomcathost-cert.pem"
           SSLCertificateKeyFile="${catalina.base}/conf/tomcathost-key.pem"
           SSLCACertificateFile="${catalina.base}/conf/cacert.pem" />
Mark