Posted to users@tomcat.apache.org by André Cruz <an...@co.sapo.pt> on 2009/03/31 15:28:19 UTC

Renegotiate SSL connection in servlet

Hello all.

I'm coding a servlet that does SSL client cert authentication. The
requests already arrive on an SSL connector but for this servlet in
particular the SSL connection needs to be renegotiated to ask for a
client certificate. Is there any way to do this inside a servlet? With
or without APR?

I'm running Tomcat 6.0.18, Java 6 on Linux.

Thanks and best regards,
André Cruz
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Renegotiate SSL connection in servlet

Posted by André Cruz <an...@co.sapo.pt>.
On Apr 1, 2009, at 14:23 , André Cruz wrote:

> On Apr 1, 2009, at 14:21 , Mark Thomas wrote:
>
>> André Cruz wrote:
>>> On Mar 31, 2009, at 22:17 , Mark Thomas wrote:
>>>
>>>> Caldarale, Charles R wrote:
>>>>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>>>>> Subject: Re: Renegotiate SSL connection in servlet
>>>>>>
>>>>>> Your only other option for Tomcat is to configure another <Connector>
>>>>>> which would require a different IP or port number, which makes it ...
>>>>>> inconvenient at best.
>>>>>
>>>>> Using a different port may not work at all with many versions of IE,
>>>>> which "know" that all HTTPS traffic is on 443 and ignore the port on
>>>>> the URL.
>>>>>
>>>>> "Standards?  What standards?  We don't need no stinkin' standards!"
>>>>
>>>> What happens if you define multiple security constraints? ie
>>>>
>>>> 1. Requires SSL for whole app
>>>> 2. Requires CLIENT-CERT auth for part of the app.
>>>
>>> Does not work. Client certificate is not requested.
>>
>> Hmm. That doesn't sound good. Can you create a bugzilla entry for that
>> use case and I'll try and take a look as to why.
>
> Will do. Thanks.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

André




Re: Renegotiate SSL connection in servlet

Posted by André Cruz <an...@co.sapo.pt>.
On Apr 1, 2009, at 14:21 , Mark Thomas wrote:

> André Cruz wrote:
>> On Mar 31, 2009, at 22:17 , Mark Thomas wrote:
>>
>>> Caldarale, Charles R wrote:
>>>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>>>> Subject: Re: Renegotiate SSL connection in servlet
>>>>>
>>>>> Your only other option for Tomcat is to configure another <Connector>
>>>>> which would require a different IP or port number, which makes it ...
>>>>> inconvenient at best.
>>>>
>>>> Using a different port may not work at all with many versions of IE,
>>>> which "know" that all HTTPS traffic is on 443 and ignore the port on
>>>> the URL.
>>>>
>>>> "Standards?  What standards?  We don't need no stinkin' standards!"
>>>
>>> What happens if you define multiple security constraints? ie
>>>
>>> 1. Requires SSL for whole app
>>> 2. Requires CLIENT-CERT auth for part of the app.
>>
>> Does not work. Client certificate is not requested.
>
> Hmm. That doesn't sound good. Can you create a bugzilla entry for that
> use case and I'll try and take a look as to why.

Will do. Thanks.

André




Re: Renegotiate SSL connection in servlet

Posted by Mark Thomas <ma...@apache.org>.
André Cruz wrote:
> On Mar 31, 2009, at 22:17 , Mark Thomas wrote:
> 
>> Caldarale, Charles R wrote:
>>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>>> Subject: Re: Renegotiate SSL connection in servlet
>>>>
>>>> Your only other option for Tomcat is to configure another <Connector>
>>>> which would require a different IP or port number, which makes it ...
>>>> inconvenient at best.
>>>
>>> Using a different port may not work at all with many versions of IE,
>>> which "know" that all HTTPS traffic is on 443 and ignore the port on
>>> the URL.
>>>
>>> "Standards?  What standards?  We don't need no stinkin' standards!"
>>
>> What happens if you define multiple security constraints? ie
>>
>> 1. Requires SSL for whole app
>> 2. Requires CLIENT-CERT auth for part of the app.
> 
> Does not work. Client certificate is not requested.

Hmm. That doesn't sound good. Can you create a bugzilla entry for that use case
and I'll try and take a look as to why.

Mark

> 
> André




Re: Renegotiate SSL connection in servlet

Posted by André Cruz <an...@co.sapo.pt>.
On Mar 31, 2009, at 22:17 , Mark Thomas wrote:

> Caldarale, Charles R wrote:
>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>> Subject: Re: Renegotiate SSL connection in servlet
>>>
>>> Your only other option for Tomcat is to configure another <Connector>
>>> which would require a different IP or port number, which makes it ...
>>> inconvenient at best.
>>
>> Using a different port may not work at all with many versions of IE,
>> which "know" that all HTTPS traffic is on 443 and ignore the port on
>> the URL.
>>
>> "Standards?  What standards?  We don't need no stinkin' standards!"
>
> What happens if you define multiple security constraints? ie
>
> 1. Requires SSL for whole app
> 2. Requires CLIENT-CERT auth for part of the app.

Does not work. Client certificate is not requested.

André




Re: Renegotiate SSL connection in servlet

Posted by Mark Thomas <ma...@apache.org>.
Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Subject: Re: Renegotiate SSL connection in servlet
>>
>> Your only other option for Tomcat is to configure another <Connector>
>> which would require a different IP or port number, which makes it ...
>> inconvenient at best.
> 
> Using a different port may not work at all with many versions of IE, which "know" that all HTTPS traffic is on 443 and ignore the port on the URL.
> 
> "Standards?  What standards?  We don't need no stinkin' standards!"

What happens if you define multiple security constraints? ie

1. Requires SSL for whole app
2. Requires CLIENT-CERT auth for part of the app.

Mark

> 
>  - Chuck


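The two-constraint layout Mark proposes, written out as an added example for
readers of this thread (it is not a fragment from the thread or from the
Tomcat distribution). The /cert/* path and the role name "certuser" are
assumptions. Note that André's reply in this thread reports that, on Tomcat
6.0.18, this layout did not cause the client certificate to be requested; that
is the use case filed as Bugzilla entry 46950 above.

```xml
<!-- Added example web.xml fragment (not from the thread). Assumes the
     connector already has a truststoreFile for the client CA. -->

<!-- 1. Require SSL for the whole application. A user-data-constraint
        on its own does not trigger any authentication. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. Require an authenticated role only for the part of the app that
        needs the certificate. Hypothetical path /cert/* and role name. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-protected servlet</web-resource-name>
    <url-pattern>/cert/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certuser</role-name>
  </auth-constraint>
</security-constraint>

<!-- The auth-method is global to the web application, so CLIENT-CERT is
     used for every constrained resource; the difference between the two
     constraints is only whether an auth-constraint is present. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>certuser</role-name>
</security-role>
```

With CLIENT-CERT, Tomcat's built-in realms look the certificate's subject DN up
as the user name, so the realm (tomcat-users.xml, JNDI, JDBC, ...) must contain
an entry whose name is the full subject DN and which carries the "certuser"
role; an unknown DN is refused with 401 even though the TLS handshake succeeded.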


RE: Renegotiate SSL connection in servlet

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Renegotiate SSL connection in servlet
> 
> Your only other option for Tomcat is to configure another <Connector>
> which would require a different IP or port number, which makes it ...
> inconvenient at best.

Using a different port may not work at all with many versions of IE, which "know" that all HTTPS traffic is on 443 and ignore the port on the URL.

"Standards?  What standards?  We don't need no stinkin' standards!"

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


Re: Renegotiate SSL connection in servlet

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 3/31/2009 9:51 AM, André Cruz wrote:
> On Mar 31, 2009, at 14:44 , Christopher Schultz wrote:
>> <Connector ... clientAuth="want" />
> 
> The problem with "want" is that, at least with IE, the browser always
> prompts the user for a certificate.

Hmm... that's not supposed to happen :(

I've never used client-cert, so I don't have any particular advice for
you, unfortunately.

What I do know is that the <Connector> element is pretty global... you
can't have it ask for certs for some requests and not others. Also, your
code won't be able to touch anything until after the SSL negotiation is
over, so you can't modify the SSL settings or anything like that.

Your only other option for Tomcat is to configure another <Connector>
which would require a different IP or port number, which makes it ...
inconvenient at best.

> I just want the prompt to appear when a specific servlet is requested. I
> can do this with Apache and <Location> directives but I would like to
> use a tomcat-only configuration.

I think httpd might be required, here, but I'd love to hear what others
have to say. If you don't hear anything else for a day or so, re-post a
new message with something like "CLIENT-CERT 'want' asks for cert on
MSIE" or something like that. I'm certain that 'want' is not supposed to
ask the remote user for a cert.

Hmm... maybe I'm wrong. See section 5.1 of this page:
http://jack.godau.googlepages.com/jbosscertificatesandopenssl

-chris



Re: Renegotiate SSL connection in servlet

Posted by André Cruz <an...@co.sapo.pt>.
On Mar 31, 2009, at 14:44 , Christopher Schultz wrote:
> On 3/31/2009 9:28 AM, André Cruz wrote:
>> I'm coding a servlet that does SSL client cert authentication. The
>> requests already arrive on an SSL connector but for this servlet in
>> particular the SSL connection needs to be renegotiated to ask for a
>> client certificate. Is there any way to do this inside a servlet?
>> With or without APR?
>
> I think you just want to set the clientAuth attribute on your
> connector:
>
> <Connector ... clientAuth="want" />

The problem with "want" is that, at least with IE, the browser always
prompts the user for a certificate.

I just want the prompt to appear when a specific servlet is requested.
I can do this with Apache and <Location> directives but I would like
to use a Tomcat-only configuration.

Best regards,
André Cruz




Re: Renegotiate SSL connection in servlet

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 3/31/2009 9:28 AM, André Cruz wrote:
> I'm coding a servlet that does SSL client cert authentication. The
> requests already arrive on an SSL connector but for this servlet in
> particular the SSL connection needs to be renegotiated to ask for a
> client certificate. Is there any way to do this inside a servlet? With or
> without APR?

I think you just want to set the clientAuth attribute on your connector:

<Connector ... clientAuth="want" />

See
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
and
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

If you use "want", then a certificate will be available if one is
provided. If it is /not/ provided, then you will get NULL when you ask
for it. I don't know if there's a way to force the browser to
"renegotiate" the SSL connection and provide a certificate the second
(or third...) time around.

-chris

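The servlet side of Chris's clientAuth="want" suggestion, as an added example
(this is not code from the thread or from Tomcat). It assumes a connector
configured with clientAuth="want" and a truststoreFile holding the client CA;
the class name, the accepted issuer DN and the response texts are assumptions
made for the example. The point it shows is the one Chris makes: with "want",
a browser that sends no certificate still gets a working connection, so the
servlet must check for the null attribute itself and decide what to do.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not from the thread or from Tomcat. Assumes a connector
 * with clientAuth="want" and a truststoreFile for the client CA. Tomcat then
 * completes the handshake whether or not the browser sent a certificate,
 * and the servlet has to notice the difference itself.
 */
public class ClientCertServlet extends HttpServlet {

    /* Attribute name defined by the Servlet specification; the value is an
     * X509Certificate[] with the client certificate at index 0. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /* Hypothetical issuer this application accepts (assumption for the
     * example). X500Principal.equals compares the canonical form, so spacing
     * and attribute ordering in the DN string do not matter. */
    private static final X500Principal ACCEPTED_ISSUER =
            new X500Principal("CN=Example Client CA, O=Example");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        /* A request that did not arrive over TLS cannot carry a client cert. */
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS is required");
            return;
        }

        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        /* The case Chris describes: with clientAuth="want" a browser that sent
         * no certificate still gets a working connection and the attribute is
         * null. There is no HTTP challenge that would make the browser retry
         * with a certificate, so answer 403 rather than 401. */
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "A client certificate is required for this resource");
            return;
        }

        X509Certificate leaf = chain[0];

        /* Chain validation against the connector's truststore happened during
         * the TLS handshake; application-level checks (validity window,
         * expected issuer) are still the servlet's job. */
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Certificate is expired or not yet valid");
            return;
        }
        if (!ACCEPTED_ISSUER.equals(leaf.getIssuerX500Principal())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Certificate issuer is not accepted");
            return;
        }

        /* Use the subject DN from the verified certificate as the identity;
         * never take a DN from a request header. */
        String subject = leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated client: " + subject);
    }
}
```

This does not solve the renegotiation question asked at the top of the thread:
the servlet only sees the result of the handshake that already happened, so if
the browser declined to send a certificate the only option here is to refuse
the request.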