You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/03/23 21:09:01 UTC
[Bug 65975] New: CLIENT-CERT authentication does not request cert from client and always denies access (401)
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
Bug ID: 65975
Summary: CLIENT-CERT authentication does not request cert from
client and always denies access (401)
Product: Tomcat 9
Version: 9.0.60
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: martin.stangl@t-base.pro
Target Milestone: -----
Created attachment 38232
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38232&action=edit
ZIP file containing the adjusted default config as mentioned in the description
According to the documentation
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig,
setting certificateVerification="none" should behave as follows: "A none value
(which is the default) will not require a certificate chain unless the client
requests a resource protected by a security constraint that uses CLIENT-CERT
authentication."
The problem encountered is that a resource protected by a security constraint
that uses CLIENT-CERT authentication does not cause Tomcat to request a
certificate chain. As a result all access is denied.
Reproduced in Apache Tomcat versions 9.0.60 and 8.5.77
Tested Java versions: OpenJDK Runtime Environment (build 17.0.2+8-86) Tomcat
9.0.60 and 8.5.77, Zulu 8.56.0.23-CA-win64 (build 1.8.0_302-b08) on Tomcat
9.0.60
Tested Tomcat Connector on Tomcat 9.0.60:
- org.apache.coyote.http11.Http11NioProtocol - JSSE
- org.apache.coyote.http11.Http11AprProtocol, UpgradeProtocol
org.apache.coyote.http2.Http2Protocol - JSSE and OpenSSL
Tested Tomcat Connector on Tomcat 8.5.77:
- org.apache.coyote.http11.Http11NioProtocol - JSSE
catalina.log excerpt of a failed authentication:
23-Mar-2022 21:15:11.270 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /examples/jsp/security/protected/index.jsp
23-Mar-2022 21:15:11.270 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
23-Mar-2022 21:15:11.271 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
23-Mar-2022 21:15:11.277 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations
Loading persistent provider registrations from [C:\Program Files\Apache
Software Foundation\Tomcat 9.0\conf\jaspic-providers.xml]
23-Mar-2022 21:15:11.282 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
23-Mar-2022 21:15:11.283 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint already satisfied
23-Mar-2022 21:15:11.283 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
23-Mar-2022 21:15:11.284 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
How to reproduce:
1. For changes made to the default condifuration see attachments:
- conf/server.xml: Connector port 8080 disabled, connector port 443 with SSL
configuration enabled and adjusted
- conf/tomcat-users.xml: Role "user" and one user added
- webapps/examples/WEB-INF/web.xml: Changed security-constraint, login-config
and security-role for CLIENT-CERT authentication
2. Open https://<hostname>/examples/jsp/security/protected/index.jsp in a
browser
This should result in "HTTP Status 401 – Unautorisiert"
To check if the configuration works otherwhise:
1. Change certificateVerification to "required" in conf/server.xml
2. Restart Tomcat
3. Open https://<hostname>/examples/jsp/security/protected/index.jsp in a
browser
This should return the example webpage showing the authenticated user.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #13 from Christopher Schultz <ch...@christopherschultz.net> ---
Wireshark
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #10 from Martin Stangl <ma...@t-base.pro> ---
Seems this CRL URL is on purpose like this. I will go forward and use a client
cert not issued by my AD CA for testing purposes.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #17 from Martin Stangl <ma...@t-base.pro> ---
Hi Christopher,
I captured the traffic from when the client certificate is submitted to the
server until the authentication completed. So basically the full 60 seconds of
delay.
Wireshark could not capture anything while my machine was offline, which is
understandable.
So the 3 attached captures are from when I connected to the hotel's wireless I
am currently staying at and show all outgoing traffic from my machine. I used
the source mac address for filtering and made one capture for each certificate
I used for testing.
Here the IPs of my machine:
ifIndex IPAddress PrefixLength
PrefixOrigin SuffixOrigin AddressState PolicyStore
------- --------- ------------
------------ ------------ ------------ -----------
37 fe80::145e:ea51:ed90:b7f1%37 64 WellKnown
Link Preferred ActiveStore
37 2a02:1205:5078:1db0:2582:b03f:b764:cd74 128
RouterAdv... Random Preferred ActiveStore
37 2a02:1205:5078:1db0:145e:ea51:ed90:b7f1 64
RouterAdv... Link Preferred ActiveStore
37 192.168.1.67 24 Dhcp
Dhcp Preferred ActiveStore
Let me know if we also need to capture the communication between the browser
and tomcat as this requires for me to setup Wireshark for Loopback capturing.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #6 from Martin Stangl <ma...@t-base.pro> ---
Hi Mark,
this did the trick. You definitely know your stuff. Thanks a lot.
I used TLS1.2 and the OpenSSL TLS implemntation and tested both
org.apache.coyote.http11.Http11NioProtocol and
org.apache.coyote.http11.Http11AprProtocol.
Both worked.
org.apache.coyote.http11.Http11NioProtocol perfectly so. Authentication and
response from Tomcat happened immediately after selecting the certificate in
the browser. Felt almost faster than delivering a static page.
org.apache.coyote.http11.Http11AprProtocol had a delay of 1 minute after
selecting the certificate in the browser.
Tested with Chrome, Edge and Postman with identical results.
I am happy with Nio working.
But if you want to look into the issue with
org.apache.coyote.http11.Http11AprProtocol, I am willing to support with
testing.
stderr excerpt for org.apache.coyote.http11.Http11AprProtocol with OpenSSL.
Pauses after "Calling authenticate()":
24-Mar-2022 12:42:07.712 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /examples/jsp/security/protected/index.jsp
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint already satisfied
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate Checking validity for
'EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate Checking validity for
'CN=T-base-CA, DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509
certificate: [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl,
CN=Users, DC=intranet, DC=t-base, DC=pro]
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user
[EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated
'EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro' with type 'CLIENT_CERT'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
accessControl()
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles
GenericPrincipal[EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl,
CN=Users, DC=intranet, DC=t-base, DC=pro()]
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasRole Username
[EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] has role [user]
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: user
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed
all security constraints
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #4 from Martin Stangl <ma...@t-base.pro> ---
1)
Reconfigured to only use TLS1.2 and verified that OpenSSL is used:
From stderr:
APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
OpenSSL successfully initialized [OpenSSL 1.1.1l 24 Aug 2021]
The used TLS version is not shown in the logs - probably need to change some
log config to see it.
Result is still the same.
Full stderr:
2022-03-24 10:25:50 Apache Commons Daemon procrun stderr initialized.
24-Mar-2022 10:25:51.720 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version name:
Apache Tomcat/9.0.60
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server built:
Mar 9 2022 14:52:25 UTC
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version number:
9.0.60.0
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Name:
Windows 10
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Version:
10.0
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Architecture:
amd64
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Java Home:
C:\Program Files\OpenJDK\jdk-17.0.2
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:
17.0.2+8-86
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
Oracle Corporation
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:
C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:
C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 9.0\temp
24-Mar-2022 10:25:51.752 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.config.file=C:\Program Files\Apache Software
Foundation\Tomcat 9.0\conf\logging.properties
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djavax.net.debug=all
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Duser.language=en -Duser.region=US
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.lang=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.io=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
exit
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
abort
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Xms128m
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Xmx256m
24-Mar-2022 10:25:51.763 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache
Tomcat Native library [1.2.31] using APR version [1.7.0].
24-Mar-2022 10:25:51.763 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities:
IPv6 [true], sendfile [true], accept filters [false], random [true], UDS
[true].
24-Mar-2022 10:25:51.763 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
24-Mar-2022 10:25:51.777 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1l 24 Aug 2021]
24-Mar-2022 10:25:52.164 INFO [main]
org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The
["https-openssl-apr-443"] connector has been configured to support negotiation
to [h2] via ALPN
24-Mar-2022 10:25:52.164 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-openssl-apr-443"]
javax.net.ssl|DEBUG|10|main|2022-03-24 10:25:52.458
CET|SunX509KeyManagerImpl.java:160|found key for : tomcat (
"certificate" : {
"version" : "v3",
"serial number" : "032883B4D8C10F02842E587217569586A3DF",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=R3, O=Let's Encrypt, C=US",
"not before" : "2022-03-23 15:15:31.000 CET",
"not after" : "2022-06-21 16:15:30.000 CEST",
"subject" : "CN=dev.intranet.t-base.pro",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
},
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://r3.o.lencr.org
,
accessMethod: caIssuers
accessLocation: URIName: http://r3.i.lencr.org/
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB AE 50 09 40 E6 1F AF 9D
.....XV..P.@....
0010: 8B 14 C2 C6 ....
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74
..http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org
]] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: dev.intranet.t-base.pro
DNSName: education.dev.intranet.t-base.pro
DNSName: tenniscenter.dev.intranet.t-base.pro
DNSName: trainerplattform.dev.intranet.t-base.pro
DNSName: wptest.dev.intranet.t-base.pro
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 56 57 D9 DC 96 22 93 7F 27 7E 6E 59 04 D0 BD 78
VW..."..'.nY...x
0010: 9B B1 85 F9 ....
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "032883B4D8C10F02842E587217569586A3DF",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=R3, O=Let's Encrypt, C=US",
"not before" : "2022-03-23 15:15:31.000 CET",
"not after" : "2022-06-21 16:15:30.000 CEST",
"subject" : "CN=dev.intranet.t-base.pro",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
},
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://r3.o.lencr.org
,
accessMethod: caIssuers
accessLocation: URIName: http://r3.i.lencr.org/
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB AE 50 09 40 E6 1F AF 9D
.....XV..P.@....
0010: 8B 14 C2 C6 ....
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74
..http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org
]] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: dev.intranet.t-base.pro
DNSName: education.dev.intranet.t-base.pro
DNSName: tenniscenter.dev.intranet.t-base.pro
DNSName: trainerplattform.dev.intranet.t-base.pro
DNSName: wptest.dev.intranet.t-base.pro
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 56 57 D9 DC 96 22 93 7F 27 7E 6E 59 04 D0 BD 78
VW..."..'.nY...x
0010: 9B B1 85 F9 ....
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "00912B084ACF0C18A753F6D62E25A75F5A",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
"not before" : "2020-09-04 02:00:00.000 CEST",
"not after" : "2025-09-15 18:00:00.000 CEST",
"subject" : "CN=R3, O=Let's Encrypt, C=US",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://x1.i.lencr.org/
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58
y.Y......s.....X
0010: F6 E9 9B 6E ...n
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://x1.c.lencr.org/]
]]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB AE 50 09 40 E6 1F AF 9D
.....XV..P.@....
0010: 8B 14 C2 C6 ....
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "4001772137D4E942B8EE76AA3C640AB7",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=DST Root CA X3, O=Digital Signature Trust Co.",
"not before" : "2021-01-20 20:14:03.000 CET",
"not after" : "2024-09-30 20:14:03.000 CEST",
"subject" : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName:
http://apps.identrust.com/roots/dstrootcax3.p7c
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA DB E1 4B 90 75 FF C4 15
.....,q...K.u...
0010: 60 85 89 10 `...
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 22 68 74 74 70 3A 2F 2F 63 70 73 2E 72 6F 6F
."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74 73 65 6E 63 72 79 70 74
t-x1.letsencrypt
0020: 2E 6F 72 67 .org
]] ]
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58
y.Y......s.....X
0010: F6 E9 9B 6E ...n
]
]
}
]}
)
24-Mar-2022 10:25:52.493 INFO [main] org.apache.catalina.startup.Catalina.load
Server initialization in [1115] milliseconds
24-Mar-2022 10:25:52.562 INFO [main]
org.apache.catalina.core.StandardService.startInternal Starting service
[Catalina]
24-Mar-2022 10:25:52.562 INFO [main]
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine:
[Apache Tomcat/9.0.60]
24-Mar-2022 10:25:52.570 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\docs]
24-Mar-2022 10:25:52.854 FINE [main]
org.apache.catalina.authenticator.AuthenticatorBase.startInternal No
SingleSignOn Valve is present
24-Mar-2022 10:25:53.027 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\docs] has finished in [457] ms
24-Mar-2022 10:25:53.028 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\examples]
24-Mar-2022 10:25:53.419 FINE [main]
org.apache.catalina.authenticator.AuthenticatorBase.startInternal No
SingleSignOn Valve is present
24-Mar-2022 10:25:53.605 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\examples] has finished in [577] ms
24-Mar-2022 10:25:53.606 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\ROOT]
24-Mar-2022 10:25:53.636 FINE [main]
org.apache.catalina.authenticator.AuthenticatorBase.startInternal No
SingleSignOn Valve is present
24-Mar-2022 10:25:53.646 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\ROOT] has finished in [39] ms
24-Mar-2022 10:25:53.650 INFO [main] org.apache.coyote.AbstractProtocol.start
Starting ProtocolHandler ["https-openssl-apr-443"]
24-Mar-2022 10:25:53.663 INFO [main] org.apache.catalina.startup.Catalina.start
Server startup in [1169] milliseconds
24-Mar-2022 10:26:07.419 FINE [https-openssl-apr-443-exec-3]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /
24-Mar-2022 10:26:07.420 FINE [https-openssl-apr-443-exec-3]
org.apache.catalina.realm.RealmBase.findSecurityConstraints No applicable
constraints defined
24-Mar-2022 10:26:07.434 FINE [https-openssl-apr-443-exec-3]
org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations
Loading persistent provider registrations from [C:\Program Files\Apache
Software Foundation\Tomcat 9.0\conf\jaspic-providers.xml]
24-Mar-2022 10:26:07.445 FINE [https-openssl-apr-443-exec-3]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Not subject to any
constraint
24-Mar-2022 10:26:13.024 FINE [https-openssl-apr-443-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /examples/jsp
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET /jsp --> false
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET /jsp --> false
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET /jsp --> false
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET /jsp --> false
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints No applicable
constraint located
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Not subject to any
constraint
24-Mar-2022 10:26:15.731 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /examples/jsp/security/protected/index.jsp
24-Mar-2022 10:26:15.731 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 10:26:15.732 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 10:26:15.732 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
24-Mar-2022 10:26:15.733 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint already satisfied
24-Mar-2022 10:26:15.733 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
24-Mar-2022 10:26:15.733 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
2)
a) I replaced the login method in the web.xml
Removed:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
Added:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/jsp/security/protected/login.jsp</form-login-page>
<form-error-page>/jsp/security/protected/error.jsp</form-error-page>
</form-login-config>
</login-config>
Form shows when accessing the protected URL and login using the certificate DN
and password as set in tomcat-users.xml works.
b) changed back to CLIENT-CERT and set certificateVerification="required"
Client cert is requested when accessing the protected URL and access is
granted.
So misconfiguration seems to be unlikely, except some configuration is missing
which is also not part of the default installation and nobody talks about
(means I have not found any hint of something else when researching
configuration examples).
Full stderr of the succesfull authentication with
certificateVerification="required":
2022-03-24 11:09:37 Apache Commons Daemon procrun stderr initialized.
24-Mar-2022 11:09:37.718 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version name:
Apache Tomcat/9.0.60
24-Mar-2022 11:09:37.721 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server built:
Mar 9 2022 14:52:25 UTC
24-Mar-2022 11:09:37.721 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version number:
9.0.60.0
24-Mar-2022 11:09:37.721 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Name:
Windows 10
24-Mar-2022 11:09:37.722 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Version:
10.0
24-Mar-2022 11:09:37.722 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Architecture:
amd64
24-Mar-2022 11:09:37.722 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Java Home:
C:\Program Files\OpenJDK\jdk-17.0.2
24-Mar-2022 11:09:37.722 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:
17.0.2+8-86
24-Mar-2022 11:09:37.722 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
Oracle Corporation
24-Mar-2022 11:09:37.722 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:
C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 11:09:37.722 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:
C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 11:09:37.731 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 9.0\temp
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.config.file=C:\Program Files\Apache Software
Foundation\Tomcat 9.0\conf\logging.properties
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djavax.net.debug=all
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Duser.language=en -Duser.region=US
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.lang=ALL-UNNAMED
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.io=ALL-UNNAMED
24-Mar-2022 11:09:37.732 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Mar-2022 11:09:37.733 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
exit
24-Mar-2022 11:09:37.733 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
abort
24-Mar-2022 11:09:37.733 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Xms128m
24-Mar-2022 11:09:37.733 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Xmx256m
24-Mar-2022 11:09:37.736 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache
Tomcat Native library [1.2.31] using APR version [1.7.0].
24-Mar-2022 11:09:37.736 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities:
IPv6 [true], sendfile [true], accept filters [false], random [true], UDS
[true].
24-Mar-2022 11:09:37.737 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
24-Mar-2022 11:09:37.742 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1l 24 Aug 2021]
24-Mar-2022 11:09:38.034 INFO [main]
org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The
["https-openssl-apr-443"] connector has been configured to support negotiation
to [h2] via ALPN
24-Mar-2022 11:09:38.034 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-openssl-apr-443"]
javax.net.ssl|DEBUG|10|main|2022-03-24 11:09:38.243
CET|SunX509KeyManagerImpl.java:160|found key for : tomcat (
"certificate" : {
"version" : "v3",
"serial number" : "032883B4D8C10F02842E587217569586A3DF",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=R3, O=Let's Encrypt, C=US",
"not before" : "2022-03-23 15:15:31.000 CET",
"not after" : "2022-06-21 16:15:30.000 CEST",
"subject" : "CN=dev.intranet.t-base.pro",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
},
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://r3.o.lencr.org
,
accessMethod: caIssuers
accessLocation: URIName: http://r3.i.lencr.org/
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB AE 50 09 40 E6 1F AF 9D
.....XV..P.@....
0010: 8B 14 C2 C6 ....
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74
..http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org
]] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: dev.intranet.t-base.pro
DNSName: education.dev.intranet.t-base.pro
DNSName: tenniscenter.dev.intranet.t-base.pro
DNSName: trainerplattform.dev.intranet.t-base.pro
DNSName: wptest.dev.intranet.t-base.pro
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 56 57 D9 DC 96 22 93 7F 27 7E 6E 59 04 D0 BD 78
VW..."..'.nY...x
0010: 9B B1 85 F9 ....
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "032883B4D8C10F02842E587217569586A3DF",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=R3, O=Let's Encrypt, C=US",
"not before" : "2022-03-23 15:15:31.000 CET",
"not after" : "2022-06-21 16:15:30.000 CEST",
"subject" : "CN=dev.intranet.t-base.pro",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
},
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://r3.o.lencr.org
,
accessMethod: caIssuers
accessLocation: URIName: http://r3.i.lencr.org/
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB AE 50 09 40 E6 1F AF 9D
.....XV..P.@....
0010: 8B 14 C2 C6 ....
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74
..http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org
]] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: dev.intranet.t-base.pro
DNSName: education.dev.intranet.t-base.pro
DNSName: tenniscenter.dev.intranet.t-base.pro
DNSName: trainerplattform.dev.intranet.t-base.pro
DNSName: wptest.dev.intranet.t-base.pro
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 56 57 D9 DC 96 22 93 7F 27 7E 6E 59 04 D0 BD 78
VW..."..'.nY...x
0010: 9B B1 85 F9 ....
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "00912B084ACF0C18A753F6D62E25A75F5A",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
"not before" : "2020-09-04 02:00:00.000 CEST",
"not after" : "2025-09-15 18:00:00.000 CEST",
"subject" : "CN=R3, O=Let's Encrypt, C=US",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://x1.i.lencr.org/
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58
y.Y......s.....X
0010: F6 E9 9B 6E ...n
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://x1.c.lencr.org/]
]]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[] ]
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 14 2E B3 17 B7 58 56 CB AE 50 09 40 E6 1F AF 9D
.....XV..P.@....
0010: 8B 14 C2 C6 ....
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "4001772137D4E942B8EE76AA3C640AB7",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=DST Root CA X3, O=Digital Signature Trust Co.",
"not before" : "2021-01-20 20:14:03.000 CET",
"not after" : "2024-09-30 20:14:03.000 CEST",
"subject" : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName:
http://apps.identrust.com/roots/dstrootcax3.p7c
]
]
},
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA DB E1 4B 90 75 FF C4 15
.....,q...K.u...
0010: 60 85 89 10 `...
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
},
{
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]
},
{
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 22 68 74 74 70 3A 2F 2F 63 70 73 2E 72 6F 6F
."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74 73 65 6E 63 72 79 70 74
t-x1.letsencrypt
0020: 2E 6F 72 67 .org
]] ]
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58
y.Y......s.....X
0010: F6 E9 9B 6E ...n
]
]
}
]}
)
24-Mar-2022 11:09:38.265 INFO [main] org.apache.catalina.startup.Catalina.load
Server initialization in [752] milliseconds
24-Mar-2022 11:09:38.322 INFO [main]
org.apache.catalina.core.StandardService.startInternal Starting service
[Catalina]
24-Mar-2022 11:09:38.322 INFO [main]
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine:
[Apache Tomcat/9.0.60]
24-Mar-2022 11:09:38.335 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\docs]
24-Mar-2022 11:09:38.546 FINE [main]
org.apache.catalina.authenticator.AuthenticatorBase.startInternal No
SingleSignOn Valve is present
24-Mar-2022 11:09:38.652 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\docs] has finished in [316] ms
24-Mar-2022 11:09:38.653 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\examples]
24-Mar-2022 11:09:39.009 FINE [main]
org.apache.catalina.authenticator.AuthenticatorBase.startInternal No
SingleSignOn Valve is present
24-Mar-2022 11:09:39.309 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\examples] has finished in [656] ms
24-Mar-2022 11:09:39.309 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\ROOT]
24-Mar-2022 11:09:39.356 FINE [main]
org.apache.catalina.authenticator.AuthenticatorBase.startInternal No
SingleSignOn Valve is present
24-Mar-2022 11:09:39.369 INFO [main]
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web
application directory [C:\Program Files\Apache Software Foundation\Tomcat
9.0\webapps\ROOT] has finished in [59] ms
24-Mar-2022 11:09:39.373 INFO [main] org.apache.coyote.AbstractProtocol.start
Starting ProtocolHandler ["https-openssl-apr-443"]
24-Mar-2022 11:09:39.387 INFO [main] org.apache.catalina.startup.Catalina.start
Server startup in [1122] milliseconds
24-Mar-2022 11:24:15.003 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /examples/jsp/security/protected/index.jsp
24-Mar-2022 11:24:15.003 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 11:24:15.003 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 11:24:15.010 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations
Loading persistent provider registrations from [C:\Program Files\Apache
Software Foundation\Tomcat 9.0\conf\jaspic-providers.xml]
24-Mar-2022 11:24:15.021 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
24-Mar-2022 11:24:15.022 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint already satisfied
24-Mar-2022 11:24:15.023 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
24-Mar-2022 11:24:15.027 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 11:24:15.028 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
24-Mar-2022 11:24:15.028 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.authenticate Checking validity for
'EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 11:24:15.028 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509
certificate: [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl,
CN=Users, DC=intranet, DC=t-base, DC=pro]
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user
[EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated
'EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro' with type 'CLIENT_CERT'
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
accessControl()
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles
GenericPrincipal[EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl,
CN=Users, DC=intranet, DC=t-base, DC=pro()]
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.hasRole Username
[EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] has role [user]
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: user
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed
all security constraints
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #12 from Martin Stangl <ma...@t-base.pro> ---
I came up with another test: I took the server (notebook) offline, because if
no network cable is plugged in, network requests immediately fail and do not
time out.
Still the exact same delay.
So most likely not network related.
stderr excerpt:
25-Mar-2022 22:16:54.202 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
javax.net.ssl|DEBUG|A1|https-openssl-apr-443-exec-6|2022-03-25 22:16:54.230
CET|X509TrustManagerImpl.java:247|Found trusted certificate (
"certificate" : {
"version" : "v3",
"serial number" : "008210CFB0D240E3594463E0BB63828B00",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
"not before" : "2015-06-04 13:04:38.000 CEST",
"not after" : "2035-06-04 13:04:38.000 CEST",
"subject" : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58
y.Y......s.....X
0010: F6 E9 9B 6E ...n
]
]
}
]}
)
25-Mar-2022 22:17:54.245 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [CN=dev.intranet.t-base.pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #2 from Martin Stangl <ma...@t-base.pro> ---
Tried some other things with the same result:
- Tested with Apache Tomcat 9 on Windows Server
- Removed LockOutRealm and used UserDatabaseRealm directly
- Used MemoryRealm instead of UserDatabaseRealm
- Used a different role name
- Used allRolesMode="authOnly" and checked for role "*"
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
Martin Stangl <ma...@t-base.pro> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
--- Comment #1 from Martin Stangl <ma...@t-base.pro> ---
Hardware: PC
OS: Windows 10
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #8 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Martin Stangl from comment #6)
> org.apache.coyote.http11.Http11AprProtocol had a delay of 1 minute after
> selecting the certificate in the browser.
>
> Tested with Chrome, Edge and Postman with identical results.
>
> I am happy with Nio working.
> But if you want to look into the issue with
> org.apache.coyote.http11.Http11AprProtocol, I am willing to support with
> testing.
>
> stderr excerpt for org.apache.coyote.http11.Http11AprProtocol with OpenSSL.
> Pauses after "Calling authenticate()":
Hmm.
> 24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
> authenticate()
> 24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7]
> org.apache.catalina.realm.CombinedRealm.authenticate Attempting to
> authenticate user [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl,
> CN=Users, DC=intranet, DC=t-base, DC=pro] with realm
> [org.apache.catalina.realm.UserDatabaseRealm]
/Exactly/ 1 minute delay? Are you using OCSP (does OCSP even work for client
certs)?
Can you snoop outbound network traffic from the server to see if something is
making a network connection at the start of this pause?
At first, I was thinking "entropy problem" but (a) it was repeatable and (b)
it's exactly 1 minute which sounds more like a network timeout than anything
else.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #18 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Martin Stangl from comment #17)
> I captured the traffic from when the client certificate is submitted to the
> server until the authentication completed. So basically the full 60 seconds
> of delay.
>
> Wireshark could not capture anything while my machine was offline, which is
> understandable.
I think you misunderstood what I was suggesting: using Wireshark to monitor
*outbound* traffic during your testing. We want to catch whatever process is
making an outgoing connection and timing out. Wireshark should definitely be
able to tell you *something* is happening. DNS lookup, or connection-attempt to
some remote service which fails after 60 seconds when you are connected and
fails *immediately* when you are not connected.
> Let me know if we also need to capture the communication between the browser
> and tomcat as this requires for me to setup Wireshark for Loopback capturing.
No need to capture anything between the browser and the server. I'm only
interested in seeing what the server is trying to do when you authenticate.
I suspect if you look for new connection attempts (on any protocol, to any
host/port) as you authenticate, and you ignore the connection from the browser
-> Tomcat, you'll find the answer pretty quickly.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #11 from Martin Stangl <ma...@t-base.pro> ---
I tested with 2 other client certificates. Same result.
Let's encrypt certificate with OSCP. (For some strange reasons javax.net.ssl
decided to print certificate details in this case)
25-Mar-2022 20:17:39.052 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
javax.net.ssl|DEBUG|A1|https-openssl-apr-443-exec-6|2022-03-25 20:17:39.071
CET|X509TrustManagerImpl.java:247|Found trusted certificate (
"certificate" : {
"version" : "v3",
"serial number" : "008210CFB0D240E3594463E0BB63828B00",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
"not before" : "2015-06-04 13:04:38.000 CEST",
"not after" : "2035-06-04 13:04:38.000 CEST",
"subject" : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58
y.Y......s.....X
0010: F6 E9 9B 6E ...n
]
]
}
]}
)
25-Mar-2022 20:18:39.083 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [CN=dev.intranet.t-base.pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
Self signed certificate:
25-Mar-2022 20:25:56.643 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
25-Mar-2022 20:26:56.666 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [CN=Self-Signed, O=T-base OG, ST=Some-State, C=AT] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
The "server" is a Windows 10 notebook, so unfortunately very noisy. But I can
confirm that no related calls to the internet where done when using the
certificate issued by the Active Directory Certificate Service.
I will try to do some more snooping, but it will take 2 to 3 days until I get
to it.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Looking at the tested configuration, none of them will work.
Http11NioProtocol - JSSE - Fails due to TLS 1.3 PHA isn't supported
Http11AprProtocol - HTTP/2 - Fails as HTTP/2 doesn't permit PHA
You need to:
- Configure TLS 1.2 only
- Not configure HTTP/2
then it should work with any connector (NIO, NIO2 or APR/Native) and any TLS
implementation (JSSE or OpenSSL).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #16 from Martin Stangl <ma...@t-base.pro> ---
Created attachment 38235
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38235&action=edit
Wireshark capture of authentication with Self Signed certificate
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #19 from Martin Stangl <ma...@t-base.pro> ---
(In reply to Christopher Schultz from comment #18)
> I think you misunderstood what I was suggesting: using Wireshark to monitor
> *outbound* traffic during your testing.
This is exactly what I captured. Every packet leaving the machine during the
authentication process.
> making an outgoing connection and timing out. Wireshark should definitely be
> able to tell you *something* is happening. DNS lookup, or connection-attempt
> to some remote service which fails after 60 seconds when you are connected
> and fails *immediately* when you are not connected.
Wireshark does not get anything if no interface is connected. And this makes
sense to me, because to which of the not connected interface should the traffic
go? It does not make it so far, therefore Wireshark will not get anything to
capture.
And as I mentioned before: Wait time is still 60 seconds, even with immediate
network communication failures due to having no network connection. So the
delay might still be related to communication, but is most likely not
originating from the network code.
The relevant request should be in the first 2 to 3 seconds of each capture, but
there is nothing in there which is common to the three captures. The only SYNs
without ACKs I see are related to some devices on the WLAN (a Huawai Honor 7, I
could not identify the other device). Also they start a little too late and the
retries end way before 60 seconds.
So as far as I can tell, nothing goes out which relates to the issue.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
Martin Stangl <ma...@t-base.pro> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |Windows 10
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Tomcat has unit tests for this which have been passing consistently for as long
as I can remember. This is also at least one test in the Servlet TCK for this
that Tomcat also passes.
TLS 1.3 changed how client certificate authentication works. It uses a new
process called post handshake authentication. JSSE does not support this on the
server side and currently has no plans to since HTTP/2 does not allow it.
I suspect one of two causes:
1. TLS v1.3 + JSSE
2. Misconfiguration
Tomcat emits a warning if you use certificateVerification="want" with TLS 1.3.
I suspect we need a similar warning for TLS 1.3 +
certificateVerification="none" + CLIENT-CERT
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #20 from Martin Stangl <ma...@t-base.pro> ---
I verified that the 60000 milliseconds delay are the timeout configured by the
connectionTimeout parameter of the connector.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #22 from Martin Stangl <ma...@t-base.pro> ---
I will make a step by step guide but cannot do it before Saturday.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #7 from Martin Stangl <ma...@t-base.pro> ---
Hi Mark,
Just fyi: According to my tests, TLS 1.3 with OpenSSL also does not work. So it
is not limited to JSSE.
You mentioned to output a warning when CLIENT-CERT is used with an unsupported
protocol. Would it be possible to throw an error if PHA is attempted in an
unsupported configuration (TLS 1.3, HTTP2)?
This might be not as good in avoiding the problem in the first place, but much
better in figuring out on what the problem is, if it occurs.
kr
Martin
PS: Mark, how does the bug process work. Should I set the bug to resolved as I
have a solution, or will you do it, once you are done with it?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #9 from Martin Stangl <ma...@t-base.pro> ---
Hi Christopher,
no OCSP, but I noticed that the CRL LDAP URL is invalid:
URL=ldap:///CN=T-base-CA,CN=NoCore,CN=CDP,CN=Public Key
Services,CN=Services,CN=Configuration,DC=intranet,DC=t-base,DC=pro?certificateRevocationList?base?objectClass=cRLDistributionPoint
(ldap:///CN=T-base-CA,CN=NoCore,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=intranet,DC=t-base,DC=pro?certificateRevocationList?base?objectClass=cRLDistributionPoint)
I will try to fix the AD Certificate Service configuration by either fixing the
URL or getting rid of the CRL and try again with a new client certificate.
I agree, looks very much like a network timeout.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #14 from Martin Stangl <ma...@t-base.pro> ---
Created attachment 38233
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38233&action=edit
Wireshark capture of authentication with Let's Encrypt OSCP certificate
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #21 from Mark Thomas <ma...@apache.org> ---
Testing this locally with 9.0.x, Tomcat Native 1.2.x and the APR connector this
works as expected for me. I modified the examples web application to use
CLIENT-CERT, configured the APR connector for TLSv1.2 and no HTTP/2 and used
the standard test keys and certs we use for the Tomcat unit tests.
To investigate further we are going to need exact steps to recreate this from a
clean install of the latest 9.0.x release including any test keys and certs you
are using.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
--- Comment #15 from Martin Stangl <ma...@t-base.pro> ---
Created attachment 38234
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38234&action=edit
Wireshark capture of authentication with Active Directory issued certificate
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|NEEDINFO |RESOLVED
--- Comment #23 from Mark Thomas <ma...@apache.org> ---
Requested information has not been provided so I'm closing this issue.
If you are able to recreate this issue and can provide the steps to recreate it
from a clean install of the latest 9.0.x release, then feel free to re-open
this issue and provide the reproduction steps.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org