Posted to users@tomcat.apache.org by "Orendt, John" <jo...@medtronic.com.INVALID> on 2021/04/09 20:31:20 UTC

Tomcat, maybe Apache on Windows 10

Hi

My goal is to set up a web server on Windows 10 that supports TLSv1.3 with mutual authentication.

I have had success with Apache on Ubuntu 20.04. I was able to generate the server and client x509 leaf certs which apache validates up the chain of trust and actually does refuse the connection if a client cert has been revoked. Very nice.

Also, Apache provides these useful environmental variables like REMOTE_ADDR, SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, and SSL_PROTOCOL.

I'm using ProxyPass, ProxyPassReverse as a connector to Tomcat 9.

Unfortunately, these env vars do not get through to Tomcat 9.

For other reasons, related to TPM, I need to get this to work on Windows 10.

So far, my best three options are:

  1.  Use Tomcat 9 standalone and configure TLSv1.3
  2.  Use Tomcat 10 standalone and configure TLSv1.3
  3.  Use Apache2 and Tomcat and find a workaround to get the environmental variables to Tomcat

For configuring TLS on Tomcat 9 or 10, a working example would be useful.

Will standalone Tomcat validate certs up the chain of trust and actually refuse the connection if a client cert has been revoked?

Please advise.

John Orendt
John.p.orendt@medtronic.com
[CONFIDENTIALITY AND PRIVACY NOTICE] Information transmitted by this email is proprietary to Medtronic and is intended for use only by the individual or entity to which it is addressed, and may contain information that is private, privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please delete this mail from your records. To view this notice in other languages you can either select the following link or manually copy and paste the link into the address bar of a web browser: http://emaildisclaimer.medtronic.com

Re: Tomcat, maybe Apache on Windows 10

Posted by Felix Schumacher <fe...@internetallee.de>.
On 09.04.21 at 22:31, Orendt, John wrote:
> Hi
>
> My goal is to set up a web server on Windows 10 that supports TLSv1.3 with mutual authentication.
>
> I have had success with Apache on Ubuntu 20.04. I was able to generate the server and client x509 leaf certs which apache validates up the chain of trust and actually does refuse the connection if a client cert has been revoked. Very nice.
>
> Also, Apache provides these useful environmental variables like REMOTE_ADDR, SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, and SSL_PROTOCOL.
>
> I'm using ProxyPass, ProxyPassReverse as a connector to Tomcat 9.
>
> Unfortunately, these env vars do not get through to Tomcat 9.

Can you give us more details about what you already tried?

If you want to use those Header variables, you will have to enable the
SSL Valve in Tomcat. The valve is described at
http://tomcat.apache.org/tomcat-10.0-doc/config/valve.html#SSL_Valve

You might want to combine that with the Remote IP Valve
(http://tomcat.apache.org/tomcat-10.0-doc/config/valve.html#Remote_IP_Valve)
and watch out to only accept connections from the httpd and not any
other clients (as you have to trust the values in the header fields
Tomcat will use).

>
> For other reasons, related to TPM, I need to get this to work on Windows 10.
>
> So far, my best three options are:
>
>   1.  Use Tomcat 9 standalone and configure TLSv1.3
>   2.  Use Tomcat 10 standalone and configure TLSv1.3
>   3.  Use Apache2 and Tomcat and find a workaround to get the environmental variables to Tomcat
>
> For configuring TLS on Tomcat 9 or 10, a working example would be useful.
Which parts are missing on
http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html ?
>
> Will standalone Tomcat validate certs up the chain of trust and actually refuse the connection if a client cert has been revoked?

I think it should. But it is always a good idea to test it yourself :)

Felix

>
> Please advise.
>
> John Orendt
> John.p.orendt@medtronic.com
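The two deployments discussed in this thread, as an added server.xml excerpt that is not part of either post and not taken from the Tomcat documentation: one Connector for standalone Tomcat 9/10 terminating TLSv1.3 with mandatory client certificates and a CRL, and one plain HTTP Connector for the httpd-fronted case, guarded by the Remote Address, Remote IP and SSL valves Felix mentions. The certificate, key, CA chain and CRL file names under conf/ are placeholders; the regular expressions assume httpd runs on the same host as Tomcat.

```xml
<!-- conf/server.xml (excerpt, added example; file names under conf/ are placeholders) -->
<Service name="Catalina">

  <!-- Option 1/2: standalone Tomcat terminates TLS itself.
       certificateVerification="required" makes the handshake fail without a
       client cert; caCertificateFile is the chain Tomcat validates against;
       certificateRevocationListFile is the CRL consulted during validation.
       TLSv1.3 needs Java 11+ for JSSE or tomcat-native built on OpenSSL 1.1.1+. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.3"
                   certificateVerification="required"
                   caCertificateFile="conf/ca-chain.pem"
                   certificateRevocationListFile="conf/ca.crl">
      <Certificate certificateFile="conf/server-cert.pem"
                   certificateKeyFile="conf/server-key.pem"
                   type="RSA"/>
    </SSLHostConfig>
  </Connector>

  <!-- Option 3: httpd terminates TLS and proxies over plain HTTP.
       Binding to the loopback address keeps the connector off the network
       so nobody but the local httpd can inject the trusted headers. -->
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">

      <!-- Valves run in the order listed and apply to every Connector in
           this Service. The three below belong to the proxied deployment;
           if the 8443 Connector is also enabled, put the proxied Connector
           in its own <Service>/<Engine> so public clients are not rejected. -->

      <!-- Second line of defence: only accept requests from the httpd host. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

      <!-- Restore the real client address and scheme from the proxy's
           X-Forwarded-* headers, but only when the peer is a listed proxy. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"/>

      <!-- Turn the ssl_client_cert / ssl_cipher / ssl_session_id /
           ssl_cipher_usekeysize headers sent by httpd into the standard
           javax.servlet.request.* attributes a webapp would see with
           native TLS. -->
      <Valve className="org.apache.catalina.valves.SSLValve"/>

    </Host>
  </Engine>
</Service>
```

On the httpd side the SSL Valve only works if the proxy actually forwards the certificate, which in mod_ssl means enabling `SSLOptions +ExportCertData` and then setting the header with mod_headers, for example `RequestHeader set ssl_client_cert "%{SSL_CLIENT_CERT}s"`; variables such as SSL_CLIENT_VERIFY or SSL_CLIENT_S_DN that the valve does not know about can still be forwarded as custom headers and read with `request.getHeader()`, but every such header must be treated as trusted input, which is why the address restriction matters. For the standalone connector, test the revocation path explicitly: connect with a certificate listed in the CRL and confirm the handshake fails, then regenerate the CRL after each revocation because Tomcat reads the file at startup.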