Posted to users@tomcat.apache.org by David Balažic <da...@comtrade.com> on 2015/09/10 14:58:13 UTC

RE: Firefox SSL with APR - losing client certificate

Reported as Bug 58244 - two way SSL loses client certificate after a few requests

https://bz.apache.org/bugzilla/show_bug.cgi?id=58244


David Balažic

> -----Original Message-----
> From: David Balažic
> Sent: 7. August 2015 17:38
> To: users@tomcat.apache.org
> Subject: Firefox SSL with APR - losing client certificate
> Importance: Low
> 
> Hi!
> 
> I use Tomcat 6.0.44 with APR on Windows x64.
> I set up SSLVerifyClient="optional" and since then encounter the following
> problem with Firefox 39.0.03 (IE works OK):
> 
> On first access Firefox shows the client certificate selection dialog. I select a
> certificate and continue. The web application "sees" the selected certificate
> and shows a proper response page.
> But on next access (I click a link) the client certificate is not visible to the
> application any more. It gets null from the method call
> HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
> 
> Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869
> (similar)
> And http://grokbase.com/t/tomcat/users/102pdv412y " [Tomcat-users]
> Client certificate gone after 1 minute timeout (SSL, APR)"
> (even more similar, except for me it fails on next access without a minute of
> waiting)
> As suggested in the second link, clearing cache and authentication in the
> browser is a workaround that works. Kind of, as one has to select the
> certificate again, and do it before every click on a link.
> 
> Strange, just now it worked fine for a few minutes.
> 
> Is this some known issue?
> 
> Without APR, using JSSE, it works fine (and did so for years).
> 
> This started after upgrading yesterday tomcat from 6.0.35_x64 (no APR) to
> apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
> I start tomcat from Eclipse, using JRE 1.6.0_45  (each 64 bit version).
> 
> Firefox version 39.0, today updated to 39.0.3
> 
> The Connector line from server.xml:
> 
> <Connector SSLCACertificateFile="C:/CA_list.pem"
>            SSLCertificateFile="C:/key_public.pem"
>            SSLCertificateKeyFile="C:/key_private.pem"
>            SSLEnabled="true" SSLPassword="changeit"
>            SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
>            SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
>            port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            scheme="https"
>            secure="true" />
> 
> 
> Regards,
> David Balažic
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org



Re: Firefox SSL with APR - losing client certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

On 9/17/15 3:06 PM, David Balažic wrote:
> Anyone with experience debugging SSL issues (with APR or from 
> Firefox/Chrome side) ?

If you use Wireshark or a similar packet-capture rig, can you see
whether the browser is changing the way it sends its data?

With Wireshark, you can install the server's private key and then you
can read all the encrypted traffic. Wireshark will disassemble all the
packets and even give you rich information at the protocol-level about
what's in there. You can probably tell the difference between what
Firefox or Chrome sends to the server both before and after the "loss"
of the certificate.

-chris

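Added example, not part of the thread and not Tomcat code. One thing worth knowing before loading the private key into Wireshark: with TLS 1.0 to 1.2, which is what the SSLProtocol setting above allows, the ClientHello and the client's Certificate message travel in the clear, so a capture already shows, without any decryption, whether the browser performed a full handshake (and which certificate it sent) or asked to resume an earlier session. On a resumed session the client never resends its certificate; the server has to recover it from its own session cache, so a server that only records the certificate during the full handshake sees none on the resumed connection. The private-key trick, by contrast, only decrypts application data for RSA key exchange, not for the (EC)DHE suites modern browsers prefer. The script below is a small parser for the client-to-server half of the handshake stream that reports exactly that distinction; the record builders and the sample handshakes at the bottom are constructed for the example, with placeholder bytes standing in for a real DER certificate.

```python
import struct

HANDSHAKE = 0x16            # TLS record content type
CLIENT_HELLO = 1            # handshake message types
CERTIFICATE = 11
EXT_SESSION_TICKET = 0x0023


def _u24(b):
    return (b[0] << 16) | (b[1] << 8) | b[2]


def iter_records(data):
    """Yield (content_type, body) for each TLS record in a raw byte stream."""
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated TLS record header")
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length


def parse_client_hello(b):
    off = 2 + 32                      # skip client_version and random
    sid_len = b[off]
    off += 1 + sid_len                # skip session_id
    off += 2 + struct.unpack("!H", b[off:off + 2])[0]   # skip cipher_suites
    off += 1 + b[off]                 # skip compression_methods
    ticket = False
    if off + 2 <= len(b):             # extensions block is optional
        end = off + 2 + struct.unpack("!H", b[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", b[off:off + 4])
            ticket = ticket or etype == EXT_SESSION_TICKET
            off += 4 + elen
    return {"type": "ClientHello", "session_id_len": sid_len,
            "session_ticket": ticket,
            "resumption_attempt": sid_len > 0 or ticket}


def parse_certificate(b):
    end, off, lengths = 3 + _u24(b[0:3]), 3, []
    while off < end:
        clen = _u24(b[off:off + 3])
        lengths.append(clen)
        off += 3 + clen
    return {"type": "Certificate", "cert_count": len(lengths),
            "cert_lengths": lengths}


def summarize_handshake(data):
    """One dict per handshake message, in wire order (client->server side)."""
    # Reassemble first: a handshake message may span several records.
    stream = b"".join(body for ctype, body in iter_records(data)
                      if ctype == HANDSHAKE)
    msgs, off = [], 0
    while off < len(stream):
        htype, hlen = stream[off], _u24(stream[off + 1:off + 4])
        hbody = stream[off + 4:off + 4 + hlen]
        if len(hbody) != hlen:
            raise ValueError("truncated handshake message")
        if htype == CLIENT_HELLO:
            msgs.append(parse_client_hello(hbody))
        elif htype == CERTIFICATE:
            msgs.append(parse_certificate(hbody))
        else:
            msgs.append({"type": htype})
        off += 4 + hlen
    return msgs


def classify_client_side(data):
    """'full-with-cert', 'full-no-cert' or 'resumption' for a client->server stream."""
    msgs = summarize_handshake(data)
    hello = next(m for m in msgs if m["type"] == "ClientHello")
    certs = [m for m in msgs if m["type"] == "Certificate"]
    if not certs:
        # An abbreviated handshake never carries a Certificate message; the
        # server must take the client identity from its own session cache.
        return "resumption" if hello["resumption_attempt"] else "full-no-cert"
    # A TLS 1.0+ client with nothing to offer sends an empty certificate list.
    return "full-with-cert" if certs[0]["cert_count"] else "full-no-cert"


# --- builders and constructed samples (not captured traffic) ---------------
def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(body):
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body


def build_client_hello(session_id=b"", ticket=False):
    body = struct.pack("!H", 0x0303) + bytes(32)           # version, random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
    body += b"\x01\x00"                                     # null compression
    ext = struct.pack("!HH", EXT_SESSION_TICKET, 0) if ticket else b""
    body += struct.pack("!H", len(ext)) + ext
    return _record(_handshake(CLIENT_HELLO, body))


def build_certificate(certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return _record(_handshake(CERTIFICATE,
                              len(entries).to_bytes(3, "big") + entries))


FAKE_DER = b"\x30\x82" + bytes(98)        # placeholder, not a real certificate
FULL_HANDSHAKE = build_client_hello() + build_certificate([FAKE_DER])
EMPTY_CERT_HANDSHAKE = build_client_hello() + build_certificate([])
RESUMED_HANDSHAKE = build_client_hello(session_id=bytes(range(32)))
TICKET_HANDSHAKE = build_client_hello(ticket=True)
```

To use it on a real capture, feed classify_client_side() the raw client-to-server bytes of the TCP stream (Wireshark: Follow TCP Stream, one direction, save as raw) for the request that "lost" the certificate and compare with the first request. "resumption" on the failing request points at the server side of the session cache, since the browser is not resending anything it already sent; "full-no-cert" means the browser did a fresh handshake and chose not to offer the certificate again, which is a browser-side matter. This only works for TLS 1.2 and below; in TLS 1.3 everything after the ServerHello is encrypted.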

RE: Firefox SSL with APR - losing client certificate

Posted by David Balažic <da...@comtrade.com>.
Anyone with experience debugging SSL issues (with APR or from Firefox/Chrome side) ?

David Balažic
