Posted to users@tomcat.apache.org by Racine Faye <ra...@gmail.com> on 2017/06/21 16:38:50 UTC

Tomcat 8.5.15 Client Authentication Trust Store Changes

I have noticed that in Tomcat 8.5.15 on the Windows Server 2008 Operating
System that the way that tomcat presents user certificates has changed. I
have a trust store that I use on the tomcat 8.5.14 version that has only
DoD intermediate Email certificates which makes it so when users go to the
site they are prompted for only their email cert. When upgrading to 8.5.15
I used the same trust store and it now prompts for all certificates on the
computer. I am not sure if that is intended behavior or an oversight but it
is kind of confusing to users to be presented certificates that they can't
use. Another reason for having them only select the email cert is that only
the email certificate contains the information that we need to get their
user ID. I want to see if anyone else is having this issue or if anyone has
noticed that when specifying a trust store in Tomcat 8.5.15 that it will
present the user with all the certificates they have rather than only the
ones that the trust store will accept. To rule out an issue with my server
xml I have installed both 8.5.15 and 8.5.14 on the server and used the
exact same server.xml file and I see that the 8.5.14 version will ask the
user for only 1 cert and that the 8.5.15 version will ask the user for all
certs. If anyone has a fix for this or might know what is going on or if
there is an extra configuration needed that would be helpful.

Re: Tomcat 8.5.15 Client Authentication Trust Store Changes

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Racine,

On 6/21/17 3:53 PM, Racine Faye wrote:
> Thanks for the reply Christopher. The way tomcat has always worked
> in the past (before 8.5.15), is that your trust store is what
> tomcat uses to decide what certificates the browser should show to
> the user because it only shows them certificates that are in the
> certificate chain of whatever you import into your trust store. So
> if you import a root certificate it will show everything that has
> that root certificate in its chain but if you import in an
> intermediate it will only show the certificates that the
> intermediate accepts.
I understand all that. But what is important is that the client
(browser) determines which certificates are acceptable based upon what
the server provides.

> So the way it works for DoD is that on each CAC there are 2 client 
> authentication certificates one Email Cert and one ID cert. They 
> contain different information mainly the email address is only 
> contained in the Email cert. When users are prompted to select a 
> certificate they are only supposed to be given the selection of
> what certificates are in the trust store because it knows that
> anything not in that trust store won't be accepted anyways.
Right.

> When you set the clientAuth to true in the connector that is what 
> makes it so Tomcat then asks for a certificate from the user for 
> validation.
Correct.

> I have used both IE and Chrome and I get the same results in both.
> I am pretty sure it is not a browser issue though because I have
> both Tomcat 8.5.15 and 8.5.14 running on the same server using the
> same trust store and 8.5.14 asks for only Certificates that are in
> the Chain of the Intermediates that I imported in and 8.5.15 asks
> for all of the certificates.
Okay, that's good that you have eliminated some variables. I'm still
interested in what the differences are... there shouldn't be much
change between the two versions.

> Unfortunately I am not able to run openssl as I am on a government
> network and the software we can use is restricted.
Can you connect from another host where your software is less
restricted? What software CAN you run?

You can write a Java-based program that will connect to the server,
and run it in debug mode so the JVM is dumping tons of stuff to the
console. Are you allowed to compile and run some Java code?

> https://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication
>
> The previous link has a pretty good explanation of the way Tomcat
> has always worked in the past in the comments and explains about
> the behavior I am expecting.
I thoroughly understand what you are expecting. What you are
experiencing is... unexpected.

Can you share your <Connector> configuration from both versions of
Tomcat? Remember to remove any secrets that may be in that
configuration.

Which connector are you actually using? You say "trust store" so I
would normally expect that you are using a Java-based connector with
JSSE. But since Tomcat 8.5.x you can use OpenSSL with Java-based
connectors, and the crypto is handled by a different subsystem
(OpenSSL instead of JSSE). Also, are you running on Windows or some
Unix-like system? In either case, do you have libtcnative or
tcnative.dll active? If so, what version?

- -chris

> On Wed, Jun 21, 2017 at 1:16 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
> Racine,
> 
> On 6/21/17 12:38 PM, Racine Faye wrote:
>>>> I have noticed that in Tomcat 8.5.15 on the Windows Server
>>>> 2008 Operating System that the way that tomcat presents user 
>>>> certificates has changed. I have a trust store that I use on
>>>> the tomcat 8.5.14 version that has only DoD intermediate
>>>> Email certificates which makes it so when users go to the
>>>> site they are prompted for only their email cert.
>>>> 
>>>> When upgrading to 8.5.15 I used the same trust store and it
>>>> now prompts for all certificates on the computer.
> 
> What prompts for all certificates on the computer?
> 
>>>> I am not sure if that is intended behavior or an oversight
>>>> but it is kind of confusing to users to be presented
>>>> certificates that they can't use.
> I don't believe Tomcat is presenting any certificates to the user,
> is it? It's the browser that is showing the certificate selection
> to the user. What browser are you using?
> 
>>>> Another reason for having them only select the email cert is
>>>> that only the email certificate contains the information that
>>>> we need to get their user ID.
> This is informative, but not really relevant. Theoretically, the
> user can provide any certificate that has been signed by a
> certificate in the trust store. So if the user decides to provide a
> signed certificate that does *not* have the email address in it,
> then your application needs to be the one signalling an error.
> 
>>>> I want to see if anyone else is having this issue or if
>>>> anyone has noticed that when specifying a trust store in
>>>> Tomcat 8.5.15 that it will present the user with all the
>>>> certificates they have rather than only the ones that the
>>>> trust store will accept.
> 
>>>> To rule out an issue with my server xml I have installed
>>>> both 8.5.15 and 8.5.14 on the server and used the exact same
>>>> server.xml file and I see that the 8.5.14 version will ask
>>>> the user for only 1 cert and that the 8.5.15 version will ask
>>>> the user for all certs. If anyone has a fix for this or might
>>>> know what is going on or if there is an extra configuration
>>>> needed that would be helpful.
> 
> Are you using the same web browser with both Tomcat versions? What 
> browser(s) are you using? Versions? What OS?
> 
> Are you able to run openssl s_client against your Tomcat server?
> That can tell you what the server is providing as part of the TLS 
> handshake... you may be able to tell the difference between what
> certs are being sent back with the handshake.
> 
> -chris
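The Java client Chris suggests, written out as an added example (not code from this thread or from the Tomcat project). The fact the whole thread turns on is the certificate_authorities list the server sends in the TLS CertificateRequest message: browsers filter the certificate picker against that list, so a server that sends the trust store's intermediate DNs gets a one-certificate prompt and a server that sends an empty list gets every certificate on the machine. JSSE hands that list to the client's X509KeyManager as the issuers argument of chooseClientAlias, so a key manager that owns no keys and only prints what it is asked for is enough to see what each Tomcat version is advertising. Host, port and the optional trust store arguments are assumptions supplied on the command line; nothing here is specific to the poster's environment.

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

/**
 * Added diagnostic (not part of the original thread): connects to a TLS
 * server and prints the CA names it sends in the CertificateRequest message.
 */
public final class AcceptableCaProbe {

    /** Key manager with no certificates; it only records what the server asks for. */
    static final class ProbeKeyManager extends X509ExtendedKeyManager {
        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            // JSSE calls this while processing CertificateRequest; 'issuers' is the
            // certificate_authorities list exactly as the server sent it.
            System.out.println("Server requested a client certificate.");
            System.out.println("Key types offered: "
                    + (keyTypes == null ? "(none)" : String.join(", ", keyTypes)));
            if (issuers == null || issuers.length == 0) {
                System.out.println("certificate_authorities is EMPTY: a browser will offer every cert it has.");
            } else {
                System.out.println("certificate_authorities (" + issuers.length + " entries):");
                for (Principal issuer : issuers) {
                    System.out.println("  " + issuer.getName());
                }
            }
            return null; // offer no certificate; the server may then abort, which is fine for a probe
        }

        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return null; }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
        @Override public X509Certificate[] getCertificateChain(String alias) { return null; }
        @Override public PrivateKey getPrivateKey(String alias) { return null; }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: AcceptableCaProbe <host> <port> [truststore [password]]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // The server certificate is validated before CertificateRequest is read, so a
        // server with a private CA needs a trust store that contains that CA here.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (args.length >= 3) {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            char[] password = args.length >= 4 ? args[3].toCharArray() : null;
            try (InputStream in = new FileInputStream(args[2])) {
                ts.load(in, password);
            }
            tmf.init(ts);
        } else {
            tmf.init((KeyStore) null); // JVM default trust store (cacerts)
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new ProbeKeyManager() }, tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("Handshake completed using " + socket.getSession().getProtocol());
        } catch (Exception e) {
            // Expected when the connector requires a client certificate and we sent none;
            // the CA list has already been printed by then.
            System.out.println("Handshake ended: " + e.getMessage());
        }
    }
}
```

Run it once against each instance (`java AcceptableCaProbe <host> 8443`), adding `-Djavax.net.debug=ssl:handshake` if you also want the raw handshake dump Chris mentions, and diff the two outputs. If 8.5.14 lists the intermediate DNs from the trust store and 8.5.15 prints an empty list, the server is the variable and the browser is behaving correctly; if both print the same DNs, the difference lies on the client side.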

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 8.5.15 Client Authentication Trust Store Changes

Posted by Mark Thomas <ma...@apache.org>.
On 21/06/17 20:53, Racine Faye wrote:
> Thanks for the reply Christopher. The way tomcat has always worked in
> the past (before 8.5.15), is that your trust store is what tomcat uses
> to decide what certificates the browser should show to the user
> because it only shows them certificates that are in the certificate
> chain of whatever you import into your trust store. So if you import a
> root certificate it will show everything that has that root
> certificate in its chain but if you import in an intermediate it will
> only show the certificates that the intermediate accepts. So the way
> it works for DoD is that on each CAC there are 2 client authentication
> certificates one Email Cert and one ID cert. They contain different
> information mainly the email address is only contained in the Email
> cert. When users are prompted to select a certificate they are only
> supposed to be given the selection of what certificates are in the
> trust store because it knows that anything not in that trust store
> won't be accepted anyways. When you set the clientAuth to true in the
> connector that is what makes it so Tomcat then asks for a certificate
> from the user for validation. I have used both IE and Chrome and I get
> the same results in both. I am pretty sure it is not a browser issue
> though because I have both Tomcat 8.5.15 and 8.5.14 running on the
> same server using the same trust store and 8.5.14 asks for only
> Certificates that are in the Chain of the Intermediates that I
> imported in and 8.5.15 asks for all of the certificates. Unfortunately
> I am not able to run openssl as I am on a government network and the
> software we can use is restricted.
> https://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication
> The previous link has a pretty good explanation of the way Tomcat has
> always worked in the past in the comments and explains about the
> behavior I am expecting.

I cannot reproduce the behaviour you are seeing.

I have tested with 8.5.14 and 8.5.15 (building both from source) and in
both cases specifying a truststoreFile limits the certs presented by the
browser to those signed by those in the truststoreFile.

That said, there have been quite a few changes in the TLS configuration
for 8.5.x and 9.0.x and it is possible that some edge cases exist that
are not handled correctly.

If you want us to look at this further you are going to need to provide
a test case that demonstrates the problem. This will need to include:

- Connector configuration for server.xml that reproduces the issue
- A complete set of keystores, certs and keys to configure Tomcat and
  the browser
- Instructions on how to reproduce the issue

Obviously don't use real certs for any of the above. The TLS generation
presentation from 2016 may help you create all of these.
http://tomcat.apache.org/presentations.html

Finally, all of the above needs to be as simple as possible.

Mark



Re: Tomcat 8.5.15 Client Authentication Trust Store Changes

Posted by Racine Faye <ra...@gmail.com>.
Thanks for the reply Christopher. The way tomcat has always worked in
the past (before 8.5.15), is that your trust store is what tomcat uses
to decide what certificates the browser should show to the user
because it only shows them certificates that are in the certificate
chain of whatever you import into your trust store. So if you import a
root certificate it will show everything that has that root
certificate in its chain but if you import in an intermediate it will
only show the certificates that the intermediate accepts. So the way
it works for DoD is that on each CAC there are 2 client authentication
certificates one Email Cert and one ID cert. They contain different
information mainly the email address is only contained in the Email
cert. When users are prompted to select a certificate they are only
supposed to be given the selection of what certificates are in the
trust store because it knows that anything not in that trust store
won't be accepted anyways. When you set the clientAuth to true in the
connector that is what makes it so Tomcat then asks for a certificate
from the user for validation. I have used both IE and Chrome and I get
the same results in both. I am pretty sure it is not a browser issue
though because I have both Tomcat 8.5.15 and 8.5.14 running on the
same server using the same trust store and 8.5.14 asks for only
Certificates that are in the Chain of the Intermediates that I
imported in and 8.5.15 asks for all of the certificates. Unfortunately
I am not able to run openssl as I am on a government network and the
software we can use is restricted.
https://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication
The previous link has a pretty good explanation of the way Tomcat has
always worked in the past in the comments and explains about the
behavior I am expecting.

On Wed, Jun 21, 2017 at 1:16 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Racine,
>
> On 6/21/17 12:38 PM, Racine Faye wrote:
>> I have noticed that in Tomcat 8.5.15 on the Windows Server 2008
>> Operating System that the way that tomcat presents user
>> certificates has changed. I have a trust store that I use on the
>> tomcat 8.5.14 version that has only DoD intermediate Email
>> certificates which makes it so when users go to the site they are
>> prompted for only their email cert.
>>
>> When upgrading to 8.5.15 I used the same trust store and it now
>> prompts for all certificates on the computer.
>
> What prompts for all certificates on the computer?
>
>> I am not sure if that is intended behavior or an oversight but it
>> is kind of confusing to users to be presented certificates that
>> they can't use.
> I don't believe Tomcat is presenting any certificates to the user, is
> it? It's the browser that is showing the certificate selection to the
> user. What browser are you using?
>
>> Another reason for having them only select the email cert is that
>> only the email certificate contains the information that we need
>> to get their user ID.
> This is informative, but not really relevant. Theoretically, the user
> can provide any certificate that has been signed by a certificate in
> the trust store. So if the user decides to provide a signed
> certificate that does *not* have the email address in it, then your
> application needs to be the one signalling an error.
>
>> I want to see if anyone else is having this issue or if anyone has
>> noticed that when specifying a trust store in Tomcat 8.5.15 that it
>> will present the user with all the certificates they have rather
>> than only the ones that the trust store will accept.
>
>> To rule out an issue with my server xml I have installed both
>> 8.5.15 and 8.5.14 on the server and used the exact same server.xml
>> file and I see that the 8.5.14 version will ask the user for only 1
>> cert and that the 8.5.15 version will ask the user for all certs.
>> If anyone has a fix for this or might know what is going on or if
>> there is an extra configuration needed that would be helpful.
>
> Are you using the same web browser with both Tomcat versions? What
> browser(s) are you using? Versions? What OS?
>
> Are you able to run openssl s_client against your Tomcat server? That
> can tell you what the server is providing as part of the TLS
> handshake... you may be able to tell the difference between what certs
> are being sent back with the handshake.
>
> - -chris



Re: Tomcat 8.5.15 Client Authentication Trust Store Changes

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Racine,

On 6/21/17 12:38 PM, Racine Faye wrote:
> I have noticed that in Tomcat 8.5.15 on the Windows Server 2008 
> Operating System that the way that tomcat presents user
> certificates has changed. I have a trust store that I use on the
> tomcat 8.5.14 version that has only DoD intermediate Email
> certificates which makes it so when users go to the site they are
> prompted for only their email cert.
> 
> When upgrading to 8.5.15 I used the same trust store and it now 
> prompts for all certificates on the computer.

What prompts for all certificates on the computer?

> I am not sure if that is intended behavior or an oversight but it
> is kind of confusing to users to be presented certificates that
> they can't use.
I don't believe Tomcat is presenting any certificates to the user, is
it? It's the browser that is showing the certificate selection to the
user. What browser are you using?

> Another reason for having them only select the email cert is that 
> only the email certificate contains the information that we need
> to get their user ID.
This is informative, but not really relevant. Theoretically, the user
can provide any certificate that has been signed by a certificate in
the trust store. So if the user decides to provide a signed
certificate that does *not* have the email address in it, then your
application needs to be the one signalling an error.

> I want to see if anyone else is having this issue or if anyone has
> noticed that when specifying a trust store in Tomcat 8.5.15 that it
> will present the user with all the certificates they have rather
> than only the ones that the trust store will accept.

> To rule out an issue with my server xml I have installed both
> 8.5.15 and 8.5.14 on the server and used the exact same server.xml
> file and I see that the 8.5.14 version will ask the user for only 1
> cert and that the 8.5.15 version will ask the user for all certs.
> If anyone has a fix for this or might know what is going on or if
> there is an extra configuration needed that would be helpful.

Are you using the same web browser with both Tomcat versions? What
browser(s) are you using? Versions? What OS?

Are you able to run openssl s_client against your Tomcat server? That
can tell you what the server is providing as part of the TLS
handshake... you may be able to tell the difference between what certs
are being sent back with the handshake.

- -chris