Posted to users@tomcat.apache.org by Amit Pande <Am...@veritas.com.INVALID> on 2024/03/15 00:48:39 UTC

Regression in mutual authentication in 9.0.86+?

Hello all,

I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with 9.0.87 too).

Some of our tests which involve mutual authentication ("certificateVerification = optional") have started to fail.

In tests where the client does pass the certificate, I didn't see any SSL handshake errors (with SSL handshake debugging enabled) but "javax.servlet.request.X509Certificate" attribute wasn't set. This is the attribute the application needs for further validations.

Could anyone please give pointers on how to debug this further?

Any code pointers where Tomcat sets this "javax.servlet.request.X509Certificate" attribute?

Also, one more question - with optional certificate verification, the connection doesn't fail if a certificate is not passed. But the connection will fail if the SSL handshake fails when a certificate is passed by the client, is that a correct understanding?

Thanks,
Amit






Re: Regression in mutual authentication in 9.0.86+?

Posted by Mark Thomas <ma...@apache.org>.
On 21/03/2024 16:12, Amit Pande wrote:
> Thank you Mark for your inputs.
> 
> Upon further debugging, it looks like the issue we ran into is also with the reloading of SSL context.
> 
> Test execution sequence:
> 1. Add a trusted CA in Tomcat's trust store.
> 2. The SSL context is reloaded if either the trust store or the key store has changes.
> 3. Perform a mutual client authentication using a client certificate signed by the CA used in step 1.
> 
> Still a bit puzzled that in such a case there was no SSL handshake failure at the Tomcat level, but the request made it to the application and failed (due to an empty javax.servlet.request.X509Certificate).

It sounds like you have optional certificate verification enabled.

> One follow-up question:
> 
> Are we planning to have an immediate 9.0.88 release, or will it be the regular cadence? Asking because the versions up to 9.0.85 have vulnerabilities reported and this regression might potentially block the upgrade to 9.0.86/87.

This fix will be picked up in the April release round.

Mark


> Lastly, I wholeheartedly echo the gratitude many have expressed around the awesome Tomcat leads.
> 
> Thanks,
> Amit
> 
> 
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Monday, March 18, 2024 4:41 AM
> To: users@tomcat.apache.org
> Subject: Re: Regression in mutual authentication in 9.0.86+?
> 
> 
> I've just tested 9.0.x and mutual TLS authentication appears to be working as expected.
> 
> I suggest starting with testing a simple JSP that echoes that attribute and if you still see the issue, provide us with your configuration. Note that the issue may be related to the certs you are using so the configuration information should include steps to recreate the TLS certs with keystore, OpenSSL or similar.
> 
> On 15/03/2024 00:48, Amit Pande wrote:
>> Hello all,
>>
>> I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with 9.0.87 too).
>>
>> Some of our tests which involve mutual authentication ("certificateVerification = optional") have started to fail.
>>
>> In tests where the client does pass the certificate, I didn't see any SSL handshake errors (with SSL handshake debugging enabled) but "javax.servlet.request.X509Certificate" attribute wasn't set. This is the attribute the application needs for further validations.
> 
> Have you confirmed that the certificate was sent from the client?
> 
>> Could anyone please give pointers on how to debug this further?
>>
>> Any code pointers where Tomcat sets this "javax.servlet.request.X509Certificate" attribute?
> 
> git clone
> grep
> 
>> Also, one more question - with optional certificate verification, the connection doesn't fail if a certificate is not passed. But the connection will fail if the SSL handshake fails when a certificate is passed by the client, is that a correct understanding?
> 
> Yes, that is what I would expect.
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 



RE: Regression in mutual authentication in 9.0.86+?

Posted by Amit Pande <Am...@veritas.com.INVALID>.
Thank you Mark for your inputs.

Upon further debugging, it looks like the issue we ran into is also with the reloading of SSL context.

Test execution sequence:
1. Add a trusted CA in Tomcat's trust store.
2. The SSL context is reloaded if either the trust store or the key store has changes.
3. Perform a mutual client authentication using a client certificate signed by the CA used in step 1.

Still a bit puzzled that in such a case there was no SSL handshake failure at the Tomcat level, but the request made it to the application and failed (due to an empty javax.servlet.request.X509Certificate).

One follow-up question:

Are we planning to have an immediate 9.0.88 release, or will it be the regular cadence? Asking because the versions up to 9.0.85 have vulnerabilities reported and this regression might potentially block the upgrade to 9.0.86/87.

Lastly, I wholeheartedly echo the gratitude many have expressed around the awesome Tomcat leads.

Thanks,
Amit


-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Monday, March 18, 2024 4:41 AM
To: users@tomcat.apache.org
Subject: Re: Regression in mutual authentication in 9.0.86+?


I've just tested 9.0.x and mutual TLS authentication appears to be working as expected.

I suggest starting with testing a simple JSP that echoes that attribute and if you still see the issue, provide us with your configuration. Note that the issue may be related to the certs you are using so the configuration information should include steps to recreate the TLS certs with keystore, OpenSSL or similar.

On 15/03/2024 00:48, Amit Pande wrote:
> Hello all,
>
> I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with 9.0.87 too).
>
> Some of our tests which involve mutual authentication ("certificateVerification = optional") have started to fail.
>
> In tests where the client does pass the certificate, I didn't see any SSL handshake errors (with SSL handshake debugging enabled) but "javax.servlet.request.X509Certificate" attribute wasn't set. This is the attribute the application needs for further validations.

Have you confirmed that the certificate was sent from the client?

> Could anyone please give pointers on how to debug this further?
>
> Any code pointers where Tomcat sets this "javax.servlet.request.X509Certificate" attribute?

git clone
grep

> Also, one more question - with optional certificate verification, the connection doesn't fail if a certificate is not passed. But the connection will fail if the SSL handshake fails when a certificate is passed by the client, is that a correct understanding?

Yes, that is what I would expect.

Mark



Re: Regression in mutual authentication in 9.0.86+?

Posted by Mark Thomas <ma...@apache.org>.
I've just tested 9.0.x and mutual TLS authentication appears to be 
working as expected.

I suggest starting with testing a simple JSP that echoes that attribute 
and if you still see the issue, provide us with your configuration. Note 
that the issue may be related to the certs you are using so the 
configuration information should include steps to recreate the TLS certs 
with keystore, OpenSSL or similar.

On 15/03/2024 00:48, Amit Pande wrote:
> Hello all,
> 
> I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with 9.0.87 too).
> 
> Some of our tests which involve mutual authentication ("certificateVerification = optional") have started to fail.
> 
> In tests where the client does pass the certificate, I didn't see any SSL handshake errors (with SSL handshake debugging enabled) but "javax.servlet.request.X509Certificate" attribute wasn't set. This is the attribute the application needs for further validations.

Have you confirmed that the certificate was sent from the client?

> Could anyone please give pointers on how to debug this further?
> 
> Any code pointers where Tomcat sets this "javax.servlet.request.X509Certificate" attribute?

git clone
grep

> Also, one more question - with optional certificate verification, the connection doesn't fail if a certificate is not passed. But the connection will fail if the SSL handshake fails when a certificate is passed by the client, is that a correct understanding?

Yes, that is what I would expect.

Mark

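The "simple JSP that echoes that attribute" Mark suggests, written out as an added example (it is not code from the thread or from Tomcat). It assumes it is deployed as a plain JSP on the HTTPS connector under test; the attribute names are the standard Servlet-spec TLS request attributes, and it distinguishes the "no certificate in the request" case that an optional-verification connector hands to the application.

```jsp
<%@ page import="java.security.cert.X509Certificate" contentType="text/plain" %>
<%
    // Standard Servlet-spec TLS attributes; the container fills them in
    // from the TLS session of the connection carrying this request.
    X509Certificate[] chain =
        (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

    out.println("secure       = " + request.isSecure());
    out.println("cipher_suite = " + request.getAttribute("javax.servlet.request.cipher_suite"));
    out.println("key_size     = " + request.getAttribute("javax.servlet.request.key_size"));

    if (chain == null || chain.length == 0) {
        // With certificateVerification="optional" this is what the application
        // sees when the client sent no certificate (or the container did not
        // accept what was sent): the request arrives, but without a chain.
        out.println("client_cert  = (none)");
    } else {
        // Echo each certificate in the chain the container verified, leaf first.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            out.println("[" + i + "] subject  = " + c.getSubjectX500Principal());
            out.println("    issuer   = " + c.getIssuerX500Principal());
            out.println("    serial   = " + c.getSerialNumber().toString(16));
            out.println("    notAfter = " + c.getNotAfter());
        }
    }
%>
```

Requesting this page once before and once after the trust-store reload in the test sequence shows directly whether the chain reaches the application or only the cipher suite does.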