Posted to users@tomcat.apache.org by Francesco Leone <fr...@ericsson.com> on 2017/02/06 13:49:55 UTC

Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

Dear Sirs,
We are writing to report a behaviour of Apache Tomcat 7.0.59.

Apache Tomcat 7.0.59 is running with:
- RHEL6.6 
- java jdk 1.8.0.74
- OpenSSL 1.0.2g

We have a client-server communication. The client certificate is produced via keytool and we have the same problem highlighted here

http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific

and

http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates


What we understood from reading the whole discussion is that, to solve our problem, we should implement a new X509TrustManager which creates our original instance in its constructor, implements all methods as calls to the original instance, and adds a call to checkValidity for each certificate in certs[] inside checkServerTrusted.

Did we understand correctly? If yes, it sounds to us like a security hole and so a bug in Tomcat. Is there any chance to have this behaviour (refusing connections with expired certificates) as standard in a later Apache Tomcat 7.0.x release?
Can anyone in this community support us?

Best Regards
Francesco


FRANCESCO LEONE Eng. 
Ericsson
francesco.leone@ericsson.com
www.ericsson.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



Re: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

Posted by Mark Thomas <ma...@apache.org>.
On 07/02/17 19:33, George Stanchev wrote:
> Mark,
>
> Apologies for top posting. We have our own trust manager that is
> attached to the connector because we want client certificates to be
> passed in the application for validation and authentication rather
> than the connector. If we switch to the OpenSSL/APR based certificate
> processing, would the trust manager still work? I presume not, but
> wanted to ask and if not, what are the options?

If the application is validating the client certs, just add valid 
to/from date checking to that validation.

Mark


>
>
> -----Original Message----- From: Mark Thomas
> [mailto:markt@apache.org] Sent: Monday, February 06, 2017 7:20 AM To:
> Tomcat Users List <us...@tomcat.apache.org> Subject: Re: Apache
> Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore
> expires, any webclient request is still accepted by server and not
> refused
>
> On 06/02/17 13:49, Francesco Leone wrote:
>> Dear Sirs, We are writing to report a behaviour of Apache Tomcat
>> 7.0.59.
>>
>> Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74
>> - OpenSSL 1.0.2g
>>
>> We have a client-server communication. The client certificate is
>> produced via keytool and we have the same problem highlighted here
>>
>> http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific
>>
>> and
>>
>> http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates
>>
>>
>>
>> What we understood from reading the whole discussion is that, to
>> solve our problem, we should implement a new X509TrustManager which
>> creates our original instance in its constructor, implements all
>> methods as calls to the original instance, and adds a call to
>> checkValidity for each certificate in certs[] inside
>> checkServerTrusted.
>>
>> Did we understand correctly? If yes, it sounds to us like a security
>> hole and so a bug in Tomcat. Is there any chance to have this
>> behaviour (refusing connections with expired certificates) as
>> standard in a later Apache Tomcat 7.0.x release? Can anyone in this
>> community support us?
>
> This is not a Tomcat bug.
>
> If you tell Java to trust a certificate, it will do so and ignore the
> validity period.
>
> I've looked into this in the past and short of implementing your own
> X509TrustManager I haven't yet found an API Tomcat could use to add
> an additional check on the trusted cert's validity.
>
> A better general solution is to trust the CA(s) issuing the client
> certificates rather than the client certificates. Then, because the
> client cert is not in the trust store, Java checks it more thoroughly
> - including the validity dates.
>
> It is also worth looking at using an OpenSSL based TLS connector.
> From what I recall of my previous testing OpenSSL did check the
> validity dates of trusted certs.
>
> Mark
>


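For the application-side validation George describes, the to/from date check Mark suggests, as an added example (not George's code and not part of Tomcat): a servlet filter that reads the client chain Tomcat exposes on the request and refuses out-of-date certificates before the application's own certificate authentication runs. The class name is an assumption, and it assumes the connector is configured with clientAuth so that the chain is present.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Rejects requests whose client certificate chain, as exposed by the
// connector, contains a certificate outside its validity period.
public class CertValidityFilter implements Filter {
    // Standard Servlet request attribute holding the client chain, leaf first.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Returns null when every certificate is within its dates, otherwise the
    // reason for rejection. Kept apart from doFilter so it is unit-testable.
    static String rejectionReason(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return "no client certificate presented"; // app authenticates by cert
        }
        for (X509Certificate cert : chain) {
            try {
                cert.checkValidity();
            } catch (CertificateException e) { // expired or not yet valid
                return cert.getSubjectX500Principal() + ": " + e.getMessage();
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String reason = rejectionReason(certs);
        if (reason != null) {
            // Log server-side only; do not echo certificate details to the client.
            req.getServletContext().log("client certificate rejected: " + reason);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```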


RE: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

Posted by George Stanchev <Gs...@serena.com>.
Mark, 

Apologies for top posting. We have our own trust manager that is attached to the connector because we want client certificates to be passed in the application for validation and authentication rather than the connector. If we switch to the OpenSSL/APR based certificate processing, would the trust manager still work? I presume not, but wanted to ask and if not, what are the options?


-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Monday, February 06, 2017 7:20 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

On 06/02/17 13:49, Francesco Leone wrote:
> Dear Sirs, We are writing to report a behaviour of Apache Tomcat 7.0.59.
>
> Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74 -
> OpenSSL 1.0.2g
>
> We have a client-server communication. The client certificate is
> produced via keytool and we have the same problem highlighted here
>
> http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific
>
> and
>
> http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates
>
>
>
> What we understood from reading the whole discussion is that, to solve
> our problem, we should implement a new X509TrustManager which creates
> our original instance in its constructor, implements all methods as
> calls to the original instance, and adds a call to checkValidity for
> each certificate in certs[] inside checkServerTrusted.
>
> Did we understand correctly? If yes, it sounds to us like a security
> hole and so a bug in Tomcat. Is there any chance to have this behaviour
> (refusing connections with expired certificates) as standard in a later
> Apache Tomcat 7.0.x release? Can anyone in this community support us?

This is not a Tomcat bug.

If you tell Java to trust a certificate, it will do so and ignore the validity period.

I've looked into this in the past and short of implementing your own X509TrustManager I haven't yet found an API Tomcat could use to add an additional check on the trusted cert's validity.

A better general solution is to trust the CA(s) issuing the client certificates rather than the client certificates. Then, because the client cert is not in the trust store, Java checks it more thoroughly - including the validity dates.

It is also worth looking at using an OpenSSL based TLS connector. From what I recall of my previous testing OpenSSL did check the validity dates of trusted certs.

Mark



Re: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused

Posted by Mark Thomas <ma...@apache.org>.
On 06/02/17 13:49, Francesco Leone wrote:
> Dear Sirs, We are writing to report a behaviour of Apache Tomcat 7.0.59.
>
> Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74 -
> OpenSSL 1.0.2g
>
> We have a client-server communication. The client certificate is
> produced via keytool and we have the same problem highlighted here
>
> http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific
>
> and
>
> http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates
>
>
>
> What we understood from reading the whole discussion is that, to solve
> our problem, we should implement a new X509TrustManager which creates
> our original instance in its constructor, implements all methods as
> calls to the original instance, and adds a call to checkValidity for
> each certificate in certs[] inside checkServerTrusted.
>
> Did we understand correctly? If yes, it sounds to us like a security
> hole and so a bug in Tomcat. Is there any chance to have this behaviour
> (refusing connections with expired certificates) as standard in a later
> Apache Tomcat 7.0.x release? Can anyone in this community support us?

This is not a Tomcat bug.

If you tell Java to trust a certificate, it will do so and ignore the 
validity period.

I've looked into this in the past and short of implementing your own 
X509TrustManager I haven't yet found an API Tomcat could use to add an 
additional check on the trusted cert's validity.

A better general solution is to trust the CA(s) issuing the client 
certificates rather than the client certificates. Then, because the 
client cert is not in the trust store, Java checks it more thoroughly - 
including the validity dates.

It is also worth looking at using an OpenSSL based TLS connector. From 
what I recall of my previous testing OpenSSL did check the validity 
dates of trusted certs.

Mark

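A small check tool, added here as an example (not Mark's code and not part of Tomcat), that runs the JSSE default trust manager the way a JSSE connector would against a given trust store and client chain, and reports whether the leaf is trusted directly. Running it once with a trust store that contains the client certificate itself and once with one that contains only the issuing CA shows the difference Mark describes: only the second run subjects an expired leaf to date checking. The class name, the JKS/PEM inputs and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage: java TrustStoreCheck <truststore.jks> <password> <client-chain.pem>
public class TrustStoreCheck {
    // True if the leaf certificate itself is an entry in the trust store,
    // i.e. it is trusted directly rather than through its issuing CA.
    static boolean trustedDirectly(KeyStore ts, X509Certificate leaf) throws Exception {
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            if (leaf.equals(ts.getCertificate(e.nextElement()))) return true;
        }
        return false;
    }

    // Runs the JSSE default trust manager as a JSSE connector would; returns
    // null if the chain is accepted, otherwise the rejection message.
    static String jsseVerdict(KeyStore ts, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkClientTrusted(chain, "RSA");
                return null;
            } catch (CertificateException ex) {
                return ex.toString();
            }
        }
        throw new IllegalStateException("no X509TrustManager");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        FileInputStream pem = new FileInputStream(args[2]);
        Collection<? extends java.security.cert.Certificate> certs =
                CertificateFactory.getInstance("X.509").generateCertificates(pem);
        pem.close();
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]); // leaf first
        System.out.println("leaf notAfter    : " + chain[0].getNotAfter());
        System.out.println("trusted directly : " + trustedDirectly(ts, chain[0]));
        String verdict = jsseVerdict(ts, chain);
        System.out.println("JSSE verdict     : " + (verdict == null ? "ACCEPTED" : verdict));
    }
}
```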