You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by "Sweeney, Bill" <bs...@CHARTONE.COM> on 2005/03/24 01:49:56 UTC

[QUAR]Re: clientAuth=true; non-SSL?

 
Thanks QM - 

Agreed.  No way around SSL, as the client certificate request is
dependent on the SSL handshake.



For those in the list who have followed these links while building their
own keystores and self signed certs and client certs for authentication:

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/http.html#SSL%20S
upport
http://java.sun.com/webservices/docs/1.1/tutorial/doc/WebAppSecurity5.ht
ml
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html#genkey
Cmd
http://mark.foster.cc/kb/openssl-keytool.html


I needed to add to the Java Options:
-Djavax.net.ssl.trustStore=[path to]\myClient.keystore 
-Djavax.net.ssl.trustStorePassword=mypassword

Else the server was not finding the client.keystore and was throwing
"bad_certificate" errors. 

Now works fine.  Tested in IE6 and Firefox. 

- wjs 





-----Original Message-----
From: QM [mailto:qm300@brandxdev.net] 
Sent: Wednesday, March 23, 2005 7:10 PM
To: Tomcat Users List
Subject: [QUAR]Re: clientAuth=true; non-SSL?

On Wed, Mar 23, 2005 at 01:21:11PM -0800, Sweeney, Bill wrote:
: The question is this:  Do I need an SSL connection in order to get
: Tomcat to force the presentation of a client side certificate?  In
other
: words, I only want to force authentication, not wrap the connection in
: SSL.

If you want to force authentication using certs (which is what
clientAuth is all about) then I don't see a way around SSL.  The cert
exchange takes place during the SSL handshake.

If you want to just protect access to certain areas of the webapp, check
the Tomcat docs for "realms" and skim the servlet spec for "FORM
authentication."

-QM

-- 

software   -- http://www.brandxdev.net/
tech news  -- http://www.RoarNetworX.com/ code scan  --
http://www.JxRef.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

Re: [QUAR]Re: clientAuth=true; non-SSL?

Posted by Mark Leone <mi...@cox.net>.

You may not be able to get around SSL, but you can go "through" it, so 
to speak. If you want cert-based authentication but you don't want to 
pay the overhead price for crypto processing, or you want your session 
to be accessible to third party systems, then you should be able to 
configure SSL or TLS with null values for the encryption algorithm and 
Message Authentication Code (MAC) (aka hash) algorithm. This is the 
default way that SSL/TLS work until the handshake protocol negotiates a 
cypherspec to use. By specifying null values in the cypherspec you can 
cause the record layer protocol (the underlying transport layer in 
SSL/TLS) to pass the application protocol in the clear just as it does 
the handshake protocol during cypherspec negotiation.

I'm just learning Tomcat, so I can't tell you how to do this in Tomcat. 
But I'm very familiar with the SSL and TLS protocol specs, and I know 
they support null cypherspecs. Hopefully there's a way to configure that 
in Tomcat- or if it's really important you could try hacking the code.

-Mark

Sweeney, Bill wrote:

> 
>Thanks QM - 
>
>Agreed.  No way around SSL, as the client certificate request is
>dependent on the SSL handshake.
>
>
>
>For those in the list who have followed these links while building their
>own keystores and self signed certs and client certs for authentication:
>
>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/http.html#SSL%20S
>upport
>http://java.sun.com/webservices/docs/1.1/tutorial/doc/WebAppSecurity5.ht
>ml
>http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html#genkey
>Cmd
>http://mark.foster.cc/kb/openssl-keytool.html
>
>
>I needed to add to the Java Options:
>-Djavax.net.ssl.trustStore=[path to]\myClient.keystore 
>-Djavax.net.ssl.trustStorePassword=mypassword
>
>Else the server was not finding the client.keystore and was throwing
>"bad_certificate" errors. 
>
>Now works fine.  Tested in IE6 and Firefox. 
>
>- wjs 
>
>
>
>
>
>-----Original Message-----
>From: QM [mailto:qm300@brandxdev.net] 
>Sent: Wednesday, March 23, 2005 7:10 PM
>To: Tomcat Users List
>Subject: [QUAR]Re: clientAuth=true; non-SSL?
>
>On Wed, Mar 23, 2005 at 01:21:11PM -0800, Sweeney, Bill wrote:
>: The question is this:  Do I need an SSL connection in order to get
>: Tomcat to force the presentation of a client side certificate?  In
>other
>: words, I only want to force authentication, not wrap the connection in
>: SSL.
>
>If you want to force authentication using certs (which is what
>clientAuth is all about) then I don't see a way around SSL.  The cert
>exchange takes place during the SSL handshake.
>
>If you want to just protect access to certain areas of the webapp, check
>the Tomcat docs for "realms" and skim the servlet spec for "FORM
>authentication."
>
>-QM
>
>  
>

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org