Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/02/03 20:35:11 UTC

DO NOT REPLY [Bug 48677] New: SSL with Form fallback authenticator no longer works in 6.0.24

https://issues.apache.org/bugzilla/show_bug.cgi?id=48677

           Summary: SSL with Form fallback authenticator no longer works
                    in 6.0.24
           Product: Tomcat 6
           Version: 6.0.24
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: preed@swri.org


For quite a while we've been using Tomcat 6.0.20 with the
SSLWithFormFallbackAuthenticator described here:
http://wiki.apache.org/tomcat/SSLWithFORMFallback

We need to have our server first attempt to do user authentication with SSL
certificates, and if that fails, let the user log in with a form.

This no longer works in Tomcat 6.0.24.  Users with certificates can log in
successfully; if a user does not have a certificate, after the cert check
fails, Tomcat seems to close the connection without sending any data back to
the browser.  Since the user never gets the form page, they can't log in.

This log line in particular appears when a user without a certificate tries to
log in with 6.0.24:
WARN http-443-1 org.apache.tomcat.util.net.jsse.JSSESupport - SSL server
initiated renegotiation is disabled, closing connection

That warning message gets printed out between the logging statements at lines
291 and 303 of SSLWithFormFallbackAuthenticator.java (that is, between " No
certificates found in HttpRequest." and "  No certificates included with this
request").  That warning message does not appear when a user without a cert logs
in under Tomcat 6.0.20.

My hunch is that this may be related to the fix for bug 46950, "SSL
renegotiation does not occur when resource with CLIENT-CERT auth is requested",
which was supposedly in the unreleased version 6.0.21.  I'm not sure, though.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 48677] SSL with Form fallback authenticator no longer works in 6.0.24

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48677

P. J. Reed <pr...@swri.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |preed@swri.org



DO NOT REPLY [Bug 48677] SSL with Form fallback authenticator no longer works in 6.0.24

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48677

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #2 from Mark Thomas <ma...@apache.org> 2010-02-04 01:36:38 GMT ---
Questions about allowUnsafeLegacyRenegotiation should be directed to the users
list.



DO NOT REPLY [Bug 48677] SSL with Form fallback authenticator no longer works in 6.0.24

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48677

--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> 2010-02-04 00:08:56 UTC ---
The renegotiation protection feature that you are facing was implemented in
rev.891292.

Note that you can disable it by setting the allowUnsafeLegacyRenegotiation
attribute on a Connector to the value "true". That is documented here:

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/security-6.html

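A defender-side check for the Connector attribute named in Comment #1, added here as an example and not part of this thread or of Tomcat itself: it parses a constructed server.xml and reports every SSL-enabled Connector whose allowUnsafeLegacyRenegotiation is set to "true" (the Tomcat 6.0 default is "false"), so an operator can find where the renegotiation protection has been switched off. The keystore paths and ports in the sample are placeholders.

```python
"""Audit a Tomcat 6 server.xml for SSL connectors that re-enable
server-initiated renegotiation via allowUnsafeLegacyRenegotiation="true".
Added example, not Tomcat code; the server.xml below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: two HTTPS connectors, one with the protection disabled.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="false"
               keystoreFile="/path/to/keystore.jks" keystorePass="changeit"
               allowUnsafeLegacyRenegotiation="true"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="want"
               keystoreFile="/path/to/keystore.jks" keystorePass="changeit"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> list:
    """Return one finding dict per SSL-enabled Connector in the document."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: TLS renegotiation does not apply
        # Attribute absent means the Tomcat default, "false" (protection on).
        unsafe = conn.get("allowUnsafeLegacyRenegotiation", "false").lower() == "true"
        findings.append({
            "port": conn.get("port"),
            "clientAuth": conn.get("clientAuth", "false"),
            "allowUnsafeLegacyRenegotiation": unsafe,
        })
    return findings


def unsafe_ports(server_xml: str) -> list:
    """Ports of SSL connectors where the renegotiation protection is disabled."""
    return [f["port"] for f in audit_connectors(server_xml)
            if f["allowUnsafeLegacyRenegotiation"]]


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        state = "protection DISABLED" if f["allowUnsafeLegacyRenegotiation"] else "protection on (default)"
        print(f"port {f['port']} clientAuth={f['clientAuth']}: {state}")
```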