Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/02/03 20:35:11 UTC
DO NOT REPLY [Bug 48677] New: SSL with Form fallback authenticator no longer works in 6.0.24
https://issues.apache.org/bugzilla/show_bug.cgi?id=48677
Summary: SSL with Form fallback authenticator no longer works in 6.0.24
Product: Tomcat 6
Version: 6.0.24
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: preed@swri.org
For quite a while we've been using Tomcat 6.0.20 with the
SSLWithFormFallbackAuthenticator described here:
http://wiki.apache.org/tomcat/SSLWithFORMFallback
We need to have our server first attempt to do user authentication with SSL
certificates, and if that fails, let the user log in with a form.
This no longer works in Tomcat 6.0.24. Users with certificates can log in
successfully; if a user does not have a certificate, after the cert check
fails, Tomcat seems to close the connection without sending any data back to
the browser. Since the user never gets the form page, they can't log in.
This log line in particular appears when a user without a certificate tries to
log in with 6.0.24:
WARN http-443-1 org.apache.tomcat.util.net.jsse.JSSESupport - SSL server initiated renegotiation is disabled, closing connection
That warning message gets printed out between the logging statements at lines
291 and 303 of SSLWithFormFallbackAuthenticator.java (that is, between "No
certificates found in HttpRequest." and "No certificates included with this
request"). That warning message does not appear when a user without a cert logs
in under Tomcat 6.0.20.
My hunch is that this may be related to the fix for bug 46950, "SSL
renegotiation does not occur when resource with CLIENT-CERT auth is requested",
which was supposedly in the unreleased version 6.0.21. I'm not sure, though.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 48677] SSL with Form fallback authenticator no longer works in 6.0.24
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48677
P. J. Reed <pr...@swri.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |preed@swri.org
DO NOT REPLY [Bug 48677] SSL with Form fallback authenticator no longer works in 6.0.24
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48677
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #2 from Mark Thomas <ma...@apache.org> 2010-02-04 01:36:38 GMT ---
Questions about allowUnsafeLegacyRenegotiation should be directed to the users
list.
DO NOT REPLY [Bug 48677] SSL with Form fallback authenticator no longer works in 6.0.24
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48677
--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> 2010-02-04 00:08:56 UTC ---
The renegotiation protection feature that you are facing was implemented in
rev.891292.
Note that you can disable it by setting the allowUnsafeLegacyRenegotiation
attribute on a Connector to the value "true". That is documented here:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/security-6.html
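Added example (not from the bug report, the thread's participants, or the Tomcat project's own documentation): two server.xml Connector definitions for Tomcat 6.0.24 that show the two ways out of the situation the reporter describes. The first is what Comment #1 points at, re-enabling server-initiated renegotiation via allowUnsafeLegacyRenegotiation; the second avoids renegotiation altogether by asking for the client certificate in the initial handshake with clientAuth="want", so a user without a certificate still completes the handshake and can be sent to the login form. Keystore and truststore paths, passwords and the port are placeholders. Pick one of the two; they are alternatives, not meant to be deployed together.

```xml
<!-- Added example, not code from the Tomcat project or the bug reporter.
     Paths, passwords and port are placeholders (assumptions). -->

<!-- (a) What Comment #1 describes: re-enable server-initiated renegotiation so
     that an authenticator can request a client certificate after the initial
     handshake (the CLIENT-CERT path the form-fallback authenticator relies on).
     This opts back in to the legacy renegotiation behaviour that 6.0.24
     disabled for security reasons, so accept that trade-off knowingly. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="/etc/tomcat6/keystore.jks" keystorePass="changeit"
           clientAuth="false"
           allowUnsafeLegacyRenegotiation="true" />

<!-- (b) Alternative that needs no renegotiation: request the certificate during
     the initial handshake but do not require it. For users who present no
     certificate the handshake still completes; the request attribute
     javax.servlet.request.X509Certificate is simply absent, and the fallback
     authenticator can redirect them to the FORM login page. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="/etc/tomcat6/keystore.jks" keystorePass="changeit"
           truststoreFile="/etc/tomcat6/truststore.jks" truststorePass="changeit"
           clientAuth="want" />
```

With variant (b), the truststore must contain the CA(s) that issue the user certificates, and browsers that hold a matching certificate may prompt the user to choose one on connection setup. The log line the reporter quotes ("SSL server initiated renegotiation is disabled, closing connection") is the signal to look for in catalina.out when deciding which variant is in effect: it should disappear under either configuration.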