Posted to users@tomcat.apache.org by Lucas Ventura Carro <us...@gmail.com> on 2016/06/23 11:51:41 UTC

Passing client certificate through Nginx to Tomcat SSL Valve

I have a webapp which reads an X.509 client certificate from the standard
servlet request attribute:
ServletRequest.getAttribute("javax.servlet.request.X509Certificate").
When Tomcat is the HTTPS endpoint, it works like a charm.
But when there is an Nginx as the HTTPS endpoint, and Tomcat is configured
with HTTP, the certificate (of course) won't be in the attribute unless:
  - Nginx is configured to send it through a header, using its variable
    '$ssl_client_cert' [1]
  - The SSL Valve [2] is added to Tomcat (same header as before).

But as a certificate in PEM format, it will contain new lines, and an HTTP
header can't be multi-line (header folding is deprecated [3]).

And here comes the incompatibility: Nginx replaces new lines with tab
characters, but the valve only tries to replace white spaces.
Shouldn't the SSL Valve be smarter and try to replace one or multiple
whitespace characters (the regex '\s+')? Or at least, shouldn't the
delimiter character be configurable?

Thanks!

  [1]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
  [2]: https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/SSLValve.html
  [3]: https://tools.ietf.org/html/rfc7230#section-3.2.4
--
Lucas

Re: Passing client certificate through Nginx to Tomcat SSL Valve

Posted by Mark Thomas <ma...@apache.org>.
On 29/05/17 17:02, Christopher Schultz wrote:
> Mark,
> 
> On 5/29/17 11:40 AM, Christopher Schultz wrote:
>> Mark,
> 
>> On 6/23/16 7:58 AM, Mark Thomas wrote:
>>> On a related topic, I wonder how tolerant 
>>> CertificateFactory.generateCertificate() is since that will have 
>>> an impact on exactly how smart the SSLValve needs to be.
> 
>> Tested with Oracle Java 1.8.0_121:
> 
>> * Normal PEM-encoded cert is parsed just fine by CertificateFactory
>> * Replacing all newlines with a single space causes an error
>> ("Incomplete data")
>> * Replacing all newlines after the first newline (after --- BEGIN ...
>> ---) works as desired
>> * Removing all whitespace after the initial newline works as desired
> 
>> So a certificate that looks like this:
> 
>> -----BEGIN CERTIFICATE-----
>> MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTD
>> ATACERTDATA......-----END
>> CERTIFICATE-----
> 
>> Is good enough for CertificateFactory (in its current form).
> 
>> We may be able to get away with just a single whitespace ->
>> newline character conversion, instead of completely restoring the
>> 64-character-wrapped PEM-encoded certificate.
> 
> Furthermore, CertificateFactory does not complain if there is an
> additional newline between the "-----BEGIN CERTIFICATE-----\n" and the
> rest of the certificate.
> 
> That means that, theoretically, we could simply write the "BEGIN"
> header, then a newline, then everything that follows it regardless of
> the composition, and CertificateFactory should be able to handle it.

Time to open an enhancement request and add this information?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Passing client certificate through Nginx to Tomcat SSL Valve

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 5/29/17 11:40 AM, Christopher Schultz wrote:
> Mark,
> 
> On 6/23/16 7:58 AM, Mark Thomas wrote:
>> On a related topic, I wonder how tolerant 
>> CertificateFactory.generateCertificate() is since that will have 
>> an impact on exactly how smart the SSLValve needs to be.
> 
> Tested with Oracle Java 1.8.0_121:
> 
> * Normal PEM-encoded cert is parsed just fine by CertificateFactory
> * Replacing all newlines with a single space causes an error
> ("Incomplete data")
> * Replacing all newlines after the first newline (after --- BEGIN ...
> ---) works as desired
> * Removing all whitespace after the initial newline works as desired
> 
> So a certificate that looks like this:
> 
> -----BEGIN CERTIFICATE-----
> MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTD
> ATACERTDATA......-----END
> CERTIFICATE-----
> 
> Is good enough for CertificateFactory (in its current form).
> 
> We may be able to get away with just a single whitespace ->
> newline character conversion, instead of completely restoring the
> 64-character-wrapped PEM-encoded certificate.

Furthermore, CertificateFactory does not complain if there is an
additional newline between the "-----BEGIN CERTIFICATE-----\n" and the
rest of the certificate.

That means that, theoretically, we could simply write the "BEGIN"
header, then a newline, then everything that follows it regardless of
the composition, and CertificateFactory should be able to handle it.

-chris

Re: Passing client certificate through Nginx to Tomcat SSL Valve

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 6/23/16 7:58 AM, Mark Thomas wrote:
> On a related topic, I wonder how tolerant 
> CertificateFactory.generateCertificate() is since that will have
> an impact on exactly how smart the SSLValve needs to be.

Tested with Oracle Java 1.8.0_121:

* Normal PEM-encoded cert is parsed just fine by CertificateFactory
* Replacing all newlines with a single space causes an error
("Incomplete data")
* Replacing all newlines after the first newline (after --- BEGIN ...
---) works as desired
* Removing all whitespace after the initial newline works as desired

So a certificate that looks like this:

-----BEGIN CERTIFICATE-----
MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTD
ATACERTDATA......-----END
CERTIFICATE-----

Is good enough for CertificateFactory (in its current form).

We may be able to get away with just a single whitespace -> newline
character conversion, instead of completely restoring the
64-character-wrapped PEM-encoded certificate.

-chris

Re: Passing client certificate through Nginx to Tomcat SSL Valve

Posted by Mark Thomas <ma...@apache.org>.
On 23/06/2016 12:51, Lucas Ventura Carro wrote:
<snip/>

> And here comes the incompatibility: Nginx replaces new lines with tab
> characters, but the valve only try to change white spaces.
> Should not be the SSL Valve smarter and try to replace one or multiple
> whitespaces (the regex '\s+')? Or at least should be configurable the
> delimiter character?

Smarter sounds good to me. Why not try and write a patch for this?

On a related topic, I wonder how tolerant
CertificateFactory.generateCertificate() is since that will have an
impact on exactly how smart the SSLValve needs to be.

Mark

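The normalization the thread is asking the SSL Valve to do, as an added example that is not Tomcat's SSLValve code and not code from anyone in the thread. It is written in Python rather than Java so that it runs stand-alone: it rebuilds a canonical 64-column PEM block from a single-line header value no matter which whitespace nginx used between the lines (tabs, spaces, or runs of either), anchors on the BEGIN/END armor first so that the space inside "BEGIN CERTIFICATE" is not mistaken for a line break, and validates the base64 body before handing it on. The certificate bytes are a constructed placeholder, not a real DER certificate, so the example stops short of calling a certificate parser; CertificateFactory is assumed to accept the canonical form, which is what the tests reported in the thread say. The naive space-to-newline replacement that the original poster describes is included beside it to show where it fails on tab-delimited input.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder bytes standing in for a DER certificate; this is not
# a real certificate, so no parser is invoked on it.
CONSTRUCTED_DER = bytes(range(256))


def make_pem(der: bytes) -> str:
    """Encode DER bytes as canonical PEM: armor lines plus 64-column base64."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def nginx_header_value(pem: str, delimiter: str = "\t") -> str:
    """Simulate what lands in the header: the thread reports that nginx's
    $ssl_client_cert has every newline replaced by a tab. Assumption: the
    header is built from the PEM text with its trailing newline stripped."""
    return pem.strip("\n").replace("\n", delimiter)


def naive_space_to_newline(header_value: str) -> str:
    """The behaviour the original poster complains about: only spaces are
    turned back into newlines. Tab-delimited input is left untouched, and
    the space inside 'BEGIN CERTIFICATE' is wrongly split."""
    return header_value.replace(" ", "\n")


def normalize_header_pem(header_value: str) -> str:
    """Rebuild canonical PEM from a one-line header value, whatever whitespace
    separated the original lines (the '\\s+' the original poster suggests).
    Raises ValueError when the value is not a well-formed certificate block,
    so a malformed or empty header is rejected instead of passed downstream."""
    flat = re.sub(r"\s+", " ", header_value).strip()
    if not (flat.startswith(BEGIN) and flat.endswith(END)):
        raise ValueError("header value lacks PEM certificate armor")
    # Everything between the armor lines is base64; drop all remaining
    # whitespace rather than guessing which character was the line break.
    body = re.sub(r"\s+", "", flat[len(BEGIN):-len(END)])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not base64")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body does not decode: {exc}") from exc
    # Re-wrap at 64 columns so even a strict PEM reader is satisfied.
    return make_pem(der)


if __name__ == "__main__":
    pem = make_pem(CONSTRUCTED_DER)
    tabbed = nginx_header_value(pem)
    print("naive fix-up leaves tabs:", "\t" in naive_space_to_newline(tabbed))
    print("normalized == original:", normalize_header_pem(tabbed) == pem)
```

Independently of how the value is parsed, the valve-side check that matters is that the header must be trusted only when the reverse proxy itself sets it: nginx should overwrite the header on every request it forwards (a proxy_set_header directive) rather than pass through whatever a client supplied, because otherwise a client could present an arbitrary certificate string to Tomcat without ever having completed a TLS handshake with it.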