Posted to users@tomcat.apache.org by David Balažic <da...@comtrade.com> on 2015/08/07 17:37:56 UTC

Firefox SSL with APR - losing client certificate

Hi!

I use tomcat 6.0.44 with APR on Windows x64.
I set up SSLVerifyClient="optional" and since then encounter the following problem with Firefox 39.0.03 (IE works OK):

On first access Firefox shows the client certificate selection dialog. I select a certificate and continue. The web application "sees" the selected certificate and shows a proper response page.
But on next access (I click a link) the client certificate is not visible to the application any more. It gets null from the method call
HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")

Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869 (similar)
And http://grokbase.com/t/tomcat/users/102pdv412y " [Tomcat-users] Client certificate gone after 1 minute timeout (SSL, APR)"
(even more similar, except for me it fails on next access without a minute of waiting)
As suggested in the second link, clearing cache and authentication in the browser is a workaround that works. Kind of as one has to select the certificate again and do it before every click on a link.

Strange, just now it worked fine for a few minutes.

Is this some known issue?

Without APR, using JSSE, it works fine (and did so for years).

This started after upgrading yesterday tomcat from 6.0.35_x64 (no APR) to apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
I start tomcat from Eclipse, using JRE 1.6.0_45 (each 64 bit version).
 
Firefox version 39.0, today updated to 39.0.3

The Connector line from server.xml:

<Connector SSLCACertificateFile="C:/CA_list.pem"
	SSLCertificateFile="C:/key_public.pem"
	SSLCertificateKeyFile="C:/key_private.pem"
	SSLEnabled="true" SSLPassword="changeit" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
	SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150" port="8443"
	protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https"
	secure="true" />


Regards,
David Balažic

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Firefox SSL with APR - losing client certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

On 9/17/15 3:06 PM, David Balažic wrote:
> Anyone with experience debugging SSL issues (with APR or from 
> Firefox/Chrome side) ?

If you use Wireshark or a similar packet-capture rig, can you see
whether the browser is changing the way it sends its data?

With Wireshark, you can install the server's private key and then you
can read all the encrypted traffic. Wireshark will disassemble all the
packets and even give you rich information at the protocol-level about
what's in there. You can probably tell the difference between what
Firefox or Chrome sends to the server both before and after the "loss"
of the certificate.

- -chris


RE: Firefox SSL with APR - losing client certificate

Posted by David Balažic <da...@comtrade.com>.
Anyone with experience debugging SSL issues (with APR or from Firefox/Chrome side) ?

David Balažic


> -----Original Message-----
> From: David Balažic [mailto:david.balazic@comtrade.com]
> Sent: 10. September 2015 14:58
> To: users@tomcat.apache.org
> Subject: RE: Firefox SSL with APR - losing client certificate
> Importance: Low
> 
> Reported as Bug 58244 - two way SSL loses client certificate after a few
> requests
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=58244
> 
> 
> David Balažic
> 
> > -----Original Message-----
> > From: David Balažic
> > Sent: 7. August 2015 17:38
> > To: users@tomcat.apache.org
> > Subject: Firefox SSL with APR - losing client certificate
> > Importance: Low
> >
> > Hi!
> >
> > I use tomcat 6.0.44 with APR on Windows x64.
> > I set up SSLVerifyClient="optional" and since then encounter the following
> > problem with Firefox 39.0.03 (IE works OK):
> >
> > On first access Firefox shows the client certificate selection dialog. I select a
> > certificate and continue. The web application "sees" the selected certificate
> > and shows a proper response page.
> > But on next access (I click a link) the client certificate is not visible to the
> > application any more. It gets null from the method call
> > HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
> >
> > Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869
> > (similar)
> > And http://grokbase.com/t/tomcat/users/102pdv412y " [Tomcat-users]
> > Client certificate gone after 1 minute timeout (SSL, APR)"
> > (even more similar, except for me it fails on next access without a minute
> of
> > waiting)
> > As suggested in the second link, clearing cache and authentication in the
> > browser is a workaround that works. Kind of as one has to select the
> > certificate again and do it before every click on a link.
> >
> > Strange, just now it worked fine for a few minutes.
> >
> > Is this some known issue?
> >
> > Without APR, using JSSE, it works fine (and did so for years).
> >
> > This started after upgrading yesterday tomcat from 6.0.35_x64 (no APR) to
> > apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
> > I start tomcat from Eclipse, using JRE 1.6.0_45  (each 64 bit version).
> >
> > Firefox version 39.0, today updated to 39.0.3
> >
> > The Connector line from server.xml:
> >
> > <Connector SSLCACertificateFile="C:/CA_list.pem"
> > 	SSLCertificateFile="C:/key_public.pem"
> > 	SSLCertificateKeyFile="C:/key_private.pem"
> > 	SSLEnabled="true" SSLPassword="changeit"
> > SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
> > 	SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
> > port="8443"
> > 	protocol="org.apache.coyote.http11.Http11AprProtocol"
> > scheme="https"
> > 	secure="true" />
> >
> >
> > Regards,
> > David Balažic
> >


RE: Firefox SSL with APR - losing client certificate

Posted by David Balažic <da...@comtrade.com>.
Reported as Bug 58244 - two way SSL loses client certificate after a few requests

https://bz.apache.org/bugzilla/show_bug.cgi?id=58244


David Balažic

> -----Original Message-----
> From: David Balažic
> Sent: 7. August 2015 17:38
> To: users@tomcat.apache.org
> Subject: Firefox SSL with APR - losing client certificate
> Importance: Low
> 
> Hi!
> 
> I use tomcat 6.0.44 with APR on Windows x64.
> I set up SSLVerifyClient="optional" and since then encounter the following
> problem with Firefox 39.0.03 (IE works OK):
> 
> On first access Firefox shows the client certificate selection dialog. I select a
> certificate and continue. The web application "sees" the selected certificate
> and shows a proper response page.
> But on next access (I click a link) the client certificate is not visible to the
> application any more. It gets null from the method call
> HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
> 
> Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869
> (similar)
> And http://grokbase.com/t/tomcat/users/102pdv412y " [Tomcat-users]
> Client certificate gone after 1 minute timeout (SSL, APR)"
> (even more similar, except for me it fails on next access without a minute of
> waiting)
> As suggested in the second link, clearing cache and authentication in the
> browser is a workaround that works. Kind of as one has to select the
> certificate again and do it before every click on a link.
> 
> Strange, just now it worked fine for a few minutes.
> 
> Is this some known issue?
> 
> Without APR, using JSSE, it works fine (and did so for years).
> 
> This started after upgrading yesterday tomcat from 6.0.35_x64 (no APR) to
> apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
> I start tomcat from Eclipse, using JRE 1.6.0_45  (each 64 bit version).
> 
> Firefox version 39.0, today updated to 39.0.3
> 
> The Connector line from server.xml:
> 
> <Connector SSLCACertificateFile="C:/CA_list.pem"
> 	SSLCertificateFile="C:/key_public.pem"
> 	SSLCertificateKeyFile="C:/key_private.pem"
> 	SSLEnabled="true" SSLPassword="changeit"
> SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
> 	SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
> port="8443"
> 	protocol="org.apache.coyote.http11.Http11AprProtocol"
> scheme="https"
> 	secure="true" />
> 
> 
> Regards,
> David Balažic
> 


RE: Firefox SSL with APR - losing client certificate

Posted by David Balažic <da...@comtrade.com>.
It also happens with latest apache-tomcat-8.0.24-windows-x64.zip
Using this simple webapp:

In the webapps folder create a folder named "cert", there create a file named ccertA.jsp with contents:

<html>
<body>
<h3>client cert test - page A</h3>
User client cert data:
<%= ((java.security.cert.X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"))[0].getSubjectX500Principal().toString()%>
<p>
Check <a href="ccertB.jsp">page B</a>
<p>
Page served time: <%= new java.util.Date().toString() %>
</body>
</html>

Optionally create another file "ccertB.jsp" with the same content, except the "A" and "B" letters swapped.

In server.xml add a line:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
	secure="true" scheme="https" maxThreads="150" URIEncoding="UTF-8"
	SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
	SSLPassword="testing" SSLEnabled="true"
	SSLCertificateKeyFile="C:/your_server_key_private.pem"
	SSLCertificateFile="C:/your_server_key_public.pem"
	SSLCACertificateFile="C:/supported_client_CAs.pem" />

Then start with startup.bat and open the page https://localhost:8443/cert/ccertA.jsp and refresh it or click the link.
After a few clicks, instead of the page an error will be presented:

HTTP Status 500 - An exception occurred processing JSP page /ccertA.jsp at line 5

type Exception report

message An exception occurred processing JSP page /ccertA.jsp at line 5

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.apache.jasper.JasperException: An exception occurred processing JSP page /ccertA.jsp at line 5

2: <body>
3: <h3>client cert test - page A</h3>
4: User client cert data:
5: <%= ((java.security.cert.X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"))[0].getSubjectX500Principal().toString()%>
6: <p>
7: Check <a href="ccertB.jsp">page B</a>
8: <p>


Stacktrace:
	org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:574)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

root cause

java.lang.NullPointerException
	org.apache.jsp.ccertA_jsp._jspService(ccertA_jsp.java:93)
	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.24 logs.
Apache Tomcat/8.0.24


The error occurs in about 30 seconds after first load (keep refreshing or clicking every few seconds or so).

Tested with:
 - Chrome v44
 - Firefox v39.0.3 and v40

The problem does not occur with IE v11.

Regards,
David Balažic
Software Engineer
www.comtrade.com


> -----Original Message-----
> From: David Balažic [mailto:david.balazic@comtrade.com]
> Sent: 10. August 2015 19:30
> To: Tomcat Users List
> Subject: RE: Firefox SSL with APR - losing client certificate
> Importance: Low
> 
> > From: David Balažic [mailto:david.balazic@comtrade.com]
> >
> > > From: Christopher Schultz [mailto:chris@christopherschultz.net]
> > > Sent: 8. August 2015 14:33
> > >
> > > Quick question: this is with Tomcat only and no httpd out in front, right?
> >
> > Yes.
> 
> It is also the same if run independently (without Eclipse):
>  - extract apache-tomcat-6.0.44-windows-x64.zip
>  - set JAVA_HOME,CATALINA_HOME, CATALINA_BASE and CATALINA_OPTS
>  - copy war file into webapps folder
>  - copy ojdbc6_g-11.2.0.2.0.jar into lib folder (my WAR uses an Oracle
> database)
>  - execute startup.bat
> 
> Java is again 1.6.0_45 (x64).
> 
> It also happens with java version "1.8.0_51"
> Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
> Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)
> 
> 
> I also tested on another system with 32 bit Windows 7, apache-tomcat-
> 6.0.44-windows-x86.zip , with
> java version "1.6.0_12"
> Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
> Java HotSpot(TM) Client VM (build 11.2-b01, mixed mode, sharing)
> 
> Same problem (with FF, while IE works fine).
> 
> On the first system I also tried with Chrome: also has the problem.
> 
> Interestingly, on one occasion with FF the problem did not surface for long
> time (about 15 minutes of testing).
> Then I cleared the "Active Logins" (shift-ctrl-del) in Firefox and tried again:
> the problem occurred right on second HTTP(S) request.
> 
> Regards,
> David
> 
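The test JSP above dereferences the certificate array unconditionally, so the moment the connector stops supplying `javax.servlet.request.X509Certificate` the page fails with a NullPointerException and a 500. The following servlet filter is an added example, not code from the thread or from Tomcat: it reads the same attribute defensively, answers a missing certificate with a clear status instead of a 500, and logs the exact symptom reported here (a session that carried a certificate on an earlier request and now arrives without one) so the loss shows up in the logs rather than only in the browser. It assumes the javax.servlet API shipped with Tomcat 6.x/8.0; the package, class and session-attribute names are mine.

```java
// Added example (not from the thread or Tomcat): tolerate a missing client
// certificate and log when a session loses one it previously had.
// Assumes the javax.servlet API of Tomcat 6.x / 8.0; names below are hypothetical.
package example;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ClientCertCheckFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ClientCertCheckFilter.class.getName());

    // Standard Servlet request attribute, the same one the thread's JSP reads.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Session attribute (my name) remembering the subject seen on an earlier request.
    static final String SEEN_SUBJECT = "example.clientCertSubject";

    /** Returns the leaf client certificate, or null when the connector supplied none. */
    static X509Certificate clientCert(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;               // attribute absent or of an unexpected type
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0];
    }

    public void init(FilterConfig cfg) {}

    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        X509Certificate cert = clientCert(req);
        HttpSession session = req.getSession(true);
        String previous = (String) session.getAttribute(SEEN_SUBJECT);

        if (cert == null) {
            if (previous != null) {
                // The symptom from the thread: this session presented a certificate
                // before, but the connector reports none on the current request.
                LOG.warning("client certificate lost on " + req.getRequestURI()
                        + " from " + req.getRemoteAddr()
                        + " (earlier subject: " + previous + ")");
            }
            // Fail closed with an explicit status instead of a 500 from an NPE in the JSP.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        session.setAttribute(SEEN_SUBJECT, cert.getSubjectX500Principal().getName());
        chain.doFilter(request, response);
    }
}
```

Map the filter in the webapp's web.xml with a `<filter>` entry for `example.ClientCertCheckFilter` and a `<filter-mapping>` on `/cert/*` (or whatever paths need the certificate); the JSP behind it can then keep its cast, because it only runs when the attribute is present. Counting the "client certificate lost" warnings per client while reproducing with Firefox and IE gives a server-side measure of the problem that does not depend on reading 500 pages by hand.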


RE: Firefox SSL with APR - losing client certificate

Posted by David Balažic <da...@comtrade.com>.
> From: David Balažic [mailto:david.balazic@comtrade.com]
> 
> > From: Christopher Schultz [mailto:chris@christopherschultz.net]
> > Sent: 8. August 2015 14:33
> >
> > Quick question: this is with Tomcat only and no httpd out in front, right?
> 
> Yes.

It is also the same if run independently (without Eclipse):
 - extract apache-tomcat-6.0.44-windows-x64.zip
 - set JAVA_HOME,CATALINA_HOME, CATALINA_BASE and CATALINA_OPTS
 - copy war file into webapps folder
 - copy ojdbc6_g-11.2.0.2.0.jar into lib folder (my WAR uses an Oracle database)
 - execute startup.bat

Java is again 1.6.0_45 (x64).

It also happens with java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)


I also tested on another system with 32 bit Windows 7, apache-tomcat-6.0.44-windows-x86.zip , with 
java version "1.6.0_12"
Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
Java HotSpot(TM) Client VM (build 11.2-b01, mixed mode, sharing)

Same problem (with FF, while IE works fine).

On the first system I also tried with Chrome: also has the problem.

Interestingly, on one occasion with FF the problem did not surface for long time (about 15 minutes of testing).
Then I cleared the "Active Logins" (shift-ctrl-del) in Firefox and tried again: the problem occurred right on second HTTP(S) request.

Regards,
David



RE: Firefox SSL with APR - losing client certificate

Posted by David Balažic <da...@comtrade.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: 8. August 2015 14:33
> 
> Quick question: this is with Tomcat only and no httpd out in front, right?

Yes.

David



Re: Firefox SSL with APR - losing client certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

On 8/7/15 11:37 AM, David Balažic wrote:
> I use tomcat 6.0.44 with APR on Windows x64. I set up
> SSLVerifyClient="optional" and since then encounter the following
> problem with Firefox 39.0.03 (IE works OK):
> 
> On first access Firefox shows the client certificate selection
> dialog. I select a certificate and continue. The web application
> "sees" the selected certificate and show a proper response page. 
> But on next access (I click a link) the client certificate is not
> visible to the application any more. It gets null from the method
> call 
> HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
>
> Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869
> (similar) And http://grokbase.com/t/tomcat/users/102pdv412y "
> [Tomcat-users] Client certificate gone after 1 minute timeout (SSL,
> APR)" (even more similar, except for me it fails on next access
> without a minute of waiting) As suggested in the second link,
> clearing cache and authentication in the browser is a workaround
> that works. Kind of as one has to select the certificate again and
> do it before every click on a link.
> 
> Strange, just now it worked fine for a few minutes.
> 
> Is this some known issue?
> 
> Without APR, using JSSE, it works fine (and did so for years).
> 
> This started after upgrading yesterday tomcat from 6.0.35_x64 (no
> APR) to apache-tomcat-6.0.44-windows-x64.zip (with or without
> APR). I start tomcat from Eclipse, using JRE 1.6.0_45  (each 64 bit
> version).
> 
> Firefox version 39.0, today updated to 39.0.3
> 
> The Connector line from server.xml:
> 
> <Connector SSLCACertificateFile="C:/CA_list.pem" 
> SSLCertificateFile="C:/key_public.pem" 
> SSLCertificateKeyFile="C:/key_private.pem" SSLEnabled="true"
> SSLPassword="changeit" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" 
> SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
> port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
> scheme="https" secure="true" />

Quick question: this is with Tomcat only and no httpd out in front, right?

- -chris