Posted to dev@tomcat.apache.org by bu...@apache.org on 2007/01/16 17:40:23 UTC

DO NOT REPLY [Bug 41382] New: - SSL Client certificate not present in servlet attribute "javax.servlet.request.X509Certificate" when using APR connector

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41382>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41382

           Summary: SSL Client certificate not present in servlet attribute
                    "javax.servlet.request.X509Certificate" when using APR
                    connector
           Product: Tomcat 5
           Version: 5.5.20
          Platform: All
        OS/Version: Windows XP
            Status: NEW
          Keywords: PatchAvailable
          Severity: normal
          Priority: P2
         Component: Connector:HTTP
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: cpierret@sparus-software.com


When using the APR/native HTTPS connector, based on OpenSSL, if the client connects
to the HTTPS connector with a valid client certificate, the client X509 certificate
is not present in the array of certificates in the
javax.servlet.request.X509Certificate ServletRequest attribute; only
certificates from the CAs in the certification chain are present. If no CA
certificate is sent by the client then the attribute is null.
 
This is not compliant with Servlet Specification v2.3, in the section "SRV.4.7
SSL Attributes" which states:
"If there is an SSL certificate associated with the request, it must be exposed
by the servlet container to the servlet programmer as an array of objects of
type java.security.cert.X509Certificate and accessible via a ServletRequest
attribute of javax.servlet.request.X509Certificate.
The order of this array is defined as being in ascending order of trust. The
first certificate in the chain is the one set by the client, the next is the one
used to authenticate the first, and so on."

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
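
Added example (not part of the bug report or of Tomcat's code): a shape check an application can run on the javax.servlet.request.X509Certificate array before treating chain[0] as the client's identity, catching the two outcomes reported above (a null attribute, or an array that starts with a CA certificate). The class and method names are hypothetical, and the check covers ordering only, not signatures or trust.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

// Hypothetical helper, not Tomcat code.
public class ClientCertChainCheck {

    /**
     * Returns null when the array has the shape SRV.4.7 describes, otherwise
     * a short reason. Pass in the value of the
     * javax.servlet.request.X509Certificate request attribute.
     */
    public static String problemWith(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return "no certificate exposed for this request";
        }
        // getBasicConstraints() returns -1 unless the certificate is marked
        // as a CA; a CA certificate without the extension also returns -1,
        // so this catches the common case only.
        if (chain[0].getBasicConstraints() != -1) {
            return "chain[0] is a CA certificate, not the client's: "
                    + chain[0].getSubjectX500Principal();
        }
        // Ascending order of trust: each entry is issued by the next one.
        for (int i = 0; i + 1 < chain.length; i++) {
            if (!chain[i].getIssuerX500Principal()
                    .equals(chain[i + 1].getSubjectX500Principal())) {
                return "chain[" + i + "] was not issued by chain[" + (i + 1) + "]";
            }
        }
        return null;
    }

    // Stand-alone use on a PEM file holding the chain as the container
    // exposed it: java ClientCertChainCheck chain.pem
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            Collection<?> certs = cf.generateCertificates(in);
            X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
            String problem = problemWith(chain);
            System.out.println(problem == null ? "chain order OK" : problem);
        }
    }
}
```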


DO NOT REPLY [Bug 41382] - SSL Client certificate not present in servlet attribute "javax.servlet.request.X509Certificate" when using APR connector

Posted by bu...@apache.org.

cpierret@sparus-software.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE




------- Additional Comments From cpierret@sparus-software.com  2007-01-17 15:12 -------
Duplicate of http://issues.apache.org/bugzilla/show_bug.cgi?id=37869

*** This bug has been marked as a duplicate of 37869 ***



DO NOT REPLY [Bug 41382] - SSL Client certificate not present in servlet attribute "javax.servlet.request.X509Certificate" when using APR connector

Posted by bu...@apache.org.

------- Additional Comments From cpierret@sparus-software.com  2007-01-16 08:42 -------
Created an attachment (id=19414)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=19414&action=view)
A patch fixing the bug

This patch is working for me (tested/validated in my company), and will be
deployed as part of a commercial product based on Tomcat 5.5.20.
