Posted to users@tomcat.apache.org by Martynas Jusevičius <ma...@atomgraph.com> on 2017/07/30 20:35:24 UTC
[8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?
Hey list,
I need my webapp to accept all SSL client certificates and do its own
validation.
I'm upgrading server.xml from the JSSE SSL Connector which used
clientAuth="want" and a custom trustManagerClassName in order to do that.
The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
certificateVerification="optionalNoCA". I have done so, and I am also using the
OpenSSL implementation now:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig certificateVerification="optionalNoCA">
        <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
                     certificateFile="/usr/local/ssl/tomcat.cert.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
However, I'm getting an exception that shows my client certificate is
validated and rejected by Tomcat/OpenSSL:
tomcat_1 | https-openssl-apr-8443-exec-3, handling
exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
tomcat_1 | https-openssl-apr-8443-exec-3,
IOException in getSession(): javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
tomcat_1 | https-openssl-apr-8443-exec-3, called
close()
tomcat_1 | https-openssl-apr-8443-exec-3, called
closeInternal(true)
Am I missing something? certificateVerification="optional" exhibits the
same behaviour.
Thanks.
Martynas
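One way to do the application-side validation the original post asks for, as an added example that is not code from this thread or from Tomcat: a servlet filter that reads the chain Tomcat exposes through the javax.servlet.request.X509Certificate attribute and validates it against a CA the webapp manages itself, so the connector can stay at certificateVerification="optionalNoCA". The filter name ClientCertFilter and the WEB-INF/app-ca.pem location are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: with certificateVerification="optionalNoCA" Tomcat finishes the
// handshake without checking the client cert, so the webapp checks the chain itself here.
@WebFilter("/*")
public class ClientCertFilter implements Filter {
    // Servlet-spec attribute Tomcat fills with the client chain (leaf first), for JSSE and OpenSSL alike.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private Set<TrustAnchor> anchors;
    @Override public void init(FilterConfig cfg) throws ServletException {
        // Assumed path: the webapp ships its own issuing CA at WEB-INF/app-ca.pem.
        try (InputStream in = cfg.getServletContext().getResourceAsStream("/WEB-INF/app-ca.pem")) {
            if (in == null) throw new ServletException("WEB-INF/app-ca.pem not found");
            X509Certificate ca = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            anchors = Collections.singleton(new TrustAnchor(ca, null));
        } catch (IOException | CertificateException e) {
            throw new ServletException("cannot load application CA", e);
        }
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // optionalNoCA also admits clients that present no certificate at all.
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certs));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // no OCSP/CRL; signatures and validity dates are still checked
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (GeneralSecurityException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not accepted");
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void destroy() { }
}
```

Because revocation checking is disabled here, the application has to handle revocation itself (for example by an application-managed deny list keyed on issuer and serial), which is exactly the tradeoff the thread's OCSP remark touches on.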
Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?
Posted by Martynas Jusevičius <ma...@atomgraph.com>.
Actually I am using Tomcat on Docker:
https://hub.docker.com/_/tomcat/
I do not really know the answer to your question :/
On Sun, 30 Jul 2017 at 23.12, Mark Thomas <ma...@apache.org> wrote:
> On 30/07/17 21:35, Martynas Jusevičius wrote:
> > Hey list,
> >
> > I need my webapp to accept all SSL client certificates and do its own
> > validation.
> >
> > I'm upgrading server.xml from the JSSE SSL Connector which used
> > clientAuth="want" and a custom trustManagerClassName in order to do that.
> >
> > The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
> > certificateVerification="optionalNoCA". I have done so, and I am also using
> > the OpenSSL implementation now:
> >
> > <Connector port="8443"
> >            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >            maxThreads="150" SSLEnabled="true" >
> >     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> >     <SSLHostConfig certificateVerification="optionalNoCA">
> >         <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
> >                      certificateFile="/usr/local/ssl/tomcat.cert.pem"
> >                      type="RSA" />
> >     </SSLHostConfig>
> > </Connector>
> >
> > However, I'm getting an exception that shows my client certificate is
> > validated and rejected by Tomcat/OpenSSL:
> >
> > tomcat_1 | https-openssl-apr-8443-exec-3,
> handling
> > exception: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> > valid certification path to requested target
> > tomcat_1 | https-openssl-apr-8443-exec-3,
> > IOException in getSession(): javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> > valid certification path to requested target
> > tomcat_1 | https-openssl-apr-8443-exec-3, called
> > close()
> > tomcat_1 | https-openssl-apr-8443-exec-3, called
> > closeInternal(true)
> >
> > Am I missing something? certificateVerification="optional" exhibits the
> > same behaviour.
>
> How is your tomcat-native binary built? If it has been built with OCSP
> support then neither of the optional verification options will work
> since OCSP validation will always fail.
>
> Mark
>
Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?
Posted by Mark Thomas <ma...@apache.org>.
On 30/07/17 21:35, Martynas Jusevičius wrote:
> Hey list,
>
> I need my webapp to accept all SSL client certificates and do its own
> validation.
>
> I'm upgrading server.xml from the JSSE SSL Connector which used
> clientAuth="want" and a custom trustManagerClassName in order to do that.
>
> The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
> certificateVerification="optionalNoCA". I have done so, and I am also using
> the OpenSSL implementation now:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true" >
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig certificateVerification="optionalNoCA">
>         <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
>                      certificateFile="/usr/local/ssl/tomcat.cert.pem"
>                      type="RSA" />
>     </SSLHostConfig>
> </Connector>
>
> However, I'm getting an exception that shows my client certificate is
> validated and rejected by Tomcat/OpenSSL:
>
> tomcat_1 | https-openssl-apr-8443-exec-3, handling
> exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3,
> IOException in getSession(): javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, called
> close()
> tomcat_1 | https-openssl-apr-8443-exec-3, called
> closeInternal(true)
>
> Am I missing something? certificateVerification="optional" exhibits the
> same behaviour.
How is your tomcat-native binary built? If it has been built with OCSP
support then neither of the optional verification options will work
since OCSP validation will always fail.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Martynas,
On 7/30/17 4:35 PM, Martynas Jusevičius wrote:
> Hey list,
>
> I need my webapp to accept all SSL client certificates and do its
> own validation.
>
> I'm upgrading server.xml from the JSSE SSL Connector which used
> clientAuth="want" and a custom trustManagerClassName in order to do
> that.
>
> The 8.5.16 docs indicate that this should be replaced with
> SSLHostConfig certificateVerification="optionalNoCA". I have done so,
> and I am also using the OpenSSL implementation now:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true" >
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig certificateVerification="optionalNoCA">
>         <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
>                      certificateFile="/usr/local/ssl/tomcat.cert.pem"
>                      type="RSA" />
>     </SSLHostConfig>
> </Connector>
>
> However, I'm getting an exception that shows my client certificate
> is validated and rejected by Tomcat/OpenSSL:
>
> tomcat_1 | https-openssl-apr-8443-exec-3,
> handling exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3,
> IOException in getSession(): javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, called close()
> tomcat_1 | https-openssl-apr-8443-exec-3, called closeInternal(true)
>
> Am I missing something? certificateVerification="optional" exhibits
> the same behaviour.
Can you please post the complete stack trace?
You don't have a trust store configured. Is that intentional?
-chris