[8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

Martynas Jusevičius
Hey list,

I need my webapp to accept all SSL client certificates and do its own
validation.

I'm upgrading server.xml from the JSSE SSL Connector which used
clientAuth="want" and a custom trustManagerClassName in order to do that.

The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
certificateVerification="optionalNoCA". I have done, and also using OpenSSL
implementation now:

    <Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
/>
        <SSLHostConfig certificateVerification="optionalNoCA">
            <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
                         certificateFile="/usr/local/ssl/tomcat.cert.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

However, I'm getting an exception that shows my client certificate is
validated and rejected by Tomcat/OpenSSL:

tomcat_1                         | https-openssl-apr-8443-exec-3, handling
exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
tomcat_1                         | https-openssl-apr-8443-exec-3,
IOException in getSession():  javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
tomcat_1                         | https-openssl-apr-8443-exec-3, called
close()
tomcat_1                         | https-openssl-apr-8443-exec-3, called
closeInternal(true)

Am I missing something? certificateVerification="optional" exhibits the
same behaviour.

Thanks.

Martynas
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

markt
On 30/07/17 21:35, Martynas Jusevičius wrote:

> Hey list,
>
> I need my webapp to accept all SSL client certificates and do its own
> validation.
>
> I'm upgrading server.xml from the JSSE SSL Connector which used
> clientAuth="want" and a custom trustManagerClassName in order to do that.
>
> The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
> certificateVerification="optionalNoCA". I have done, and also using OpenSSL
> implementation now:
>
>     <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
>                maxThreads="150" SSLEnabled="true" >
>         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> />
>         <SSLHostConfig certificateVerification="optionalNoCA">
>             <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
>                          certificateFile="/usr/local/ssl/tomcat.cert.pem"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
> However, I'm getting an exception that shows my client certificate is
> validated and rejected by Tomcat/OpenSSL:
>
> tomcat_1                         | https-openssl-apr-8443-exec-3, handling
> exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> tomcat_1                         | https-openssl-apr-8443-exec-3,
> IOException in getSession():  javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> tomcat_1                         | https-openssl-apr-8443-exec-3, called
> close()
> tomcat_1                         | https-openssl-apr-8443-exec-3, called
> closeInternal(true)
>
> Am I missing something? certificateVerification="optional" exhibits the
> same behaviour.

How is your tomcat-native binary built? If it has been built with OCSP
support then neither of the optional verification options will work
since OCSP validation will always fail.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

Martynas Jusevičius
Actually I am using Tomcat on Docker:
https://hub.docker.com/_/tomcat/

I do not really know the answer to your question :/

On Sun, 30 Jul 2017 at 23.12, Mark Thomas <[hidden email]> wrote:

> On 30/07/17 21:35, Martynas Jusevičius wrote:
> > Hey list,
> >
> > I need my webapp to accept all SSL client certificates and do its own
> > validation.
> >
> > I'm upgrading server.xml from the JSSE SSL Connector which used
> > clientAuth="want" and a custom trustManagerClassName in order to do that.
> >
> > The 8.5.16 docs indicate that this should be replaced with SSLHostConfig
> > certificateVerification="optionalNoCA". I have done, and also using
> OpenSSL
> > implementation now:
> >
> >     <Connector port="8443"
> > protocol="org.apache.coyote.http11.Http11AprProtocol"
> >                maxThreads="150" SSLEnabled="true" >
> >         <UpgradeProtocol
> className="org.apache.coyote.http2.Http2Protocol"
> > />
> >         <SSLHostConfig certificateVerification="optionalNoCA">
> >             <Certificate
> certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
> >                          certificateFile="/usr/local/ssl/tomcat.cert.pem"
> >                          type="RSA" />
> >         </SSLHostConfig>
> >     </Connector>
> >
> > However, I'm getting an exception that shows my client certificate is
> > validated and rejected by Tomcat/OpenSSL:
> >
> > tomcat_1                         | https-openssl-apr-8443-exec-3,
> handling
> > exception: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> > valid certification path to requested target
> > tomcat_1                         | https-openssl-apr-8443-exec-3,
> > IOException in getSession():  javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> > valid certification path to requested target
> > tomcat_1                         | https-openssl-apr-8443-exec-3, called
> > close()
> > tomcat_1                         | https-openssl-apr-8443-exec-3, called
> > closeInternal(true)
> >
> > Am I missing something? certificateVerification="optional" exhibits the
> > same behaviour.
>
> How is your tomcat-native binary built? If it has been built with OCSP
> support then neither of the optional verification options will work
> since OCSP validation will always fail.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

Christopher Schultz-2
In reply to this post by Martynas Jusevičius
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Martynas,

On 7/30/17 4:35 PM, Martynas Jusevičius wrote:

> Hey list,
>
> I need my webapp to accept all SSL client certificates and do its
> own validation.
>
> I'm upgrading server.xml from the JSSE SSL Connector which used
> clientAuth="want" and a custom trustManagerClassName in order to do
> that.
>
> The 8.5.16 docs indicate that this should be replaced with
> SSLHostConfig certificateVerification="optionalNoCA". I have done,
> and also using OpenSSL implementation now:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="150" SSLEnabled="true" > <UpgradeProtocol
> className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig
> certificateVerification="optionalNoCA"> <Certificate
> certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
> certificateFile="/usr/local/ssl/tomcat.cert.pem" type="RSA" />
> </SSLHostConfig> </Connector>
>
> However, I'm getting an exception that shows my client certificate
> is validated and rejected by Tomcat/OpenSSL:
>
> tomcat_1                         | https-openssl-apr-8443-exec-3,
> handling exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> tomcat_1                         | https-openssl-apr-8443-exec-3,
> IOException in getSession():  javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> tomcat_1                         | https-openssl-apr-8443-exec-3,
> called close() tomcat_1                         |
> https-openssl-apr-8443-exec-3, called closeInternal(true)
>
> Am I missing something? certificateVerification="optional" exhibits
> the same behaviour.

Can you please post the complete stack trace?

You don't have a trust store configured. Is that intentional?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZf3xgAAoJEBzwKT+lPKRY7aUP/AtH3vUr3BbkCEDh6xKPtbr/
uy0VLj2obvNa793kuv9l8bWa/GIZZCmcH3X8obmaOA3mgT0N5kFTgwsVLXJHymCg
bNI4LZl1ALJXvepxjz7+Ni4vgyjwybNEN2WE19qkJBjazK6hIRVvAb3YBvHS8F6D
BCNj1ZgmN28DzsbbkP+JQ6IfURBqKm11U/PYZ3hVmefSTvhL/OrclHHfr4gFVM9N
x5xGDZUVVtwvObQYSajyPylZ7t4EB72lzILGpiZ2jRARa9inpGRPQf0JbpzWBTxD
kRCWZ58hfvcYAUXOXCpa0NR1fQpSWUMi/oIR19pebr1hXiNNyXurIHtn5aowZlYm
054G9ynFWEd5cKYGxOv3QrG2GDNkdckUaQKfih7pu7rZ9v31dUkGv5G/tuUh79NP
J25l0p8oguUsK0cDmlS3obDcWTFipzig+l9GJtymp5JW9dPNKvCXJpAtZIl4Ldkh
RO97uYE5T8ax6/svNq7VHM/aJEUXFFccvrtx3EgOGVF2xEBMc2VyYZJfgytqWZsy
qBOQJVcR9O5xyVzboC7YFfSyyA/1TxKvCmjsI/C2Mq4mFFuhdXRy16DYuTiTtLaz
Z8SoxSDiUPt2u0hbQIAf5I2wYjgvF54sXd2IjE2ms+hS9JHah9p3WF1C6U/F+sUQ
962NiU9VCGVGmJuYHVLg
=XNGJ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...