[Bug 64141] New: APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug 64141] New: APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

            Bug ID: 64141
           Summary: APR SSL: Required certificate verification uses
                    -Djavax.net.ssl.trustStore instead of
                    caCertificateFile
           Product: Tomcat 8
           Version: 8.5.51
          Hardware: PC
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Connectors
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ----

I have the followong server.xml configuration to enforce a client certificate
verification:

>    <Connector port="27247" server="Apache" protocol="org.apache.coyote.http11.Http11AprProtocol"
>               connectionTimeout="20000"
>               compression="force"
>               maxThreads="400"
>               scheme="https" secure="true" SSLEnabled="true">
>      <SSLHostConfig caCertificateFile="D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\ca.pem"
>                     disableCompression ="true" disableSessionTickets="true"
>                     certificateVerification="require" protocols="TLSv1.2">
>        <Certificate certificateFile="D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\server.pem"
>                     certificateKeyFile="D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\server.key"
>                     certificateKeyPassword="mysecret" />
>      </SSLHostConfig>
>    </Connector>

The Tomcat Java options contain:

>-Djavax.net.ssl.trustStore=D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\truststore.jks
>-Djavax.net.ssl.trustStorePassword=mysecret
>-Djavax.net.ssl.trustStoreType=JKS
>-Djavax.net.ssl.keyStore=D:\Program Files\Apache Software Foundation\Tomcat8_BackEnd_Test\cert\client.pfx
>-Djavax.net.ssl.keyStorePassword=mysecret
>-Djavax.net.ssl.keyStoreType=PKCS12

Suppose the ca.pem contains a CA named A, so I would expect that the client
certificate chain must be approved by A.
But here all client certificate chains are accepted which are covered by the
truststore.jks in the Tomcat Java options.

In my opinion only the caCertificateFile from the server.xml should be used as
the trust anchor.

I have not tested if caCertificateFile and -Djavax.net.ssl.trustStore are used
together (mixed) or if -Djavax.net.ssl.trustStore simply overwrites
caCertificateFile.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64141] APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

Martin Wegner <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
                 OS|                            |All

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64141] APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

Christopher Schultz <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Christopher Schultz <[hidden email]> ---
Are you using OpenSSL? The caCertificateFile configuration option is only
applicable if you are using the OpenSSL crypto engine.

From your description, I believe you have an incorrect configuration. You want
to set:

truststoreFile="D:\Program Files\Apache Software
Foundation\Tomcat8_BackEnd_Test\cert\ca.pem" (but convert this file into a
keystore)

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64141] APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

Remy Maucherat <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #2 from Remy Maucherat <[hidden email]> ---
The configuration looks ok to me in theory as APR will use caCertificateFile.

However, if you look at SSLHostConfig, you can notice that:
private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
So the system property sets truststoreFile, which is then used to get the trust
managers (and caCertificateFile is then not used at all).

IMO: bad luck, this may be a WONTFIX.

The workaround mentioned by Chris by creating a keystore is correct, since
setting truststoreFile will override the value from the system property.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64141] APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

--- Comment #3 from Martin Wegner <[hidden email]> ---
(In reply to Christopher Schultz from comment #1)
> Are you using OpenSSL? The caCertificateFile configuration option is only
> applicable if you are using the OpenSSL crypto engine.
>
> From your description, I believe you have an incorrect configuration. You
> want to set:
>
> truststoreFile="D:\Program Files\Apache Software
> Foundation\Tomcat8_BackEnd_Test\cert\ca.pem" (but convert this file into a
> keystore)

I use the Windows binaries, so it is Tomcat Native APR and OpenSSL.
This is the reason why I only use OpenSSL configuration parameters and no JSSE
configuration parameters. truststoreFile is a JSSE only configuration parameter
(https://tomcat.apache.org/tomcat-8.5-doc/config/http.html).

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64141] APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

--- Comment #4 from Martin Wegner <[hidden email]> ---
(In reply to Remy Maucherat from comment #2)

> The configuration looks ok to me in theory as APR will use caCertificateFile.
>
> However, if you look at SSLHostConfig, you can notice that:
> private String truststoreFile =
> System.getProperty("javax.net.ssl.trustStore");
> So the system property sets truststoreFile, which is then used to get the
> trust managers (and caCertificateFile is then not used at all).
>
> IMO: bad luck, this may be a WONTFIX.
>
> The workaround mentioned by Chris by creating a keystore is correct, since
> setting truststoreFile will override the value from the system property.

I checked the source code and you are right. When the JSSE only parameters
truststoreFile and truststorePassword are set, then the caCertificateFile would
be ignored and the provided truststore would be used. If this is intended, then
the documentation should be updated.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64141] APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

--- Comment #5 from Remy Maucherat <[hidden email]> ---
(In reply to Martin Wegner from comment #4)
> I checked the source code and you are right. When the JSSE only parameters
> truststoreFile and truststorePassword are set, then the caCertificateFile
> would be ignored and the provided truststore would be used. If this is
> intended, then the documentation should be updated.

This is by accident right now, so we need to decide if this is labelled as
"intended" [I hope you don't have a problem with retcons if your shows, because
we do it here as well :) ] or if it should be fixed. The two attributes
caCertificateFile and truststoreFile could reset the other to null (if it not
null) and WARN about it since they are mutually exclusive.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64141] APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

Remy Maucherat <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #6 from Remy Maucherat <[hidden email]> ---
Since the TLS configuration types for the properties are not the same, it
seemed possible to fix it. The fix will be in 10.0.0-M2, 9.0.32 and 8.5.52.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64141] APR SSL: Required certificate verification uses -Djavax.net.ssl.trustStore instead of caCertificateFile

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64141

--- Comment #7 from Martin Wegner <[hidden email]> ---
(In reply to Remy Maucherat from comment #6)
> Since the TLS configuration types for the properties are not the same, it
> seemed possible to fix it. The fix will be in 10.0.0-M2, 9.0.32 and 8.5.52.

Thank you, looks good to me. I will test it after the release of 8.5.52.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]