Tomcat 9: Client Certificate verification setting with optional is not working

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Tomcat 9: Client Certificate verification setting with optional is not working

Palod, Manish-2
Hi,

We are in process of migrating from Tomcat 7 to Tomcat 9.
We use cert-based client authentication in our application,  support password-based and cert-based authentication.

For this purpose, we are setting certificateVerification="optional" attribute in SSLHostConfig Element of Server.xml [in Tomcat 7, we were setting clientAuth="want" ]


<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
                   address="0.0.0.0"
                   maxPostSize="10485760"
                   URIEncoding="UTF-8" server=" ">
            <SSLHostConfig
                    truststoreFile="${tomcat.bind.truststore}" truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
                    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                    certificateVerification="optional" sslProtocol="TLS"
                    protocols="TLSv1.2">
                <Certificate certificateKeystoreFile="${tomcat.bind.keystore}" certificateKeystorePassword ="${tomcat.bind.keystorepass}"
                             type="RSA" />
            </SSLHostConfig>
</Connector>

When I am trying to access application from browser, where client certificate is available, this use case is not working with setting(certificateVerification="optional"), Tomcat is not requesting for client cert.
If I change this setting to certificateVerification="required", then this functionality is working as it was working with Tomcat 7.


Can someone help in understanding why Tomcat 9, setting with "optional" value not working.

As per Tomcat 9 SSLHostConfig documentation<https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig>, client authentication with optional setting should work?

certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.


Regards
Manish
Reply | Threaded
Open this post in threaded view
|

Re: Tomcat 9: Client Certificate verification setting with optional is not working

Mark Thomas-2
On 04/05/2021 18:17, Palod, Manish wrote:

> Hi,
>
> We are in process of migrating from Tomcat 7 to Tomcat 9.
> We use cert-based client authentication in our application,  support password-based and cert-based authentication.
>
> For this purpose, we are setting certificateVerification="optional" attribute in SSLHostConfig Element of Server.xml [in Tomcat 7, we were setting clientAuth="want" ]
>
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                     maxThreads="150" SSLEnabled="true" scheme="https" secure="true" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
>                     address="0.0.0.0"
>                     maxPostSize="10485760"
>                     URIEncoding="UTF-8" server=" ">
>              <SSLHostConfig
>                      truststoreFile="${tomcat.bind.truststore}" truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
>                      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
>                      certificateVerification="optional" sslProtocol="TLS"
>                      protocols="TLSv1.2">
>                  <Certificate certificateKeystoreFile="${tomcat.bind.keystore}" certificateKeystorePassword ="${tomcat.bind.keystorepass}"
>                               type="RSA" />
>              </SSLHostConfig>
> </Connector>
>
> When I am trying to access application from browser, where client certificate is available, this use case is not working with setting(certificateVerification="optional"), Tomcat is not requesting for client cert.
> If I change this setting to certificateVerification="required", then this functionality is working as it was working with Tomcat 7.
>
>
> Can someone help in understanding why Tomcat 9, setting with "optional" value not working.

I've just tested this locally and certificateVerification="optional" is
working as expected.

Are you testing with a private browsing window? Browsers can sometimes
be "helpful" and cache things between sessions. After opting not to
provide a certificate once, I wasn't prompted gain until I used a
private window or cleared out the cache.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Tomcat 9: Client Certificate verification setting with optional is not working

Palod, Manish-2
Hi Mark,

Thank you for your suggestion. We will try with private browsing mode.
No, we tried in normal browsing mode only. Our issue with optional applies to very first-time access only.
When we tried with certificateVerification="required" first, we were prompted with Client certificate, after that we changed the settings back to "optional" and still application is working with client certificate, and that is due to client certificate is available in cache.

Regards
Manish
-----Original Message-----
From: Mark Thomas <[hidden email]>
Sent: Wednesday, May 5, 2021 1:47 AM
To: [hidden email]
Subject: Re: Tomcat 9: Client Certificate verification setting with optional is not working

CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

On 04/05/2021 18:17, Palod, Manish wrote:

> Hi,
>
> We are in process of migrating from Tomcat 7 to Tomcat 9.
> We use cert-based client authentication in our application,  support password-based and cert-based authentication.
>
> For this purpose, we are setting certificateVerification="optional"
> attribute in SSLHostConfig Element of Server.xml [in Tomcat 7, we were
> setting clientAuth="want" ]
>
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                     maxThreads="150" SSLEnabled="true" scheme="https" secure="true" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
>                     address="0.0.0.0"
>                     maxPostSize="10485760"
>                     URIEncoding="UTF-8" server=" ">
>              <SSLHostConfig
>                      truststoreFile="${tomcat.bind.truststore}" truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
>                      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
>                      certificateVerification="optional" sslProtocol="TLS"
>                      protocols="TLSv1.2">
>                  <Certificate certificateKeystoreFile="${tomcat.bind.keystore}" certificateKeystorePassword ="${tomcat.bind.keystorepass}"
>                               type="RSA" />
>              </SSLHostConfig>
> </Connector>
>
> When I am trying to access application from browser, where client certificate is available, this use case is not working with setting(certificateVerification="optional"), Tomcat is not requesting for client cert.
> If I change this setting to certificateVerification="required", then this functionality is working as it was working with Tomcat 7.
>
>
> Can someone help in understanding why Tomcat 9, setting with "optional" value not working.

I've just tested this locally and certificateVerification="optional" is working as expected.

Are you testing with a private browsing window? Browsers can sometimes be "helpful" and cache things between sessions. After opting not to provide a certificate once, I wasn't prompted gain until I used a private window or cleared out the cache.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Tomcat 9: Client Certificate verification setting with optional is not working

Palod, Manish-2
Hi,

We further debugged the issue and narrowed down the issue to dynamic update of Truststore. We add certificate into TrustStore dynamically. We have to restart the server to use the newly added certificate.
This was working fine with Tomcat 7.

Are we missing any configuration detail or any other details required by Tomcat 9 for this use case?

Regards
Manish

-----Original Message-----
From: Palod, Manish
Sent: Wednesday, May 5, 2021 9:21 AM
To: Tomcat Users List <[hidden email]>
Subject: RE: Tomcat 9: Client Certificate verification setting with optional is not working

Hi Mark,

Thank you for your suggestion. We will try with private browsing mode.
No, we tried in normal browsing mode only. Our issue with optional applies to very first-time access only.
When we tried with certificateVerification="required" first, we were prompted with Client certificate, after that we changed the settings back to "optional" and still application is working with client certificate, and that is due to client certificate is available in cache.

Regards
Manish
-----Original Message-----
From: Mark Thomas <[hidden email]>
Sent: Wednesday, May 5, 2021 1:47 AM
To: [hidden email]
Subject: Re: Tomcat 9: Client Certificate verification setting with optional is not working

CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

On 04/05/2021 18:17, Palod, Manish wrote:

> Hi,
>
> We are in process of migrating from Tomcat 7 to Tomcat 9.
> We use cert-based client authentication in our application,  support password-based and cert-based authentication.
>
> For this purpose, we are setting certificateVerification="optional"
> attribute in SSLHostConfig Element of Server.xml [in Tomcat 7, we were
> setting clientAuth="want" ]
>
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                     maxThreads="150" SSLEnabled="true" scheme="https" secure="true" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
>                     address="0.0.0.0"
>                     maxPostSize="10485760"
>                     URIEncoding="UTF-8" server=" ">
>              <SSLHostConfig
>                      truststoreFile="${tomcat.bind.truststore}" truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
>                      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
>                      certificateVerification="optional" sslProtocol="TLS"
>                      protocols="TLSv1.2">
>                  <Certificate certificateKeystoreFile="${tomcat.bind.keystore}" certificateKeystorePassword ="${tomcat.bind.keystorepass}"
>                               type="RSA" />
>              </SSLHostConfig>
> </Connector>
>
> When I am trying to access application from browser, where client certificate is available, this use case is not working with setting(certificateVerification="optional"), Tomcat is not requesting for client cert.
> If I change this setting to certificateVerification="required", then this functionality is working as it was working with Tomcat 7.
>
>
> Can someone help in understanding why Tomcat 9, setting with "optional" value not working.

I've just tested this locally and certificateVerification="optional" is working as expected.

Are you testing with a private browsing window? Browsers can sometimes be "helpful" and cache things between sessions. After opting not to provide a certificate once, I wasn't prompted gain until I used a private window or cleared out the cache.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Tomcat 9: Client Certificate verification setting with optional is not working

Mark Thomas-2
On 08/05/2021 18:26, Palod, Manish wrote:
> Hi,
>
> We further debugged the issue and narrowed down the issue to dynamic update of Truststore. We add certificate into TrustStore dynamically. We have to restart the server to use the newly added certificate.
> This was working fine with Tomcat 7.

I'm surprised that worked.

> Are we missing any configuration detail or any other details required by Tomcat 9 for this use case?

I'd expect you top have to reload the TLS config to pickup the changes.
You can do that via JMX or the Manager app.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Tomcat 9: Client Certificate verification setting with optional is not working

Christopher Schultz-2
Mark and Manish,

On 5/10/21 13:11, Mark Thomas wrote:

> On 08/05/2021 18:26, Palod, Manish wrote:
>> Hi,
>>
>> We further debugged the issue and narrowed down the issue to dynamic
>> update of Truststore. We add certificate into TrustStore dynamically.
>> We have to restart the server to use the newly added certificate.
>> This was working fine with Tomcat 7.
>
> I'm surprised that worked.
>
>> Are we missing any configuration detail or any other details required
>> by Tomcat 9 for this use case?
>
> I'd expect you top have to reload the TLS config to pickup the changes.
> You can do that via JMX or the Manager app.

... without having to restart Tomcat. :)

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]