Re: Client certificate gone after 1 minute timeout (SSL, APR)

2010-02-23 Thread Andrey D 
Hi, Albert.
I do not know how to help you, but you can help me with SSL + Tomcat.
I saw You made an two-sided SSL with default tomcat connector, and I'd like
to ask you about this:
What steps have you done to make it work?
If you can, please help.

Thanks..

On Mon, Feb 22, 2010 at 2:16 PM, Albert Tumanov  wrote:

> Dear colleagues,
>
> I'm chasing a strange problem with Tomcat + SSL + APR + Firefox.
>
> Namely, the setup works perfectly (i.e. the client certificate is sent
> and the servlet application can get it).
> But if I allow the SSL connection to time out (it happens 1 minute
> after the last request), the servlet application does not get the
> client certificate anymore.
>
> The workaround is to clear Firefox cache (Tools - Clear Recent History
> - 1 hour, Active logins).
> After this, the application will work again until the next timeout.
>
> This problem does NOT occur if I use pure Java SSL config (no APR) or
> when I use browser other that Firefox.
>
> From that you can imply that this might be a Firefox problem, but I'm
> not so sure.
> Firefox works perfectly with all other HTTPS sites and also pure Java
> SSL config works with Firefox.
> So obviously this problem occurs because Tomcat libnative fails to
> handle some peculiarities of Firefox SSL packets.
>
> Here is my exact setup:
> - Debian 5 (Lenny)
> - libapr1 1.2.12-5+lenny1
> - openssl  0.9.8g-15+lenny6
> - Tomcat 6.0.24 with tomcat-native-1.1.19
> - server authentication certificates (newcert.pem, newkey-no-password.pem)
> - client authentication certificates (cas.crt and a personal
> certificate signed by that)
> - a simple servlet "ssltest" to get the client cert:
>   writer.println(Arrays.deepToString((X509Certificate[])
> request.getAttribute("javax.servlet.request.X509Certificate")));
> - Firefox 3.6
>
> The only change in server.xml is the connector conf:
>
>   maxThreads="150" scheme="https" secure="true"
>   SSLCertificateFile="${user.home}/newcert.pem"
>   SSLCertificateKeyFile="${user.home}/newkey-no-password.pem"
>   SSLVerifyClient="require"
>   SSLVerifyDepth="2"
>   SSLCACertificateFile="${user.home}/cas.crt"
>   />
>
> Now steps to reproduce:
> 1) go to https://localhost:8443/ssltest, it will show the client
> certificate
> 2) wait 1 minute
> 3) refresh browser - the application will not get the client certificate
>  (request.getAttribute("javax.servlet.request.X509Certificate") returns
> null)
>
> I have traced the SSL packets using "ssltap -sxlp 8444 localhost:8443"
> It shows that 1 minute after the last request, there will be "Read EOF
> on Server socket".
> After that, the problem starts occuring.
>
> I have compared ssltap traces for Firefox and Safari.
> They look pretty similar.
> The only significant difference is that Safari seems to terminate the
> connection by sending SSL alert packet.
> In case of Firefox, it is the Tomcat server who sends the first SSL
> alert packet.
>
> I hope somebody can shed a light on that issue :)
>
> Best Regards,
> Albert
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: SSL % tomcat 6.0

2010-02-16 Thread Andrey D 
Sorry, but I can't use apache httpd separately... only tomcat.. :(

someone said me:

> ok, I think the solution is this 
> create a CA ... then, import the CA public key into key-store
> sign each client certificate with CA private key ..
> I believe this will mean that when Tomcat requests client certificate, it
can be checked against the CA public key in keystore ...
> have a look at this ..

what do you think about it?
and if it helps... how to do it
Thanks!

On Tue, Feb 16, 2010 at 1:40 PM, Mikolaj Rydzewski  wrote:

> Andrey D wrote:
>
>> I have a small troubles with SSL certificates integration for tomcat 6.0.
>> Of course I've read the FAQ and SSL tutorial but my situation is not
>> described in that help sheets in details...
>>
>>
> Well, maybe it does not address your problem directly. I found it's much
> easier to work with following configuration:
>
> apache httpd (+ SSL) -> mod_proxy_ajp -> tomcat
>
> AJP connector is aware of SSL being used by apache.
>
> --
> Mikolaj Rydzewski 
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

SSL % tomcat 6.0

2010-02-16 Thread Andrey D 
Hi,
I have a small troubles with SSL certificates integration for tomcat 6.0.
Of course I've read the FAQ and SSL tutorial but my situation is not
described in that help sheets in details...
I enabled SSL on tomcat and can log in onto default page with default
certificate, but I have to make the following:
1) enable SSL on server (tomcat);
2) sign certificate by my company (not to pay for signing on CA for
now);
3) generate certificate for every client and sent them by e-mail etc..
4) on client connect to my server accept client certificate...

I've made this:

added into server.conf


and do the following (java):

a) Process p = Runtime.getRuntime().exec("keytool -genkey -keyalg RSA -dname
\" CN=" + commoname
+ ", OU=" + orzunit
+ ", O=" + organization
+ ", L=" + loc
+ ", S=" + state
+ ", C=" + scontry
+ "\" -alias " + aliasname
+ " -keypass " + keypass
+ " -keystore " + keystore
+ " -storetype PKCS12 -storepass " + keystorepass
+ " -validity " + validity);

b) Process p = Runtime.getRuntime().exec("keytool -export -alias " +
aliasname
+ " -keyalg RSA -keystore " + kystore
+ " -storetype PKCS12 -storepass " + kystorepass
+ " -file " + file);
c) Process p = Runtime.getRuntime().exec("keytool -import -noprompt -alias "
+ aliasname
+ " -keyalg RSA -keystore " + kystore
+ " -storetype JKS -storepass " + kystorepass
+ " -file " + file);

But after adding client certificate, I have to restart tomcat... but it is
impossible!

If Someone knows how to generate and add certificates into keystore for
tomcat and use them without restart it will be great to reply to me:)

Thanks..