Hi
Tomcat version : 8.5.70
Attached my self -signed client cert(ecdsatestclient.crt_txt), self signed CA
(rsatestca_original.crt_txt)output from openssl (defaultciphersuite.txt) my
connector configuration(connector.txt)
Problem: We have a client that is connecting to tomcat with an ECC cert signed
by a RSA signer. Client authentication is enabled in tomcat. They are seeing
handshake failures in ClientKeyExchange/Certificate Verify stage. To emulate
their failure I generated self signed certs and tested with tomcat. I was able
to make a successful connection. I attached my self signed certs ,connector
configuration and openssl output from my successful test. I don't have the
actual logs or client cert but I do have a packet capture during failure. I see
in "CertificateRequest" message sent by server(tomcat) it is sending a list of
"certificate types, supported signature algorithms and certificate
authorities". I get that "certificate authorities" come from tomcat's
truststore. I was comparing the packet capture and tomcat log from successful
case and noticed that "certificate types and supported signature algorithms"
are different between successful and failure cases. Why is there difference
between the "certificate types" and "signature algorithms"? Where/how does
tomcat get the values for "certificate types" and "supported signature
algorithms" ?
We don't enable/disable/define any certificate types or signature algorithms in
Catalina.policy or in the java.security or java.policy files(java that tomcat
is pointing to). We have unlimited strength cryptography policy files.
I added client certificate issuer's CA into server's trust store and vice versa
before I ran the openssl command.
The command I used to test is
openssl s_client -connect X.X.X.X:XX -cert ecdsatestclient.crt -key
myselfsigned.key -CAfile rsatestca.crt -msg -state -showcerts -debug
CertificateRequest in successful case
javax.net.ssl|FINE|1F|https-jsse-nio2-X.X.X.X:XXX-exec-2|2021-09-22
01:29:05.176 UTC|CertificateRequest.java:618|Produced CertificateRequest
handshake message (
"CertificateRequest": {
"certificate types": [ecdsa_sign, rsa_sign, dss_sign]
"supported signature algorithms": [ecdsa_secp256r1_sha256,
ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256,
rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1,
rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
"certificate authorities": []
}
CertificateRequest in failure case:
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 3316
Certificate types count: 2
Certificate types (2 types)
Certificate type: RSA Sign (1)
Certificate type: DSS Sign (2)
Signature Hash Algorithms Length: 30
Signature Hash Algorithms (15 algorithms)
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Algorithm: SHA256 DSA (0x0402)
Signature Algorithm: SHA224 RSA (0x0301)
Signature Algorithm: SHA224 DSA (0x0302)
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Algorithm: SHA1 DSA (0x0202)
Signature Algorithm: MD5 RSA (0x0101)
Thanks
Sreevidya
CONFIDENTIALITY NOTICE This e-mail message and any attachments are only for the
use of the intended recipient and may contain information that is privileged,
confidential or exempt from disclosure under applicable law. If you are not the
intended recipient, any disclosure, distribution or other use of this e-mail
message or attachments is prohibited. If you have received this e-mail message
in error, please delete and notify the sender immediately. Thank you.
CONNECTED(0003)
---
Certificate chain
0 s:/C=US/ST=Missouri/L=St Louis/O=Testing/OU=Server/CN=4e820814131f
i:/C=BE/O=MasterCard Worldwide/OU=Corporate Security/CN=MasterCard DEV
Generic Sub CA1 G2
1 s:/C=BE/O=MasterCard Worldwide/OU=Corporate Security/CN=MasterCard DEV
Generic Sub CA1 G2
i:/C=BE/O=MasterCard Worldwide/OU=Corporate Security/CN=MasterCard DEV
Generic Root CA1 G2
2 s:/C=BE/O=MasterCard Worldwide/OU=Corporate Security/CN=MasterCard DEV
Generic Root CA1 G2
i:/C=BE/O=MasterCard Worldwi