Re: Regression in mutual authentication in 9.0.86+?
On 21/03/2024 16:12, Amit Pande wrote:
Thank you Mark for your inputs.
Upon further debugging, it looks like the issue we ran into is also with the
reloading of SSL context.
Test execution sequence:
1. Add a trusted CA in Tomcat's trust store.
2. The SSL context is reloaded if any of the trust/key store has changes.
3. Perform a mutual client authentication using a client certificate signed by
the CA used in step 1.
Still a bit puzzled in such a case there was no SSL handshake failure at Tomcat
level but request made it to application and failed (due to empty
javax.servlet.request.X509Certificate).
It sounds like you have optional certificate verification enabled.
One follow-up question:
Are we planning to have an immediate 9.0.88 release, or it will be regular
cadence? Asking because the versions until 9.0.85 have vulnerabilities reported
and this regression might potentially block the upgrade to 9.0.86/87.
This fix will be picked up in the April release round.
Mark
Lastly, I wholeheartedly echo the gratitude many have expressed around the
awesome Tomcat leads.
Thanks,
Amit
-Original Message-
From: Mark Thomas
Sent: Monday, March 18, 2024 4:41 AM
To: users@tomcat.apache.org
Subject: Re: Regression in mutual authentication in 9.0.86+?
CAUTION: This email originated from outside the organization. Do not click
links or open attachments unless you recognize the sender and know the content
is safe. If you believe this is a phishing email, use the Report to
Cybersecurity icon in Outlook.
I've just tested 9.0.x and mutual TLS authentication appears to be working as
expected.
I suggest starting with testing a simple JSP that echoes that attribute and if
you still see the issue, provide us with your configuration. Note that the
issue may be related to the certs you are using so the configuration
information should include steps to recreate the TLS certs with keystore,
OpenSSL or similar.
On 15/03/2024 00:48, Amit Pande wrote:
Hello all,
I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with 9.0.87
too).
Some of our tests which involve on mutual authentication ("certificateVerification =
optional") have started to fail.
In tests where the client does pass the certificate, I didn't see any SSL handshake
errors (with SSL handshake debugging enabled) but
"javax.servlet.request.X509Certificate" attribute wasn't set. This is the
attribute the application needs for further validations.
Have you confirmed that the certificate was sent from the client?
Could anyone please give pointers on how to debug this further?
Any code pointers where Tomcat sets this
"javax.servlet.request.X509Certificate" attribute?
git clone
grep
Also, one more question - with optional certificate verification, the
connection doesn't fail if certificate is not passed. But connection will fail
if SSL handshake fails when a certificate is passed by client, is that correct
understanding?
Yes, that is what I would expect.
Mark
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Regression in mutual authentication in 9.0.86+?
Thank you Mark for your inputs.
Upon further debugging, it looks like the issue we ran into is also with the
reloading of SSL context.
Test execution sequence:
1. Add a trusted CA in Tomcat's trust store.
2. The SSL context is reloaded if any of the trust/key store has changes.
3. Perform a mutual client authentication using a client certificate signed by
the CA used in step 1.
Still a bit puzzled in such a case there was no SSL handshake failure at Tomcat
level but request made it to application and failed (due to empty
javax.servlet.request.X509Certificate).
One follow-up question:
Are we planning to have an immediate 9.0.88 release, or it will be regular
cadence? Asking because the versions until 9.0.85 have vulnerabilities reported
and this regression might potentially block the upgrade to 9.0.86/87.
Lastly, I wholeheartedly echo the gratitude many have expressed around the
awesome Tomcat leads.
Thanks,
Amit
-Original Message-
From: Mark Thomas
Sent: Monday, March 18, 2024 4:41 AM
To: users@tomcat.apache.org
Subject: Re: Regression in mutual authentication in 9.0.86+?
CAUTION: This email originated from outside the organization. Do not click
links or open attachments unless you recognize the sender and know the content
is safe. If you believe this is a phishing email, use the Report to
Cybersecurity icon in Outlook.
I've just tested 9.0.x and mutual TLS authentication appears to be working as
expected.
I suggest starting with testing a simple JSP that echoes that attribute and if
you still see the issue, provide us with your configuration. Note that the
issue may be related to the certs you are using so the configuration
information should include steps to recreate the TLS certs with keystore,
OpenSSL or similar.
On 15/03/2024 00:48, Amit Pande wrote:
> Hello all,
>
> I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with
> 9.0.87 too).
>
> Some of our tests which involve on mutual authentication
> ("certificateVerification = optional") have started to fail.
>
> In tests where the client does pass the certificate, I didn't see any SSL
> handshake errors (with SSL handshake debugging enabled) but
> "javax.servlet.request.X509Certificate" attribute wasn't set. This is the
> attribute the application needs for further validations.
Have you confirmed that the certificate was sent from the client?
> Could anyone please give pointers on how to debug this further?
>
> Any code pointers where Tomcat sets this
> "javax.servlet.request.X509Certificate" attribute?
git clone
grep
> Also, one more question - with optional certificate verification, the
> connection doesn't fail if certificate is not passed. But connection will
> fail if SSL handshake fails when a certificate is passed by client, is that
> correct understanding?
Yes, that is what I would expect.
Mark
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Regression in mutual authentication in 9.0.86+?
I've just tested 9.0.x and mutual TLS authentication appears to be
working as expected.
I suggest starting with testing a simple JSP that echoes that attribute
and if you still see the issue, provide us with your configuration. Note
that the issue may be related to the certs you are using so the
configuration information should include steps to recreate the TLS certs
with keystore, OpenSSL or similar.
On 15/03/2024 00:48, Amit Pande wrote:
Hello all,
I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with 9.0.87
too).
Some of our tests which involve on mutual authentication ("certificateVerification =
optional") have started to fail.
In tests where the client does pass the certificate, I didn't see any SSL handshake
errors (with SSL handshake debugging enabled) but
"javax.servlet.request.X509Certificate" attribute wasn't set. This is the
attribute the application needs for further validations.
Have you confirmed that the certificate was sent from the client?
Could anyone please give pointers on how to debug this further?
Any code pointers where Tomcat sets this
"javax.servlet.request.X509Certificate" attribute?
git clone
grep
Also, one more question - with optional certificate verification, the
connection doesn't fail if certificate is not passed. But connection will fail
if SSL handshake fails when a certificate is passed by client, is that correct
understanding?
Yes, that is what I would expect.
Mark
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
