DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-11-30 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||FIXED

--- Comment #13 from Mark Thomas ma...@apache.org 2009-11-30 16:33:37 GMT ---
This has been applied to 5.5.x and will be included in 5.5.29 onwards.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-11-03 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #12 from Andre Cruz an...@cabine.org 2009-11-03 02:54:46 UTC ---
Thanks!




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-09-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #10 from Mark Thomas ma...@apache.org 2009-09-15 18:59:35 BST ---
The native fixes have been applied to the 1.1.x branch and trunk (1.2.x).
The Tomcat fixes have been applied to trunk (7.0.x) and proposed for 6.0.x and
5.5.x. Note that the 6.0.x/5.5.x patch depends on there being a new tc-native
release.




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #9 from Mark Thomas ma...@apache.org  2009-05-27 06:08:48 PST ---
The proposed patch does not work exactly as intended. It does not trigger
renegotiation; rather, it sets SSLVerifyClient for all future SSL sessions
created by that request processor.

The side effects of this are:
- cert still not prompted for when transitioning from resource that doesn't
require cert to one that does
- subsequent SSL requests handled by that processor will prompt for a cert,
even when not required.

As per comment #7, a fix for this that aligns the APR/native connector
behaviour with the Java connectors will require a change to the native
component of the native connector (to enable the connection to be renegotiated
for the current connection).




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-05-21 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950


Alexey li...@liosa.net changed:

   What|Removed |Added

 CC||li...@liosa.net




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-05-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #8 from André an...@cabine.org  2009-05-14 04:17:52 PST ---
Created an attachment (id=23663)
 -- (https://issues.apache.org/bugzilla/attachment.cgi?id=23663)
Patch that makes the Apr connector behave like the non-Apr

This patch will turn on the SSL Client requirement prior to the SSL
renegotiation prompting the browser for one.




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-04-16 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950


--- Comment #7 from Mark Thomas ma...@apache.org  2009-04-16 12:37:33 PST ---
This is going to require a change to the APR/native connector.




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-04-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950


--- Comment #5 from Mark Thomas ma...@apache.org  2009-04-15 04:38:10 PST ---
(In reply to comment #4)
> What works for you?
The security constraint and login configuration I posted, which requires SSL for
the entire context but only requires user authentication for a single JSP. If I
browse to any resource except the one that requires auth using http I get
switched to https as expected. If I then request the protected resource I get
prompted for my certificate.

> Did you even read what I said?
Yes I did. Quite carefully. Taking that attitude is not going to induce people
to help you.

> How can the browser know if a server trusts a certain certificate or not
> without even asking for it?
This is the way the SSL handshake works. The server provides a client with a
list of trusted certs. If the client doesn't have a user cert issued by one of
the trusted certs the client doesn't waste time prompting the user to select
one.

> Let me explain the problem better.
>
> Most of my site runs without client cert checking, so I have
> SSLVerifyClient=none on the connector.

That is new information. Your original bug report made no mention of using the
APR/native connector. I'd expect the behaviour to remain the same but I'll
re-test with the native and see.

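The handshake detail Mark Thomas describes in comment #5, worked through as an added example (this is not code from the bug report or from Tomcat). When a server wants a client certificate, whether in the initial handshake or in a renegotiation on an already established connection, it sends a CertificateRequest naming the CAs it trusts; a browser whose certificates were not issued by one of those CAs has nothing to offer and does not prompt the user. The code builds a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4), parses it back with length checks, renders the CA distinguished names, and models the client's decision. The CA names and handshake bytes are constructed test data, and matching by exact issuer DN is a simplification of what real browsers do.

```python
# TLS 1.2 CertificateRequest: the CA list a server sends when it asks for a client cert.
# Added example, not from the Tomcat bug report; all DNs and bytes are constructed test data.
import struct

# DER OID values (no tag/length) for the X.501 attributes rendered below.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


def der(tag, body):
    """One DER TLV with definite length (short form below 128, long form above)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body


def encode_dn(attrs):
    """DER-encode an X.501 Name from [("CN", "..."), ("O", "...")]."""
    rdns = b""
    for name, value in attrs:
        atv = der(0x30, der(0x06, NAME_OIDS[name]) + der(0x0C, value.encode()))
        rdns += der(0x31, atv)  # RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
    return der(0x30, rdns)      # Name ::= SEQUENCE OF RelativeDistinguishedName


def read_tlv(buf, pos):
    """Read the DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_dn(dn):
    """Render a DER Name as 'CN=..., O=...' (first attribute of each RDN)."""
    tag, seq, _ = read_tlv(dn, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, after_oid = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, after_oid)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def build_certificate_request(ca_dns, cert_types=b"\x01\x40",
                              sig_algs=(b"\x04\x01", b"\x05\x01")):
    """CertificateRequest (RFC 5246 7.4.4): types, signature algorithms, then CA DNs."""
    body = bytes([len(cert_types)]) + cert_types
    algs = b"".join(sig_algs)
    body += struct.pack("!H", len(algs)) + algs
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    body += struct.pack("!H", len(cas)) + cas
    return b"\x0D" + len(body).to_bytes(3, "big") + body  # handshake type 13


def parse_certificate_request(msg):
    """Inverse of build_certificate_request, checking every vector length."""
    if msg[0] != 0x0D:
        raise ValueError("not a CertificateRequest (handshake type 13)")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match message size")
    n_types = body[0]
    cert_types = list(body[1:1 + n_types])
    pos = 1 + n_types
    (n_algs,) = struct.unpack_from("!H", body, pos)
    pos += 2
    sig_algs = [body[i:i + 2] for i in range(pos, pos + n_algs, 2)]
    pos += n_algs
    (n_cas,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end, cas = pos + n_cas, []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos)
        cas.append(body[pos + 2:pos + 2 + dn_len])
        pos += 2 + dn_len
    if pos != end or end != len(body):
        raise ValueError("malformed certificate_authorities vector")
    return {"certificate_types": cert_types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


def client_would_prompt(cert_request, client_cert_issuers):
    """Browser behaviour described in the thread, modelled on issuer DN: prompt only if a
    client cert was issued by a listed CA. An empty list means any CA is acceptable."""
    cas = parse_certificate_request(cert_request)["certificate_authorities"]
    if not cas:
        return bool(client_cert_issuers)
    return any(issuer in cas for issuer in client_cert_issuers)


# Constructed names: the CA in the server's trust store, and an unrelated one.
TRUSTED_CA = encode_dn([("CN", "Example Issuing CA"), ("O", "Example Corp")])
OTHER_CA = encode_dn([("CN", "Unrelated CA"), ("O", "Somebody Else")])
CERT_REQUEST = build_certificate_request([TRUSTED_CA])

if __name__ == "__main__":
    for dn in parse_certificate_request(CERT_REQUEST)["certificate_authorities"]:
        print("acceptable client certificate CA name:", decode_dn(dn))
    print("prompt with cert from other CA:", client_would_prompt(CERT_REQUEST, [OTHER_CA]))
```

This is the same list `openssl s_client` prints as "Acceptable client certificate CA names", which is the quickest way to check what a Tomcat connector actually asks for; if the CA that issued the user's certificate is not in it, the browser's silence is the expected behaviour, not the bug discussed here.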



DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-04-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950


André an...@cabine.org changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|WORKSFORME  |

--- Comment #4 from André an...@cabine.org  2009-04-15 04:03:39 PST ---
What works for you? Did you even read what I said?

How can the browser know if a server trusts a certain certificate or not
without even asking for it?

Let me explain the problem better.

Most of my site runs without client cert checking, so I have
SSLVerifyClient=none on the connector. But I have one servlet that DOES want
a client certificate and so I configured the security restriction accordingly
in the deployment descriptor. Just that one resource, not the entire site.

It's in these cases that a SSL renegotiation does not occur to ask for the
client certificate. Tomcat only knows that I want a client certificate after
the client sends the http request.

Apache httpd has this feature and someone on the Tomcat users list asked me to
file this as a bug. Maybe it's just a missing feature.




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-04-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950


--- Comment #6 from Mark Thomas ma...@apache.org  2009-04-15 05:21:57 PST ---
OK, I can confirm this when I test with the APR/native connector. Looking for a
fix now...




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-04-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950


Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||WORKSFORME

--- Comment #3 from Mark Thomas ma...@apache.org  2009-04-14 16:15:31 PST ---
The following configuration works for me. At a guess, you haven't configured
Tomcat to trust the issuer of your client certificate. The browser only prompts
you to select a cert if it has one that the server will trust.

Please use the users list if you need further help configuring your SSL certs.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Bug46950</web-resource-name>
      <url-pattern>/bug46381.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>




DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-04-02 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950


André an...@cabine.org changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|INVALID |

--- Comment #2 from André an...@cabine.org  2009-04-02 03:00:48 PST ---
Ok. So now I changed the security-constraint to:
<security-constraint id="SecurityConstraint_1">
  <web-resource-collection id="WebResourceCollection_1">
    <web-resource-name/>
    <url-pattern>/LoginWithCert.do</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint id="UserDataConstraint_4">
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Now I get this error when I access the resource:
HTTP Status 400 - No client certificate chain in this request

BUT no certificate was asked in the SSL (re-)negotiation.

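How a servlet container decides which of the constraints posted in comments #2 and #3 applies to a given request, as an added example (not code from the thread or from Tomcat). It implements the best-match rule of the Servlet specification (section 13.8.3: the constraints on the most specific matching url-pattern apply, and constraints on a less specific pattern do not accumulate) and the combination rules of section 13.8.1 for auth-constraint and user-data-constraint, which is also how Tomcat's RealmBase behaves. WEB_XML is a constructed descriptor that puts both posted constraints side by side under a CLIENT-CERT login-config; the request paths and methods queried are assumptions. Two things it surfaces that the posts do not spell out: the CONFIDENTIAL guarantee on /* does not reach /bug46381.jsp, because the exact match wins and carries no user-data-constraint of its own (consistent with comment #5, where only the other resources are redirected to https), and a collection that lists http-method elements leaves unlisted methods uncovered by any constraint, the hole that Servlet 3.1 later added deny-uncovered-http-methods to close.

```python
# Which <security-constraint> applies to a request, decided the way a servlet container does.
# Added example, not code from the Tomcat bug report or from Tomcat; WEB_XML is constructed.
import xml.etree.ElementTree as ET

# Constructed descriptor: the two constraints posted in the thread, plus CLIENT-CERT login.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Bug46950</web-resource-name>
      <url-pattern>/bug46381.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginWithCert</web-resource-name>
      <url-pattern>/LoginWithCert.do</url-pattern>
      <http-method>DELETE</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>
"""


def load_constraints(xml_text):
    """Return ([constraint dicts], auth-method). roles is None when there is no
    <auth-constraint> (access unchecked) and [] when it is empty (everyone denied)."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        constraints.append({
            "patterns": [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")],
            "methods": [m.text.strip() for m in sc.findall("web-resource-collection/http-method")],
            "roles": None if auth is None else [r.text.strip() for r in auth.findall("role-name")],
            "transport": sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip(),
        })
    return constraints, root.findtext("login-config/auth-method", "NONE").strip()


def match_rank(pattern, path):
    """Specificity of a url-pattern match (Servlet spec 12.1), or None if no match:
    exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None


def constraints_for(constraints, path, method):
    """Constraints on the best-matching pattern only (spec 13.8.3); less specific
    patterns do not accumulate. The method filter is applied afterwards, so a method
    missing from an exact-match collection leaves the request with no constraint at all."""
    best, selected = None, []
    for c in constraints:
        for pattern in c["patterns"]:
            rank = match_rank(pattern, path)
            if rank is None:
                continue
            if best is None or rank > best:
                best, selected = rank, []
            if rank == best and (not c["methods"] or method in c["methods"]) and c not in selected:
                selected.append(c)
    return selected


def effective_policy(constraints, auth_method, path, method="GET"):
    """Combine the selected constraints (spec 13.8.1): one without <auth-constraint>
    makes access unchecked, an empty one denies, otherwise roles are unioned; transport
    is only guaranteed if every selected constraint demands it."""
    selected = constraints_for(constraints, path, method)
    if not selected or any(c["roles"] is None for c in selected):
        access, roles = "unchecked", set()
    elif any(c["roles"] == [] for c in selected):
        access, roles = "denied", set()
    else:
        access, roles = "authenticate", set().union(*(c["roles"] for c in selected))
    secure = bool(selected) and all(c["transport"] != "NONE" for c in selected)
    return {"path": path, "method": method, "access": access, "roles": sorted(roles),
            "secure_transport": secure,
            "client_cert_needed": access == "authenticate" and auth_method == "CLIENT-CERT"}


CONSTRAINTS, AUTH_METHOD = load_constraints(WEB_XML)

if __name__ == "__main__":
    for path, method in (("/index.jsp", "GET"), ("/bug46381.jsp", "GET"),
                         ("/LoginWithCert.do", "GET"), ("/LoginWithCert.do", "OPTIONS")):
        print(effective_policy(CONSTRAINTS, AUTH_METHOD, path, method))
```

The `client_cert_needed` flag is the moment the container has to obtain a certificate it was not given in the initial handshake: with `clientAuth`/`SSLVerifyClient` off on the connector, that means a renegotiation, which is exactly the step the APR/native connector did not perform in this bug. The practical fix for the two side issues is to put the user-data-constraint on the exact-match constraint as well and to drop the http-method list unless every method is enumerated.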



DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested

2009-04-01 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950


william.bar...@wilshire.com changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID

--- Comment #1 from william.bar...@wilshire.com  2009-04-01 11:43:50 PST ---
There is no auth-constraint in the configuration, so of course Tomcat doesn't
ask for a certificate.
