Re: SSL client auth in Tomcat 4.0

2002-10-16 Thread jean-frederic clere

Clere, Jean-Frederic wrote:
> Steven Bradley wrote:
> 
>> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble 
>> getting SSL client authentication working (getting SSL server auth 
>> working was a snap).  Here's what I've done so far:
>>
>> * created a self-signed client cert using openSSL (key usage includes 
>> digital signature)
>> * imported client cert (and private key) into Internet Explorer (by 
>> way of a PKCS#12 file)
>> * imported the Tomcat JKS file with the client certificate
> 
> 
> CA file?
> 
>> * configure tomcat server.xml file as follows:
>>
>> <Connector className="org.apache.catalina.connector.http.HttpConnector"
>>            port="443"
>>            minProcessors="5"
>>            maxProcessors="75"
>>            enableLookups="true"
>>            acceptCount="10"
>>            debug="0"
>>            scheme="https"
>>            secure="true">
>>   <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>>            clientAuth="true"
>>            keystoreFile="conf/server.keystore"
>>            keystorePass="password"
>>            protocol="TLS"/>
>> </Connector>
>>
>> * stop/start tomcat
>> * point IE browser to https://localhost/index.html
>>
>> What IE tells me is that the page can't be displayed (after some 
>> handshaking attempts).  Unfortunately, there is no log info generated 
>> (even if I increase the debug param in the <Connector> element).
> 
> 
> Try with Mozilla or with openssl (something like: openssl s_client -port 
> 8443 -host localhost).
> Does it work when clientAuth="false"?
> 
>>
>> Any clues as to what I may be doing wrong?  Has ANYONE been able to 
>> get SSL client authentication working with Tomcat 4.0 standalone 
>> (Catalina).
> 
> 
> Sure I tested it... It worked ok.

I have found a document that I wrote at that time:
+++
Steps to set up a demoCA and user certificates:

1 - /usr/local/ssl/misc/CA.pl -newca
 This creates a demoCA directory that contains the CA certificates.

2 - /usr/local/ssl/misc/CA.pl -newreq
 This creates a newreq.pem that contains the private key and the request.

3 - Separate the request and the private key.
 Put the private key in key.pem and the request in newreq.pem.

4 - /usr/local/ssl/misc/CA.pl -signreq
 It displays the certificate before signing it.
 The result is in newcert.pem.

5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
 -in newcert.pem -out test.p12
 The test.p12 file can be imported into the browser.

6 - Import the test.p12 file into the browser.

7 - Add the CA cert to $JAVA_HOME/jre/lib/security/cacerts:
 chmod u+w $JAVA_HOME/jre/lib/security/cacerts
 $JAVA_HOME/bin/keytool -import -trustcacerts -file demoCA/cacert.pem \
 -keystore $JAVA_HOME/jre/lib/security/cacerts
+++

> Make sure the CA that has signed your certificates is in the CA file 
> ($JAVA_HOME/jre/lib/security/cacerts or something).
> 
>>
>> Thanks in advance
>> -- Steven
>>
>>
>> -- 
>> To unsubscribe, e-mail:   
>> 
>> For additional commands, e-mail: 
>> 
>>
>>








Re: SSL client auth in Tomcat 4.0

2002-10-15 Thread Bob Herrmann


I have gotten clientAuth=true working with Tomcat 5.

It is important to get the trusted certificates properly defined.  

I did this,

export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks \
  -Djavax.net.ssl.trustStorePassword=changeit"

And sometimes I defined this too, to get extra info:
#  -Djavax.net.debug=ssl,handshake,data,trustmanager

Cheers,
-bob


On Mon, 2002-10-14 at 20:13, Steven Bradley wrote:
> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble 
> getting SSL client authentication working (getting SSL server auth working 
> was a snap).  Here's what I've done so far:
> 
> * created a self-signed client cert using openSSL (key usage includes 
> digital signature)
> * imported client cert (and private key) into Internet Explorer (by way of 
> a PKCS#12 file)
> * imported the Tomcat JKS file with the client certificate
> * configure tomcat server.xml file as follows:
> 
> <Connector className="org.apache.catalina.connector.http.HttpConnector"
>            port="443"
>            minProcessors="5"
>            maxProcessors="75"
>            enableLookups="true"
>            acceptCount="10"
>            debug="0"
>            scheme="https"
>            secure="true">
>   <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>            clientAuth="true"
>            keystoreFile="conf/server.keystore"
>            keystorePass="password"
>            protocol="TLS"/>
> </Connector>
> 
> * stop/start tomcat
> * point IE browser to https://localhost/index.html
> 
> What IE tells me is that the page can't be displayed (after some 
> handshaking attempts).  Unfortunately, there is no log info generated (even 
> if I increase the debug param in the <Connector> element).
> 
> Any clues as to what I may be doing wrong?  Has ANYONE been able to get SSL 
> client authentication working with Tomcat 4.0 standalone (Catalina).
> 
> Thanks in advance
> -- Steven
> 
> 







RE: SSL client auth in Tomcat 4.0

2002-10-15 Thread Reddy.Thirumal

Yes, I did it. It worked fine. 

* First, set clientAuth="false" and try.

If it doesn't work, you might be going wrong when generating the certificates
stuff.

Here are the steps:

keytool -genkey -keystore client.keystore -alias client1

keytool -keystore client.keystore -certreq -file client.csr -alias client1

openssl ca -config /openssl.cnf -in client.csr -out client.pem -keyfile ca.key

openssl x509 -in client.pem -out client.der -outform DER

keytool -keystore client.keystore -import -file ca.cert -alias root

keytool -keystore client.keystore -import -file client.der -alias client1

If you strictly follow these steps, you will be able to get it done.

Please try and let me know the feedback to [EMAIL PROTECTED]

Cheers



-Original Message-
From: jean-frederic clere [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 3:53 PM
To: Tomcat Developers List
Subject: Re: SSL client auth in Tomcat 4.0


Steven Bradley wrote:
> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble 
> getting SSL client authentication working (getting SSL server auth 
> working was a snap).  Here's what I've done so far:
> 
> * created a self-signed client cert using openSSL (key usage includes 
> digital signature)
> * imported client cert (and private key) into Internet Explorer (by way 
> of a PKCS#12 file)
> * imported the Tomcat JKS file with the client certificate

CA file?

> * configure tomcat server.xml file as follows:
> 
> <Connector className="org.apache.catalina.connector.http.HttpConnector"
>            port="443"
>            minProcessors="5"
>            maxProcessors="75"
>            enableLookups="true"
>            acceptCount="10"
>            debug="0"
>            scheme="https"
>            secure="true">
>   <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>            clientAuth="true"
>            keystoreFile="conf/server.keystore"
>            keystorePass="password"
>            protocol="TLS"/>
> </Connector>
> 
> * stop/start tomcat
> * point IE browser to https://localhost/index.html
> 
> What IE tells me is that the page can't be displayed (after some 
> handshaking attempts).  Unfortunately, there is no log info generated 
> (even if I increase the debug param in the <Connector> element).

Try with Mozilla or with openssl (something like: openssl s_client -port 8443
-host localhost).
Does it work when clientAuth="false"?

> 
> Any clues as to what I may be doing wrong?  Has ANYONE been able to get 
> SSL client authentication working with Tomcat 4.0 standalone (Catalina).

Sure I tested it... It worked ok.
Make sure the CA that has signed your certificates is in the CA file 
($JAVA_HOME/jre/lib/security/cacerts or something).

> 
> Thanks in advance
> -- Steven
> 
> 
> 
> 








Re: SSL client auth in Tomcat 4.0

2002-10-15 Thread jean-frederic clere

Steven Bradley wrote:
> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble 
> getting SSL client authentication working (getting SSL server auth 
> working was a snap).  Here's what I've done so far:
> 
> * created a self-signed client cert using openSSL (key usage includes 
> digital signature)
> * imported client cert (and private key) into Internet Explorer (by way 
> of a PKCS#12 file)
> * imported the Tomcat JKS file with the client certificate

CA file?

> * configure tomcat server.xml file as follows:
> 
> <Connector className="org.apache.catalina.connector.http.HttpConnector"
>            port="443"
>            minProcessors="5"
>            maxProcessors="75"
>            enableLookups="true"
>            acceptCount="10"
>            debug="0"
>            scheme="https"
>            secure="true">
>   <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>            clientAuth="true"
>            keystoreFile="conf/server.keystore"
>            keystorePass="password"
>            protocol="TLS"/>
> </Connector>
> 
> * stop/start tomcat
> * point IE browser to https://localhost/index.html
> 
> What IE tells me is that the page can't be displayed (after some 
> handshaking attempts).  Unfortunately, there is no log info generated 
> (even if I increase the debug param in the <Connector> element).

Try with Mozilla or with openssl (something like: openssl s_client -port 8443 
-host localhost).
Does it work when clientAuth="false"?

> 
> Any clues as to what I may be doing wrong?  Has ANYONE been able to get 
> SSL client authentication working with Tomcat 4.0 standalone (Catalina).

Sure I tested it... It worked ok.
Make sure the CA that has signed your certificates is in the CA file 
($JAVA_HOME/jre/lib/security/cacerts or something).

> 
> Thanks in advance
> -- Steven
> 
> 
> 
> 








SSL client auth in Tomcat 4.0

2002-10-15 Thread Steven Bradley

I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble 
getting SSL client authentication working (getting SSL server auth working 
was a snap).  Here's what I've done so far:

* created a self-signed client cert using openSSL (key usage includes 
digital signature)
* imported client cert (and private key) into Internet Explorer (by way of 
a PKCS#12 file)
* imported the Tomcat JKS file with the client certificate
* configure tomcat server.xml file as follows:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="443"
           minProcessors="5"
           maxProcessors="75"
           enableLookups="true"
           acceptCount="10"
           debug="0"
           scheme="https"
           secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="true"
           keystoreFile="conf/server.keystore"
           keystorePass="password"
           protocol="TLS"/>
</Connector>

* stop/start tomcat
* point IE browser to https://localhost/index.html

What IE tells me is that the page can't be displayed (after some 
handshaking attempts).  Unfortunately, there is no log info generated (even 
if I increase the debug param in the <Connector> element).

Any clues as to what I may be doing wrong?  Has ANYONE been able to get SSL 
client authentication working with Tomcat 4.0 standalone (Catalina).

Thanks in advance
-- Steven






SSL Client-Auth

2002-10-03 Thread Bob Herrmann


Hi.  I have been looking into a problem with Tomcat5, ClientAuth=false,
and JSSE in JDK1.4 and it seems like the JSSE has a problem.

Namely if you build an SSL socket, then later decide you need to
exchange certs with the client (i.e. CLIENT-CERT), then the

SSLSocket.startHandshake()

method is called.  Unfortunately this method is asynchronous, and waits
for a read() or write() to occur before it does its work.  TC5
processes requests kinda like this; a Request comes in, TC5 checks to
see if the Resource is protected, then a negotiation may start.  However
JSSE won't initiate a cert exchange unless a Read() or a Write() happens
on the socket, but TC5 doesn't have anything it wants to write or read
when the 'startHandshake()' is called.

I have been playing around with using a sendRedirect() back to the same
page, but boy does that seem messy.

Any ideas?
-bob

P.S. I tweaked the JSSE sample programs to demonstrate the problem
outside of Tomcat.  If anyone wants a copy - just ask.









Re: SSL client auth support in TC 3.x and 4.x

2002-09-08 Thread Bill Barker

TC 3.3.1 at the moment doesn't include a "CertificateRealm" (but
contributions are welcome :).  The certificate chain is made available to a
custom Realm, or servlet that wants this information.  However, Tomcat 3.3.1
doesn't use this information itself.

- Original Message -
From: "Christopher Todd" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 08, 2002 4:52 PM
Subject: SSL client auth support in TC 3.x and 4.x


> Is SSL client auth supported in versions of Tomcat prior to 4.x?  In looking
> over the source code, I can see that in TC 4.1.10,
> Realm.authenticate(X509Certificate[] certs) authenticates a user based on
> the certificate chain that is presented.  But in looking through the source
> for TC 3.3.1, I cannot find any calls to
> java(x).security.cert.X509Certificate.validate() or verify().
>
> Nonetheless, I can see classes like JSSESupport and PureTLSSupport that
> obtain the chain of certificates via
> javax.net.ssl.SSLSession.getPeerCertificateChain(), but for the life of me,
> I cannot find any classes that are actually using the array of certs that is
> returned.  I have looked at the Realm class and its subclasses, and I have
> seen some things in the Http10Interceptor related to setting up the SSL
> socket, but it doesn't look to me like TC 3.3.1 supports client auth.
>
> Did I just miss it?  If SSL client auth is supported in TC 3.x, could
> someone please point me to the class and method responsible for verifying
> and validating a client's identity using the certificate chain?
>
> Thanks in advance,
> Chris
>
>
>
>






SSL client auth support in TC 3.x and 4.x

2002-09-08 Thread Christopher Todd

Is SSL client auth supported in versions of Tomcat prior to 4.x?  In looking
over the source code, I can see that in TC 4.1.10,
Realm.authenticate(X509Certificate[] certs) authenticates a user based on
the certificate chain that is presented.  But in looking through the source
for TC 3.3.1, I cannot find any calls to
java(x).security.cert.X509Certificate.validate() or verify().

Nonetheless, I can see classes like JSSESupport and PureTLSSupport that
obtain the chain of certificates via
javax.net.ssl.SSLSession.getPeerCertificateChain(), but for the life of me,
I cannot find any classes that are actually using the array of certs that is
returned.  I have looked at the Realm class and its subclasses, and I have
seen some things in the Http10Interceptor related to setting up the SSL
socket, but it doesn't look to me like TC 3.3.1 supports client auth.

Did I just miss it?  If SSL client auth is supported in TC 3.x, could
someone please point me to the class and method responsible for verifying
and validating a client's identity using the certificate chain?

Thanks in advance,
Chris






SSL Client Auth / Broken Pipe after negotiation

2002-07-17 Thread Matthew MacKenzie

Hello,

I've been trying to get SSL client auth to work using a simple URL 
client.  The command line looks like the following:

java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol 
-Djavax.net.ssl.trustStore=matt.jks -Djavax.net.debug=all URLClient 
https://akula.geek.ca/ >out 2>&1

The output can be seen at the bottom of this message.  I've searched 
around quite a lot for answers but I couldn't find any.

I have two keystores, one with the certificate being used by Tomcat as 
per the SSL-Howto + a trusted cert entry from the client which is in the 
keystore matt.jks, which has tomcat's certificate imported as a trusted 
cert.

Just as a test, I removed the -Dcom.sun.net.ssl.trustStore variable, and 
predictably, the failure was related to not trusting the server cert, 
which leads me to believe my setup is reasonable.

Tomcat client auth does work when I use Mozilla and a Thawte freemail 
certificate.

Can anyone help?  It sure would be appreciated.

--Matt

-- ssl debug --

keyStore is :
keyStore type is : jks
init keystore
init keymanager of type SunX509
trustStore is: matt.jks
trustStore type is : jks
init truststore
adding as trusted cert: [
[
   Version: V1
   Subject: CN=akula.geek.ca, OU=Web Ops, O=The Geek Cartel, L=Vancouver, 
ST=British Columbia, C=CA
   Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

   Key:  com.sun.rsajca.JSA_RSAPublicKey@20aea8
   Validity: [From: Wed Jul 17 19:54:05 PDT 2002,
To: Thu Jul 17 19:54:05 PDT 2003]
   Issuer: CN=akula.geek.ca, OU=Web Ops, O=The Geek Cartel, L=Vancouver, 
ST=British Columbia, C=CA
   SerialNumber: [3d362dcd ]

]
   Algorithm: [MD5withRSA]
   Signature:

]
adding private entry as trusted cert: [
[
   Version: V1
   Subject: CN=Matt, OU=MattCo, O=MattCo Intl, L=Vancouber, ST=BC, C=CA
   Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

   Key:  Sun DSA Public Key
 Parameters:DSA

   Validity: [From: Wed Jul 17 20:30:01 PDT 2002,
To: Tue Oct 15 20:30:01 PDT 2002]
   Issuer: CN=Matt, OU=MattCo, O=MattCo Intl, L=Vancouber, ST=BC, C=CA
   SerialNumber: [3d363639 ]

]
   Algorithm: [SHA1withDSA]
   Signature:

]
init context
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, v3.1
RandomCookie:  GMT: 1026965420 bytes = { 108, 14, 130, 201, 213, 23, 
156, 175, 170, 32, 66, 108, 200, 212, 161, 31, 154, 113, 99, 220, 220, 
105, 95, 183, 130, 93, 79, 102 }
Session ID:  {}
Cipher Suites:  { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 59
main, WRITE:  SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes:  len = 77