Re: Firefox SSL with APR - losing client certificate
David,

On 9/17/15 3:06 PM, David Balažic wrote:
> Anyone with experience debugging SSL issues (with APR or from
> Firefox/Chrome side) ?

If you use Wireshark or a similar packet-capture rig, can you see whether the browser is changing the way it sends its data? With Wireshark, you can install the server's private key and then you can read all the encrypted traffic. Wireshark will disassemble all the packets and even give you rich information at the protocol-level about what's in there. You can probably tell the difference between what Firefox or Chrome sends to the server both before and after the "loss" of the certificate.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
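A client-side check that complements the packet-capture advice above, written for this page and not part of the thread or of Tomcat: it opens several consecutive TLS connections to the reproduction page from a single JSSE SSLContext, so the client tries to resume the previous TLS session on each connection, and reports per connection the TLS session id, whether that id repeated (an abbreviated handshake, during which the server sends no CertificateRequest), and whether the page answered 200 (it saw the certificate) or 500 (the NullPointerException from the ccertA.jsp reproduction). Host, port, keystore file names and passwords are assumptions; it needs Java 7 or later, a PKCS#12 file with the client certificate and key, and a JKS truststore containing the server certificate. If you go the Wireshark route instead, decrypting with the server's private key only works for RSA key exchange; with (EC)DHE cipher suites, point Firefox or Chrome at a key log file via the SSLKEYLOGFILE environment variable and give Wireshark that file.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not code from the thread: repeated TLS connections from ONE
 * SSLContext (so JSSE attempts session resumption), reporting per connection
 * whether the session id repeated and whether the server-side page still saw
 * the client certificate. HOST, keystore names and passwords are assumptions.
 */
public class ClientCertResumeCheck {

    static final String HOST = "localhost";          // assumption
    static final int PORT = 8443;                    // port from the Connector in the thread
    static final String PATH = "/cert/ccertA.jsp";   // the reproduction page
    static final int ATTEMPTS = 8;

    public static void main(String[] args) throws Exception {
        // Assumed files: client.p12 = client cert + private key,
        // truststore.jks = the server certificate (key_public.pem imported).
        SSLContext ctx = buildContext("client.p12", "changeit", "truststore.jks", "changeit");
        SSLSocketFactory factory = ctx.getSocketFactory();

        byte[] previousId = null;
        for (int i = 1; i <= ATTEMPTS; i++) {
            try (SSLSocket sock = (SSLSocket) factory.createSocket(HOST, PORT)) {
                sock.setEnabledProtocols(new String[] {"TLSv1.2"});
                sock.startHandshake();

                // Same session id as last time => abbreviated (resumed) handshake,
                // which carries no CertificateRequest. Heuristic for session-id
                // resumption in TLS 1.2; the column to watch is app-saw-cert.
                byte[] id = sock.getSession().getId();
                boolean resumed = previousId != null && Arrays.equals(previousId, id);
                previousId = id;

                String statusLine = httpGet(sock, PATH);
                System.out.printf("#%d session=%s resumed=%-5b app-saw-cert=%-5b (%s)%n",
                        i, hex(id), resumed, appSawCert(statusLine), statusLine);
            }
            Thread.sleep(2000);  // the thread reports failure within ~30 s of clicking
        }
    }

    /** 200 means the JSP printed the subject DN; 500 is its NPE on a null attribute. */
    static boolean appSawCert(String statusLine) {
        return statusLine.startsWith("HTTP/1.1 200");
    }

    /** Sends one HTTP/1.1 GET with Connection: close and returns the status line. */
    static String httpGet(SSLSocket sock, String path) throws Exception {
        OutputStream out = sock.getOutputStream();
        String req = "GET " + path + " HTTP/1.1\r\nHost: " + HOST + "\r\nConnection: close\r\n\r\n";
        out.write(req.getBytes(StandardCharsets.US_ASCII));
        out.flush();
        BufferedReader in = new BufferedReader(
                new InputStreamReader(sock.getInputStream(), StandardCharsets.ISO_8859_1));
        String statusLine = in.readLine();
        while (in.readLine() != null) { /* drain the body so the server closes cleanly */ }
        return statusLine == null ? "<no response>" : statusLine;
    }

    static SSLContext buildContext(String p12, String p12Pass, String jks, String jksPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream f = new FileInputStream(p12)) { ks.load(f, p12Pass.toCharArray()); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, p12Pass.toCharArray());

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream f = new FileInputStream(jks)) { ts.load(f, jksPass.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

A run where every line after the first shows resumed=true and app-saw-cert=true narrows the problem to something the browsers do differently from this client; a run where app-saw-cert flips to false on a resumed session reproduces the thread's symptom without a browser, which is the cleaner thing to attach to a packet capture.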
RE: Firefox SSL with APR - losing client certificate
Anyone with experience debugging SSL issues (with APR or from Firefox/Chrome side) ?

David Balažic

> -----Original Message-----
> From: David Balažic [mailto:david.bala...@comtrade.com]
> Sent: 10. September 2015 14:58
> To: users@tomcat.apache.org
> Subject: RE: Firefox SSL with APR - losing client certificate
> Importance: Low
>
> Reported as Bug 58244 - two way SSL loses client certificate after a few
> requests
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=58244
>
> David Balažic
>
> > -----Original Message-----
> > From: David Balažic
> > Sent: 7. August 2015 17:38
> > To: users@tomcat.apache.org
> > Subject: Firefox SSL with APR - losing client certificate
> > Importance: Low
> >
> > Hi!
> >
> > I use tomcat 6.0.44 with APR on Windows x64.
> > I set up SSLVerifyClient="optional" and since then encounter the following
> > problem with Firefox 39.0.03 (IE works OK):
> >
> > On first access Firefox shows the client certificate selection dialog. I select a
> > certificate and continue. The web application "sees" the selected certificate
> > and shows a proper response page.
> > But on next access (I click a link) the client certificate is not visible to the
> > application any more. It gets null from the method call
> > HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
> >
> > Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869 (similar)
> > And http://grokbase.com/t/tomcat/users/102pdv412y "[Tomcat-users]
> > Client certificate gone after 1 minute timeout (SSL, APR)"
> > (even more similar, except for me it fails on next access without a minute of
> > waiting)
> > As suggested in the second link, clearing cache and authentication in the
> > browser is a workaround that works. Kind of, as one has to select the
> > certificate again and do it before every click on a link.
> >
> > Strange, just now it worked fine for a few minutes.
> >
> > Is this some known issue?
> >
> > Without APR, using JSSE, it works fine (and did so for years).
> >
> > This started after upgrading yesterday tomcat from 6.0.35_x64 (no APR) to
> > apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
> > I start tomcat from Eclipse, using JRE 1.6.0_45 (each 64 bit version).
> >
> > Firefox version 39.0, today updated to 39.0.3
> >
> > The Connector line from server.xml:
> >
> >   <Connector SSLCertificateFile="C:/key_public.pem"
> >       SSLCertificateKeyFile="C:/key_private.pem"
> >       SSLEnabled="true" SSLPassword="changeit"
> >       SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
> >       SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
> >       port="8443"
> >       protocol="org.apache.coyote.http11.Http11AprProtocol"
> >       scheme="https"
> >       secure="true" />
> >
> > Regards,
> > David Balažic
RE: Firefox SSL with APR - losing client certificate
Reported as Bug 58244 - two way SSL loses client certificate after a few requests

https://bz.apache.org/bugzilla/show_bug.cgi?id=58244

David Balažic

> -----Original Message-----
> From: David Balažic
> Sent: 7. August 2015 17:38
> To: users@tomcat.apache.org
> Subject: Firefox SSL with APR - losing client certificate
> Importance: Low
>
> Hi!
>
> I use tomcat 6.0.44 with APR on Windows x64.
> I set up SSLVerifyClient="optional" and since then encounter the following
> problem with Firefox 39.0.03 (IE works OK):
>
> On first access Firefox shows the client certificate selection dialog. I select a
> certificate and continue. The web application "sees" the selected certificate
> and shows a proper response page.
> But on next access (I click a link) the client certificate is not visible to the
> application any more. It gets null from the method call
> HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
>
> Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869 (similar)
> And http://grokbase.com/t/tomcat/users/102pdv412y "[Tomcat-users]
> Client certificate gone after 1 minute timeout (SSL, APR)"
> (even more similar, except for me it fails on next access without a minute of
> waiting)
> As suggested in the second link, clearing cache and authentication in the
> browser is a workaround that works. Kind of, as one has to select the
> certificate again and do it before every click on a link.
>
> Strange, just now it worked fine for a few minutes.
>
> Is this some known issue?
>
> Without APR, using JSSE, it works fine (and did so for years).
>
> This started after upgrading yesterday tomcat from 6.0.35_x64 (no APR) to
> apache-tomcat-6.0.44-windows-x64.zip (with or without APR).
> I start tomcat from Eclipse, using JRE 1.6.0_45 (each 64 bit version).
>
> Firefox version 39.0, today updated to 39.0.3
>
> The Connector line from server.xml:
>
>   <Connector SSLCertificateFile="C:/key_public.pem"
>       SSLCertificateKeyFile="C:/key_private.pem"
>       SSLEnabled="true" SSLPassword="changeit"
>       SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
>       SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
>       port="8443"
>       protocol="org.apache.coyote.http11.Http11AprProtocol"
>       scheme="https"
>       secure="true" />
>
> Regards,
> David Balažic
RE: Firefox SSL with APR - losing client certificate
It also happens with latest apache-tomcat-8.0.24-windows-x64.zip

Using this simple webapp:

In the webapps folder create a folder named "cert", there create a file named ccertA.jsp with contents:

    client cert test - page A
    User client cert data:
    <%= ((java.security.cert.X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"))[0].getSubjectX500Principal().toString()%>

    <a href="ccertB.jsp">Check page B</a>

    Page served time: <%= new java.util.Date().toString() %>

Optionally create another file "ccertB.jsp" with the same content, except the "A" and "B" letters swapped.

In server.xml add a line:

Then start with startup.bat and open the page https://localhost:8443/cert/ccertA.jsp and refresh it or click the link.

After a few clicks, instead of the page an error will be presented:

    HTTP Status 500 - An exception occurred processing JSP page /ccertA.jsp at line 5

    type Exception report

    message An exception occurred processing JSP page /ccertA.jsp at line 5

    description The server encountered an internal error that prevented it from fulfilling this request.

    exception

    org.apache.jasper.JasperException: An exception occurred processing JSP page /ccertA.jsp at line 5

    2:
    3: client cert test - page A
    4: User client cert data:
    5: <%= ((java.security.cert.X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"))[0].getSubjectX500Principal().toString()%>
    6:
    7: Check page B
    8:

    Stacktrace:
        org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:574)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

    root cause

    java.lang.NullPointerException
        org.apache.jsp.ccertA_jsp._jspService(ccertA_jsp.java:93)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

    note The full stack trace of the root cause is available in the Apache Tomcat/8.0.24 logs.

    Apache Tomcat/8.0.24

The error occurs in about 30 seconds after first load (keep refreshing or clicking every few seconds or so).

Tested with:
- Chrome v44
- Firefox v39.0.3 and v40

The problem does not occur with IE v11.

Regards,
David Balažic
Software Engineer
www.comtrade.com

> -----Original Message-----
> From: David Balažic [mailto:david.bala...@comtrade.com]
> Sent: 10. August 2015 19:30
> To: Tomcat Users List
> Subject: RE: Firefox SSL with APR - losing client certificate
> Importance: Low
>
> > From: David Balažic [mailto:david.bala...@comtrade.com]
> >
> > > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > > Sent: 8. August 2015 14:33
> > >
> > > Quick question: this is with Tomcat only and no httpd out in front, right?
> >
> > Yes.
>
> It is also the same if run independently (without Eclipse):
> - extract apache-tomcat-6.0.44-windows-x64.zip
> - set JAVA_HOME, CATALINA_HOME, CATALINA_BASE and CATALINA_OPTS
> - copy war file into webapps folder
> - copy ojdbc6_g-11.2.0.2.0.jar into lib folder (my WAR uses an Oracle database)
> - execute startup.bat
>
> Java is again 1.6.0_45 (x64).
>
> It also happens with java version "1.8.0_51"
> Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
> Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)
>
> I also tested on another system with 32 bit Windows 7, apache-tomcat-6.0.44-windows-x86.zip, with
> java version "1.6.0_12"
> Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
> Java HotSpot(TM) Client VM (build 11.2-b01, mixed mode, sharing)
>
> Same problem (with FF, while IE works fine).
>
> On the first system I also tried with Chrome: also has the problem.
>
> Interestingly, on one occasion with FF the problem did not surface for a long
> time (about 15 minutes of testing).
> Then I cleared the "Active Logins" (shift-ctrl-del) in Firefox and tried again:
> the problem occurred right on second HTTP(S) request.
>
> Regards,
> David
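A server-side companion to the reproduction above, added for this page and not taken from the thread or from Tomcat: a servlet filter that never lets a null javax.servlet.request.X509Certificate reach the JSP (it answers 403 instead of the 500/NullPointerException shown above) and that logs, for every request, the TLS session id together with whether a certificate was present. That second part is the diagnostic: the log then shows whether the certificate vanished on a TLS session id that earlier carried one (lost on a resumed session) or on a session id never seen with a certificate (a fresh handshake in which the browser sent none). The attribute names are the Servlet 3.0 ones, which fit the 8.0.24 reproduction; on Tomcat 6 the session id is exposed under the older name javax.servlet.request.ssl_session, so adjust SESSION_ATTR there. The filter name, class name and the bound on tracked sessions are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the thread or from Tomcat. Fails closed when
 * no client certificate reached the request, and logs per request whether a
 * certificate disappeared on a TLS session id that previously carried one.
 * Attribute names are the Servlet 3.0 ones (Tomcat 7+); class name and
 * MAX_TRACKED_SESSIONS are assumptions.
 */
public class ClientCertAuditFilter implements Filter {

    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String SESSION_ATTR = "javax.servlet.request.ssl_session_id";
    static final int MAX_TRACKED_SESSIONS = 10000;   // diagnostic bound, assumption

    /** TLS session id -> subject DN of the certificate seen on that session. */
    private final Map<String, String> subjectBySession = new ConcurrentHashMap<String, String>();
    private ServletContext context;

    public void init(FilterConfig cfg) { this.context = cfg.getServletContext(); }

    public void destroy() { subjectBySession.clear(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Object sid = request.getAttribute(SESSION_ATTR);
        String sessionId = sid == null ? "-" : sid.toString();
        String subject = subjectOf((X509Certificate[]) request.getAttribute(CERT_ATTR));

        String verdict = classify(sessionId, subject);
        context.log("tls-audit " + verdict + " session=" + sessionId
                + " subject=" + subject + " uri=" + request.getRequestURI());

        if (subject == null) {
            // Fail closed with a clear status instead of an NPE inside the page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Subject DN of the leaf certificate, or null when no chain was presented. */
    static String subjectOf(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) return null;
        return chain[0].getSubjectX500Principal().getName();
    }

    /*
     * CERT_PRESENT            certificate seen; remembered for this session id
     * CERT_LOST_SAME_SESSION  no certificate, but this TLS session id carried one before
     * NO_CERT_NEW_SESSION     no certificate on a session id never seen with one
     */
    String classify(String sessionId, String subject) {
        if (subject != null) {
            if (subjectBySession.size() >= MAX_TRACKED_SESSIONS) subjectBySession.clear();
            subjectBySession.put(sessionId, subject);
            return "CERT_PRESENT";
        }
        return subjectBySession.containsKey(sessionId)
                ? "CERT_LOST_SAME_SESSION" : "NO_CERT_NEW_SESSION";
    }
}
```

Map it in the cert webapp's web.xml with a filter-mapping on url-pattern /* and repeat the clicking test; a run of CERT_LOST_SAME_SESSION lines in catalina.out says the certificate is being dropped within an established TLS session, while NO_CERT_NEW_SESSION lines say each failing request came over a new handshake in which the browser offered no certificate. With SSLVerifyClient="optional" the 403 is also the correct answer for a browser that legitimately chose no certificate, so the filter is a diagnostic and a guard against the NPE, not an authorization layer.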
RE: Firefox SSL with APR - losing client certificate
> From: David Balažic [mailto:david.bala...@comtrade.com]
>
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: 8. August 2015 14:33
> >
> > Quick question: this is with Tomcat only and no httpd out in front, right?
>
> Yes.

It is also the same if run independently (without Eclipse):
- extract apache-tomcat-6.0.44-windows-x64.zip
- set JAVA_HOME, CATALINA_HOME, CATALINA_BASE and CATALINA_OPTS
- copy war file into webapps folder
- copy ojdbc6_g-11.2.0.2.0.jar into lib folder (my WAR uses an Oracle database)
- execute startup.bat

Java is again 1.6.0_45 (x64).

It also happens with java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)

I also tested on another system with 32 bit Windows 7, apache-tomcat-6.0.44-windows-x86.zip, with
java version "1.6.0_12"
Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
Java HotSpot(TM) Client VM (build 11.2-b01, mixed mode, sharing)

Same problem (with FF, while IE works fine).

On the first system I also tried with Chrome: also has the problem.

Interestingly, on one occasion with FF the problem did not surface for a long time (about 15 minutes of testing).
Then I cleared the "Active Logins" (shift-ctrl-del) in Firefox and tried again: the problem occurred right on second HTTP(S) request.

Regards,
David
RE: Firefox SSL with APR - losing client certificate
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 8. August 2015 14:33
>
> Quick question: this is with Tomcat only and no httpd out in front, right?

Yes.

David
Re: Firefox SSL with APR - losing client certificate
David,

On 8/7/15 11:37 AM, David Balažic wrote:
> I use tomcat 6.0.44 with APR on Windows x64. I set up
> SSLVerifyClient="optional" and since then encounter the following
> problem with Firefox 39.0.03 (IE works OK):
>
> On first access Firefox shows the client certificate selection
> dialog. I select a certificate and continue. The web application
> "sees" the selected certificate and shows a proper response page.
> But on next access (I click a link) the client certificate is not
> visible to the application any more. It gets null from the method
> call
> HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate")
>
> Google found https://bz.apache.org/bugzilla/show_bug.cgi?id=37869
> (similar) And http://grokbase.com/t/tomcat/users/102pdv412y "
> [Tomcat-users] Client certificate gone after 1 minute timeout (SSL,
> APR)" (even more similar, except for me it fails on next access
> without a minute of waiting) As suggested in the second link,
> clearing cache and authentication in the browser is a workaround
> that works. Kind of, as one has to select the certificate again and
> do it before every click on a link.
>
> Strange, just now it worked fine for a few minutes.
>
> Is this some known issue?
>
> Without APR, using JSSE, it works fine (and did so for years).
>
> This started after upgrading yesterday tomcat from 6.0.35_x64 (no
> APR) to apache-tomcat-6.0.44-windows-x64.zip (with or without
> APR). I start tomcat from Eclipse, using JRE 1.6.0_45 (each 64 bit
> version).
>
> Firefox version 39.0, today updated to 39.0.3
>
> The Connector line from server.xml:
>
>   <Connector SSLCertificateFile="C:/key_public.pem"
>       SSLCertificateKeyFile="C:/key_private.pem" SSLEnabled="true"
>       SSLPassword="changeit" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
>       SSLVerifyClient="optional" URIEncoding="UTF-8" maxThreads="150"
>       port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>       scheme="https" secure="true" />

Quick question: this is with Tomcat only and no httpd out in front, right?

-chris