Hi, people. We have Tomcat with two-factor authentication when access to /some/page is requested.

Auth is configured with JDBCRealm and an Oracle database:

    <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="oracle.jdbc.driver.OracleDriver" ...

SSL connector:

    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true" clientAuth="want"
               sslProtocol="TLS" keystoreFile="/home/keystore.jks" keyAlias="keystore"
               keystorePass="password" truststoreFile="/home/trustcacerts.jks"
               truststorePass="password" />

Auth is required via web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>*</web-resource-name>
            <url-pattern>/some/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>cert</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
        <role-name>cert</role-name>
    </security-role>

The client's cert was created with keytool:

    $ keytool -genkey -alias somealias -keystore somekey.p12 -storetype PKCS12
    $ keytool -export -alias somealias -file somefile.cer -keystore somekey.p12 -storetype PKCS12

somefile.cer is imported into Tomcat's trustcacerts.jks, and somekey.p12 into the clients' browsers.

The user is present in trustcacerts.jks like:

    somealias, 30-Jan-2014, trustedCertEntry,
    Certificate fingerprint (MD5): 60:A1:CE:35:2D:5E:01:22:65:A7:26:19:9E:D6:F3:74

and present in the Oracle database like:

    USER_NAME: CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev, C=UA
    ROLE_NAME: cert

(not exactly the same, but about it).

Tomcat 5.5.23, running on SuSE 10. Users are on Windows 7, Firefox 26.0 and Chrome 32.0.1700.76 m.

So, we have two issues.

1) Some (!) of the users, when connecting with Chrome, get the error:

    Error code: ERR_SSL_PROTOCOL_ERROR

In Catalina's log:

    WARNING: Exception getting SSL attributes
    javax.net.ssl.SSLHandshakeException: renegotiation is not allowed

Attempts to add allowUnsafeLegacyRenegotiation="true" and allowLegacyHelloMessages="true" don't give results (they were added to the Connector or as -D options in CATALINA_OPTS). What else can be done? All the googled tips talk only about these two parameters.

2) Using Firefox, some machines get error 403, others get normal auth. It looks like this (from Tomcat's auth log):

    10.***.**.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine, C=UA [30/Jan/2014:16:50:29 +0000] "GET /some/page HTTP/1.1" 403 1108   // auth failed
    10.***.***.132 - CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA [30/Jan/2014:16:17:29 +0000] "GET /some/page HTTP/1.1" 200 81   // normal result

I can only think that maybe there is some difference in the browsers' configs... But which exactly? Or something else? Unfortunately we don't have access to tcpdump or ssldump now, so I can't check the details.

Thanks for any tips/links.
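Added diagnostic for the 403 case (this is not code from the original post). With CLIENT-CERT auth, Tomcat hands the certificate's subject DN string to the realm as the username, so a JDBCRealm lookup only succeeds when that string matches USER_NAME exactly; the script below parses access-log lines in the shape quoted above and reports, RDN by RDN, where a 403'd DN differs from the nearest user-table entry. The log lines, the user table and the OU/IP values are constructed placeholders (the post masks them).

```python
import re

# Constructed sample: two access-log lines in the shape quoted in the post
# (addresses and OU values are placeholders, the post masks them).
ACCESS_LOG = """\
10.0.0.132 - CN=someuser, OU=dept, O=company, L=Kiev, ST=Ukraine, C=UA [30/Jan/2014:16:50:29 +0000] "GET /some/page HTTP/1.1" 403 1108
10.0.0.132 - CN=someanotheruser, OU=dept, O=company, L=Kiev, ST=Unknown, C=UA [30/Jan/2014:16:17:29 +0000] "GET /some/page HTTP/1.1" 200 81
"""

# Constructed stand-in for the realm's user table (USER_NAME -> ROLE_NAME).
USER_TABLE = {
    "CN=someuser, OU=dept, O=company, L=Kiev, ST=Kiev, C=UA": "cert",
    "CN=someanotheruser, OU=dept, O=company, L=Kiev, ST=Unknown, C=UA": "cert",
}

# host - <subject DN> [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) - (.+?) \[[^\]]+\] "[^"]*" (\d{3}) \S+$')


def parse_dn(dn):
    """Split a DN as Tomcat prints it ("CN=a, OU=b, ...") into (attr, value) pairs."""
    return [tuple(part.split("=", 1)) for part in dn.split(", ")]


def diff_dn(logged, stored):
    """Return (attribute, logged_value, stored_value) for every RDN that differs."""
    a, b = dict(parse_dn(logged)), dict(parse_dn(stored))
    return [(k, a.get(k, "<missing>"), b.get(k, "<missing>"))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


def parse_log(text):
    """Extract (subject DN, HTTP status) from each access-log line that matches."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((m.group(2), int(m.group(3))))
    return out


def explain_403(log_text, users):
    """For each 403 whose DN is not in the user table, diff it against the entry with the same CN."""
    report = {}
    for dn, status in parse_log(log_text):
        if status != 403 or dn in users:
            continue  # an exact match would not have failed the realm lookup
        cn = dict(parse_dn(dn)).get("CN")
        candidates = [u for u in users if dict(parse_dn(u)).get("CN") == cn]
        report[dn] = diff_dn(dn, candidates[0]) if candidates else [("CN", cn, "<no user with this CN>")]
    return report
```

Running explain_403(ACCESS_LOG, USER_TABLE) on the constructed data flags the first line with a single ST mismatch (Ukraine in the certificate, Kiev in the table), which is the kind of one-attribute difference a keytool -genkey prompt answered differently on each client would produce.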