Hi.

Faced with very odd behavior of Tomcat 7...

I have two instances on the same box: Tomcat 5.5 and Tomcat 7.

Both have the same configuration. First, from 5.5:

    <Connector port="${port.https}" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="conf/.ssl/tomcat.jks"
               keyAlias="tomcat"
               keystorePass="pass"
               truststoreFile="conf/.ssl/trustcacerts.jks"
               truststorePass="pass" />

Next, from 7.0:

    <Connector
      port="${port.https}"
      protocol="HTTP/1.1"
      SSLEnabled="true"
      enableLookups="false"
      disableUploadTimeout="true"
      scheme="https"
      secure="true"
      clientAuth="want"
      sslProtocol="TLS"
      keystoreFile="conf/.ssl/tomcat.jks"
      keyAlias="tomcat"
      keystorePass="pass"
      truststoreFile="conf/.ssl/trustcacerts.jks"
      truststorePass="pass"
    />

Also, both are configured for CLIENT-CERT authentication (same application
with the same web.xml).

The cert is installed in the browser, but when I try to open a connection to
Tomcat 7 I get 401 - Cannot authenticate with the provided credentials, and
there is no authentication attempt in the log:

    10.***.***.15 - - [02/Jun/2014:17:10:31 +0300] "GET /service/ HTTP/1.1" 401 1049

But the connection to 5.5 is successful with the same browser and certificate.

Also, in ssldump I see that the browser can't complete the "handshake" with the 7.0 server:

    1 2  0.0317 (0.0308)  S>C  Handshake
          ServerHello
            Version 3.1
            session_id[32]=
              53 8c 85 d7 cf 17 a1 45 8a 4e 64 e6 95 7f 2b f3
              cb 74 0a f3 13 40 71 e8 74 50 53 1a 00 24 a0 76
            cipherSuite         TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            compressionMethod                   NULL
          Certificate
          ServerKeyExchange
          CertificateRequest
            certificate_types                   rsa_sign
            certificate_types                   dss_sign
            certificate_authority
              30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31
              10 30 0e 06 03 55 04 08 13 07 55 6e 6b 6e 6f 77
              6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76
              31 0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66
              74 31 0c 30 0a 06 03 55 04 0b 13 03 4c 4d 53 31
              13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68
              65 6e 6b 6f
            certificate_authority
              30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31

... and that's all.

But on 5.5 everything is OK:

    1 2  0.0213 (0.0195)  S>C  Handshake
          ServerHello
            Version 3.1
            session_id[32]=
              53 8c 85 89 be 1f c5 63 e2 16 a0 a0 dc 5b aa 68
              0d 1c 8d b7 24 c5 13 0a 24 0a 66 9b 54 f4 b0 0f
            cipherSuite         TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            compressionMethod                   NULL
          Certificate
          ServerKeyExchange
          ServerHelloDone
    1 3  0.0256 (0.0042)  C>S  Handshake
          ClientKeyExchange
            DiffieHellmanClientPublicValue[96]=
              4a 39 5e f5 2a c1 58 13 6b 7c 98 0b 44 d7 9a 42
              bf 48 c2 6e a4 c6 6d 50 a7 89 8f 53 a4 54 92 a5
              81 18 1b 22 63 cf c1 63 8f 36 9f d2 59 c3 3e 67
              1f 4e 18 01 db f2 9d 07 0b 81 12 39 64 62 83 84
              78 dc 36 9b 00 34 f5 34 44 2d 92 eb d9 f6 b0 7e
              c4 66 d9 ad f2 bf 7f fb 07 56 eb 58 5d 58 41 2e

What am I doing wrong?

Thanks.
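The `certificate_authority` entries in the Tomcat 7 CertificateRequest above are DER-encoded X.501 Names, and decoding them shows which issuer DNs that connector actually offers to the browser; if the browser certificate's issuer is not among them, the browser sends no certificate and the CLIENT-CERT lookup fails with a 401. The following is an added example, not code from the mail or from Tomcat: a minimal DER Name decoder run over the first `certificate_authority` hex block from the ssldump output (the OID-to-attribute table is limited to the attribute types that block contains).

```python
# Added example: decode the DER X.501 Name that ssldump prints as hex under
# "certificate_authority", so it can be compared with the client cert's issuer DN.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]; fails on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value (capture cut off?)")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode an OBJECT IDENTIFIER value (e.g. 55 04 03) to dotted form '2.5.4.3'."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """X.501 Name = SEQUENCE OF (SET OF AttributeTypeAndValue) -> 'C=UA, ST=..., CN=...'."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must start with a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)   # one SET per RDN
        _, atv, _ = read_tlv(rdn, 0)        # SEQUENCE { type, value }; single-valued RDN assumed
        _, oid_raw, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        oid = decode_oid(oid_raw)
        parts.append(f"{OID_NAMES.get(oid, oid)}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)

# First certificate_authority entry from the Tomcat 7 ssldump in the mail above.
CA_DN_HEX = ("30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31 10 30 0e 06 03 55 04 08 13"
             " 07 55 6e 6b 6e 6f 77 6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76 31 0f"
             " 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66 74 31 0c 30 0a 06 03 55 04 0b 13"
             " 03 4c 4d 53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68 65 6e 6b 6f")

if __name__ == "__main__":
    print(decode_name(bytes.fromhex(CA_DN_HEX)))
```

The second `certificate_authority` block in the dump is cut off after 16 bytes, so the decoder raises on it rather than guessing; rerunning ssldump without truncation would show the remaining issuer DNs.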
