Thanks for the reply Christopher. The way tomcat has always worked in the past(Before 8.5.15) , is that your trust store is what tomcat uses to decide what certificates the browser should show to the user because it only shows them certificates that are in the certificate chain of whatever you import into your trust store. So if you import a root certificate it will show everything that has that root certificate in its chain but if you import in an intermediate it will only show the certificates that the intermediate accepts. So the way it works for DoD is that on each CAC there are 2 client authentication certificates one Email Cert and one ID cert. They contain different information mainly the email address is only contained in the Email cert. When users are prompted to select a certificate they are only supposed to be given the selection of what certificates are in the trust store because it knows that anything not in that trust store won't be accepted anyways. When you set the clientAuth to true in the connector that is what makes it so Tomcat then asks for a certificate from the user for validation. I have used both IE and Chrome and I get the same results in both. I am pretty sure it is not a browser issue though because I have both Tomcat 8.5.15 and 8.5.14 running on the same server using the same trust store and 8.5.14 asks for only Certificates that are in the Chain of the Intermediates that I imported in and 8.5.15 asks for all of the certificates. Unfortunately I am not able to run openssl as I am on a goverment network and the software we can use is restricted. https://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication The previous link has a pretty good explanation of the way Tomcat has always worked in the past in the comments and explains about the behavior I am expecting.
On Wed, Jun 21, 2017 at 1:16 PM, Christopher Schultz <ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Racine, > > On 6/21/17 12:38 PM, Racine Faye wrote: >> I have noticed that in Tomcat 8.5.15 on the Windows Server 2008 >> Operating System that the way that tomcat presents user >> certificates has changed. I have a trust store that I use on the >> tomcat 8.5.14 version that has only DoD intermediate Email >> certificates which makes it so when users go to the site they are >> prompted for only their email cert. >> >> When upgrading to 8.5.15 I used the same trust store and it now >> prompts for all certificates on the computer. > > What prompts for all certificates on the computer? > >> I am not sure if that is intended behavior or an oversight but it >> is kind of confusing to users to be presented certificates that >> they can't use. > I don't believe Tomcat is presenting any certificates to the user, is > it? It's the browser that is showing the certificate selection to the > user. What browser are you using? > >> Another reason for having them only select the email cert is that >> only the email certificate contains the information that we need >> to get their user ID. > This is informative, but not really relevant. Theoretically, the user > can provide any certificate that has been signed by a certificate in > the trust store. So if the user decides to provide a signed > certificate that does *not* have the email address in it, then your > application needs to be the one signalling an error. > >> I want to see if anyone else is having this issue or if anyone has >> noticed that when specifying a trust store in Tomcat 8.5.15 that it >> will present the user with all the certificates they have rather >> than only the ones that the trust store will accept. > >> To rule out an issue with my server xml I have installed both >> 8.5.15 and 8.5.14 on the server and used the exact same server.xml >> file and I see that the 8.5.14 version will ask the user for only 1 >> cert and that the 8.5.15 version will ask the user for all certs. >> If anyone has a fix for this or might know what is going on or if >> there is an extra configuration needed that would be helpful. > > Are you using the same web browser with both Tomcat versions? What > browser(s) are you using? Versions? What OS? > > Are you able to run openssl s_client against your Tomcat server? That > can tell you what the server is providing as part of the TLS > handshake... you may be able to tell the difference between what certs > are being sent back with the handshake. > > - -chris > -----BEGIN PGP SIGNATURE----- > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAllKxfIACgkQHPApP6U8 > pFhKFw//S1RAkI/aB2dJ0jhRM3VuzNBXOW3cvO+LdB0cUA+B2az9VKskPrRSgAPx > Pu4uIcadJrda7PlLHEP/W5MxQRrBBPONybyIM/AUOx3t0halXRXAb+IUKPnZ0IH8 > /cS4vcI4C55mUh393hxVTcNPHh8egHvd1cJSm3nWwx+ZJwmfnjiLlssoMdgs3Lla > 3NvAqVajCrVksgygkXr23qkcfH1utNxXZnTAxRXF4PmLgFk46M3Jnu6cJVhFNO3s > Bc1zI+XYJwsX9fICE4dkmmWJ/ZblWgjG5nh4bSSq3Ons6MJg1anUcy0p7GsNUvaU > 8uPUQiz2Xz4t/qPA2kBfsZUYwm/besLDdSp+CYr9VweT6apAp0Kr6kJu79W40MfR > w4Qpo+8wEkLDjPL/VBBU9yEso4PCGkpFHFsCnfSPf/L+eltyCZkaQfaQK5OehUaa > px1suyhbYe9xbMdq1WD06CSQYTlDuc7XxuNVgr8Nd1q3nQvkLZJAB/jIkEUhZ174 > GXw+Sqzp09YPSKleQuetPvsP1iqmqsikX40Asl70UdEmEvW55KUrzD+DzY68cGjn > dcq6hEKVlLZ+0X96k3UEU8yRN7rCOexvypK0lfX2U0jgB2nZld4F5c0dwvqPy+UZ > xnwJToijUlnCDh4t0+6WEggVizYEEuXZf04aI00WZeC96WfgJG8= > =4E5V > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
