-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Racine,
On 6/21/17 3:53 PM, Racine Faye wrote: > Thanks for the reply Christopher. The way tomcat has always worked > in the past(Before 8.5.15) , is that your trust store is what > tomcat uses to decide what certificates the browser should show to > the user because it only shows them certificates that are in the > certificate chain of whatever you import into your trust store. So > if you import a root certificate it will show everything that has > that root certificate in its chain but if you import in an > intermediate it will only show the certificates that the > intermediate accepts. I understand all that. But what is important is that the client (browser) determines which certificates are acceptable based upon what the server provides. > So the way it works for DoD is that on each CAC there are 2 client > authentication certificates one Email Cert and one ID cert. They > contain different information mainly the email address is only > contained in the Email cert. When users are prompted to select a > certificate they are only supposed to be given the selection of > what certificates are in the trust store because it knows that > anything not in that trust store won't be accepted anyways. Right. > When you set the clientAuth to true in the connector that is what > makes it so Tomcat then asks for a certificate from the user for > validation. Correct. > I have used both IE and Chrome and I get the same results in both. > I am pretty sure it is not a browser issue though because I have > both Tomcat 8.5.15 and 8.5.14 running on the same server using the > same trust store and 8.5.14 asks for only Certificates that are in > the Chain of the Intermediates that I imported in and 8.5.15 asks > for all of the certificates. Okay, that's good that you have eliminated some variables. I'm still interested in what the differences are... there shouldn't be much change between the two versions. > Unfortunately I am not able to run openssl as I am on a goverment > network and the software we can use is restricted. Can you connect from another host where your software is less restricted? What software CAN you run? You can write a Java-based program that will connect to the server, and run it in debug mode so the JVM is dumping tons of stuff to the console. Are you allowed to compile and run some Java code? > https://stackoverflow.com/questions/1666052/java-https-client-certific ate-authentication > > The previous link has a pretty good explanation of the way Tomcat > has always worked in the past in the comments and explains about > the behavior I am expecting. I thoroughly understand what you are expecting. What you are experiencing is .. unexpected. Can you share your <Connector> configuration from both versions of Tomcat? Remember to remove any secrets that may be in that configuration . Which connector are you actually using? You say "trust store" so I would normally expect that you are using a Java-based connector with JSSE. But since Tomcat 8.5.x you can use OpenSSL with Java-base connectors, and the crypto is handled by a different subsystem (OpenSSL instead of JSSE). Also, are you running on Windows or some Unix-like system? In either case, do you have libtcnative or tcnative.dll active? If so, what version? - -chris > On Wed, Jun 21, 2017 at 1:16 PM, Christopher Schultz > <ch...@christopherschultz.net> wrote: Racine, > > On 6/21/17 12:38 PM, Racine Faye wrote: >>>> I have noticed that in Tomcat 8.5.15 on the Windows Server >>>> 2008 Operating System that the way that tomcat presents user >>>> certificates has changed. I have a trust store that I use on >>>> the tomcat 8.5.14 version that has only DoD intermediate >>>> Email certificates which makes it so when users go to the >>>> site they are prompted for only their email cert. >>>> >>>> When upgrading to 8.5.15 I used the same trust store and it >>>> now prompts for all certificates on the computer. > > What prompts for all certificates on the computer? > >>>> I am not sure if that is intended behavior or an oversight >>>> but it is kind of confusing to users to be presented >>>> certificates that they can't use. > I don't believe Tomcat is presenting any certificates to the user, > is it? It's the browser that is showing the certificate selection > to the user. What browser are you using? > >>>> Another reason for having them only select the email cert is >>>> that only the email certificate contains the information that >>>> we need to get their user ID. > This is informative, but not really relevant. Theoretically, the > user can provide any certificate that has been signed by a > certificate in the trust store. So if the user decides to provide a > signed certificate that does *not* have the email address in it, > then your application needs to be the one signalling an error. > >>>> I want to see if anyone else is having this issue or if >>>> anyone has noticed that when specifying a trust store in >>>> Tomcat 8.5.15 that it will present the user with all the >>>> certificates they have rather than only the ones that the >>>> trust store will accept. > >>>> To rule out an issue with my server xml I have installed >>>> both 8.5.15 and 8.5.14 on the server and used the exact same >>>> server.xml file and I see that the 8.5.14 version will ask >>>> the user for only 1 cert and that the 8.5.15 version will ask >>>> the user for all certs. If anyone has a fix for this or might >>>> know what is going on or if there is an extra configuration >>>> needed that would be helpful. > > Are you using the same web browser with both Tomcat versions? What > browser(s) are you using? Versions? What OS? > > Are you able to run openssl s_client against your Tomcat server? > That can tell you what the server is providing as part of the TLS > handshake... you may be able to tell the difference between what > certs are being sent back with the handshake. > > -chris >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAllMU34ACgkQHPApP6U8 pFgogw/+PGKI8A3T3ppULrQ4pn/kP5XFEPey/TBgihB5GgYiTSlAHydlWLoQD46Y apE0GQ4QxQUfLJ8zIRtIg5wnIdizGeVK9ftsmESHHaRQrip+A6kZz1690abZPdMs mO+S0taJFP2hW+Z2GQb0Deqktl11tsEgtFa00ue5RkCAiz7PyCJh+E9mpUu5t6Xp HfVtfqw1Rjy7Yg2MYMmYNNAcriavn2rDClCIXyiEiwOsSg+E21KJHeE/lF97rhA/ tUAB0LcGWP+Uji1xwUYvgQ8q9fHXFUvQTP8OJlbKKFSo9nTDB0qdChqfzWVJ96u9 KO3DAsbT/JQdxYMvrtWFO/VVexFzL3+9Wq9QKQ7e08ZQ7wHFmRQPEdIzgauQ+Z3H xsQN1tOPQ9o5DVXEQgQ2JMJEQHEf+Rb8EOcrbu0gjNBg131b2j+/0JHghW1ybSh0 wyTwu9Rmb89NyqGBdDX1YFrY6iB7XlxgydF2FXGW4yWxH3Y27oIBgS80t0WcB6Fk JVT84EUmZBZ0TCJRzxNIjh1hZC3wOLLQL+Eomp4p4uFd8IibXNorpNFlYP6nuBKi 9SSoaLDT3t18oKwBiQZyA/SBn/tBcIncgri0+cB6Bi46ODMhOGuPEVbo2hT50DpR 76zmlpOnN0rmSx304HY9/KgVXfyvOD4ik/UkZmtWKg6padVITEo= =PM0Q -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
