https://bz.apache.org/bugzilla/show_bug.cgi?id=65848
Bug ID: 65848
Summary: 3a4c7bf2513a6f3e52d9608f3855d5f8148fef48 introduces regression with cert-based authentication
Product: Tomcat 8
Version: 8.5.75
Hardware: All
OS: All
Status: NEW
Severity: regression
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: micha...@apache.org
Target Milestone: ---

Pure Tomcat upgrade from 8.5.73 to .75 rejects all client certificates with the following configuration:

> <Connector port="18444" connectionTimeout="20000"
>            keepAliveTimeout="7200000"
>            maxHttpHeaderSize="24576" maxThreads="250"
>            SSLEnabled="true" scheme="https" secure="true"
>            defaultSSLHostConfigName="deblndw028v.ad001.siemens.net">
>   <SSLHostConfig hostName="deblndw028v.ad001.siemens.net"
>                  protocols="TLSv1.2+TLSv1.3"
>                  honorCipherOrder="true" disableSessionTickets="true"
>                  certificateVerification="optional"
>                  certificateVerificationDepth="5"
>                  ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
>     <Certificate
>         certificateFile="/opt/openssl/deblndw028v.ad001.siemens.net/cert.crt"
>         certificateKeyFile="/opt/openssl/deblndw028v.ad001.siemens.net/key.crt"
>         certificateKeyPassword="..." type="RSA" />
>     <OpenSSLConf>
>       <OpenSSLConfCmd name="VerifyCAPath"
>                       value="/opt/openssl/certs" />
>       <OpenSSLConfCmd name="RequestCAFile"
>                       value="/opt/openssl/siemens-medium+strong-clientcert-cacerts.crt" />
>       <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
>     </OpenSSLConf>
>   </SSLHostConfig>
> </Connector>

I am using the conf command for consistency reasons because our OpenSSL wrapper does not offer SSLCADNRequestFile/SSLCADNRequestPath and I did not want to mix config styles.

Now 3a4c7bf2513a6f3e52d9608f3855d5f8148fef48 does:

> + if (sslHostConfig.getCaCertificateFile() == null &&
> sslHostConfig.getCaCertificatePath(
> ) == null) {
> + // No CA certificates configured. Reject all client
> certificates.
> + SSLContext.setCertVerifyCallback(ctx, new
> CertificateVerifier() {
> + @Override
> + public boolean verify(long ssl, byte[][] chain,
> String auth) {
> + return false;
> + }
> + });

This is too shortsighted since it does not take the conf command into account.

Another issue is that this is inconsistent. I have set up the same case with HTTPd and mod_ssl and both Schannel and NSS give me the following:

* Schannel: curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - Die Zertifikatkette wurde von einer nicht vertrauenswürdigen Zertifizierungsstelle ausgestellt.
* NSS: SSL_ERROR_UNKNOWN_CA_ALERT

I haven't yet checked mod_ssl code for this.

Error log:

> 66233 [Wed Jan 26 14:28:43.071310 2022] [ssl:error] [pid 61976] [client 139.21.146.172:33249] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
> 66234 [Wed Jan 26 14:28:43.071442 2022] [ssl:warn] [pid 61976] [client 139.21.146.172:33249] AH02227: Failed to set r->user to 'SSL_CLIENT_SAN_OTHER_msUPN_0'
> 66235 [Wed Jan 26 14:28:43.071487 2022] [core:error] [pid 61976] [client 139.21.146.172:33249] AH00027: No authentication done but request not allowed without authentication for /~osipovmi/tls-auth/index.php. Au
> 66240 [Wed Jan 26 14:30:45.391914 2022] [ssl:error] [pid 62030] [client 139.21.146.172:42111] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
> 66241 [Wed Jan 26 14:30:45.392025 2022] [ssl:error] [pid 62030] [client 139.21.146.172:42111] AH02261: Re-negotiation handshake failed

With the new, broken setup I get:

* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* NSS: SSL_ERROR_UNKNOWN_CA_ALERT

I need to check Wireshark packets and compare.
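Review bot: the guard in the quoted hunk decides "no CA certificates configured" from sslHostConfig.getCaCertificateFile() and getCaCertificatePath() alone, so an SSLHostConfig whose trust material arrives through OpenSSLConf (the VerifyCAPath and RequestCAFile commands in the configuration above) is classified as having no CA and gets the CertificateVerifier that returns false for every chain, which is the regression described in this report. The condition should also account for CA material supplied via OpenSSLConfCmd (or the unconditional reject-all callback should not be installed when an OpenSSLConf block is present), and installing a verifier that refuses every client certificate deserves at least a warning-level log entry so an operator can tell why all client certificates are suddenly rejected instead of seeing only the handshake failure on the client side.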
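As an added pre-upgrade check (not code from the bug report or from Tomcat), the following Python script scans a server.xml for the situation described above: an SSLHostConfig that requests client certificates but supplies its CA trust only through OpenSSLConfCmd, which is exactly the case the quoted guard does not consider. The embedded server.xml fragment is constructed to mirror the reported configuration and its paths are placeholders; VerifyCAFile and RequestCAPath are assumed as the OpenSSL SSL_CONF counterparts of the two commands shown on the page.

```python
"""Flag SSLHostConfig blocks that Tomcat 8.5.75's reject-all client-cert guard would hit."""
import xml.etree.ElementTree as ET

# OpenSSL SSL_CONF commands that supply CA trust material. VerifyCAPath and
# RequestCAFile appear in the reported configuration; the other two are assumed
# to be their OpenSSL file/path counterparts.
CA_CONF_CMDS = {"VerifyCAPath", "VerifyCAFile", "RequestCAFile", "RequestCAPath"}

# Constructed server.xml fragment modelled on the bug report; paths are placeholders.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector port="18444" SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName="example.test">
  <SSLHostConfig hostName="example.test" certificateVerification="optional"
                 certificateVerificationDepth="5">
    <Certificate certificateFile="/placeholder/cert.crt"
                 certificateKeyFile="/placeholder/key.crt" type="RSA"/>
    <OpenSSLConf>
      <OpenSSLConfCmd name="VerifyCAPath" value="/placeholder/certs"/>
      <OpenSSLConfCmd name="RequestCAFile" value="/placeholder/client-cas.crt"/>
      <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true"/>
    </OpenSSLConf>
  </SSLHostConfig>
  <SSLHostConfig hostName="other.test" certificateVerification="required"
                 caCertificateFile="/placeholder/cas.pem"/>
</Connector></Service></Server>"""


def find_affected_hosts(server_xml: str) -> list[dict]:
    """One record per SSLHostConfig whose only CA trust source is OpenSSLConf."""
    affected = []
    for connector in ET.fromstring(server_xml).iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        for host in connector.findall("SSLHostConfig"):
            verification = host.get("certificateVerification", "none").lower()
            if verification in ("none", "false"):
                continue  # client certificates are never requested here
            # The 8.5.75 guard consults only these two attributes ...
            has_ca_attr = bool(host.get("caCertificateFile") or host.get("caCertificatePath"))
            # ... and ignores CA material configured through OpenSSLConfCmd.
            ca_via_conf = sorted({c.get("name") for c in host.iter("OpenSSLConfCmd")} & CA_CONF_CMDS)
            if not has_ca_attr and ca_via_conf:
                affected.append({"port": connector.get("port"),
                                 "hostName": host.get("hostName"),
                                 "certificateVerification": verification,
                                 "caConfCmds": ca_via_conf})
    return affected
```

Run it against a real server.xml by passing the file contents to find_affected_hosts(); every record it returns is a host that 8.5.75 with this guard would answer with a rejected client certificate.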