[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)

Fri, 25 Mar 2022 14:16:03 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=65975

--- Comment #11 from Martin Stangl <martin.sta...@t-base.pro> ---
I tested with 2 other client certificates. Same result.



Let's encrypt certificate with OSCP. (For some strange reasons javax.net.ssl
decided to print certificate details in this case)

25-Mar-2022 20:17:39.052 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
javax.net.ssl|DEBUG|A1|https-openssl-apr-443-exec-6|2022-03-25 20:17:39.071
CET|X509TrustManagerImpl.java:247|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "008210CFB0D240E3594463E0BB63828B00",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
    "not before"         : "2015-06-04 13:04:38.000 CEST",
    "not  after"         : "2035-06-04 13:04:38.000 CEST",
    "subject"            : "CN=ISRG Root X1, O=Internet Security Research
Group, C=US",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen: no limit
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58 
y.Y......s.....X
        0010: F6 E9 9B 6E                                        ...n
        ]
        ]
      }
    ]}
)
25-Mar-2022 20:18:39.083 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [CN=dev.intranet.t-base.pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]



Self signed certificate:

25-Mar-2022 20:25:56.643 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
25-Mar-2022 20:26:56.666 FINE [https-openssl-apr-443-exec-6]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [CN=Self-Signed, O=T-base OG, ST=Some-State, C=AT] with realm
[org.apache.catalina.realm.UserDatabaseRealm]



The "server" is a Windows 10 notebook, so unfortunately very noisy. But I can
confirm that no related calls to the internet where done when using the
certificate issued by the Active Directory Certificate Service.

I will try to do some more snooping, but it will take 2 to 3 days until I get
to it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to