https://bz.apache.org/bugzilla/show_bug.cgi?id=66009
Bug ID: 66009
Summary: M-TLS Fails, no user is found because "OID.2.5.4.5" is
used as field name instead of "SERIALNUMBER", in
Subject
Product: Tomcat 9
Version: 9.0.62
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
We upgraded from Tomcat 9.0.60 to 9.0.62 and the Mutual-TLS failed.
Logging from Tomcat 9.0.60 (M-TLS Works)
01 org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request POST /speer/soap/services/somefunctionality
02 org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[MijnvfRealm]' against POST
/services/somefunctionality --> true
03 org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[MijnvfRealm]' against POST
/services/somefunctionality --> true
04 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
05 org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint already satisfied
06 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
07 org.apache.catalina.realm.CombinedRealm.authenticate Attempting to
authenticate user [CN=cn, O=o, L=l, ST=st, C=c,
SERIALNUMBER=00000001804415183000] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
08 org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
09 org.apache.catalina.realm.RealmBase.authenticate Checking validity for
'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000'
10 org.apache.catalina.realm.RealmBase.authenticate Checking validity for
'CN=cnCA, O=o, C=c'
11 org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509
certificate: [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000]
12 org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user
[CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
13 org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated
'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000' with type
'CLIENT_CERT'
14 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
accessControl()
15 org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles
GenericPrincipal[CN=cn, O=o, L=l, ST=st, C=c,
SERIALNUMBER=00000001804415183000()]
16 org.apache.catalina.realm.RealmBase.hasRole Username [CN=cn, O=o, L=l,
ST=st, C=c, SERIALNUMBER=00000001804415183000] has role [correctUser]
17 org.apache.catalina.realm.RealmBase.hasResourcePermission Role found:
correctUser
18 org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully
passed all security constraints
Logging from Tomcat 9.0.62 (M-TLS fails, no/wrong user found)
01 org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request POST /speer/soap/services/somefunctionality
02 org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[MijnvfRealm]' against POST
/services/somefunctionality --> true
03 org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[MijnvfRealm]' against POST
/services/somefunctionality --> true
04 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
05 org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint already satisfied
06 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
07 org.apache.catalina.realm.CombinedRealm.authenticate Attempting to
authenticate user [CN=cn, O=o, L=l, ST=st, C=c,
SERIALNUMBER=00000001804415183000] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
08 org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
09 org.apache.catalina.realm.RealmBase.authenticate Checking validity for
'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000'
10 org.apache.catalina.realm.RealmBase.authenticate Checking validity for
'CN=cnCA, O=o, C=c'
11 org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509
certificate: [CN=cn, O=o, L=l, ST=st, C=c, OID.2.5.4.5=00000001804415183000]
12 org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate
user [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] with
realm [org.apache.catalina.realm.UserDatabaseRealm]
13 org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
If you look at line 11 in both logs, you can see that "OID.2.5.4.5" is used
in Tomcat 9.0.62 and "SERIALNUMBER" in Tomcat 9.0.60, while in all other
instances "SERIALNUMBER" is used.
Because of this the correct user cannot be found.
Possible workaround: add the "OID.2.5.4.5" version also to the
"tomcat-users.xml" file (not tested yet, but I expect it to work).
We are running Tomcat in Docker and are using the "tomcat:9-jdk11" container as
base image.
When we reverted to the container using Tomcat 9.0.60 it worked again.
A possible suspect is release 9.0.61 and the change in Coyote:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
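The following is an added example, not Tomcat's code and not part of the report, showing why the same certificate subject can be rendered as "SERIALNUMBER=..." in one place and "OID.2.5.4.5=..." in another, and why a principal lookup keyed on the rendered string is fragile. It uses only javax.security.auth.x500.X500Principal from the JDK; the users map, the lookup helpers (stringLookup, principalLookup) and the class name are constructed for illustration and stand in for a tomcat-users.xml style configuration.

```java
import javax.security.auth.x500.X500Principal;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Tomcat's own code). The serialNumber attribute (OID 2.5.4.5)
 * has no keyword in RFC 2253, so the JDK renders it differently depending on the
 * format requested, which is enough to break a lookup that compares DN strings.
 */
public class DnRenderingDemo {

    // Subject DN exactly as the Tomcat 9.0.60 log above rendered it.
    static final String SUBJECT_DN =
        "CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000";

    // Same subject as the Tomcat 9.0.62 log rendered it (RFC 1779 style "OID." prefix).
    static final String SUBJECT_DN_962 =
        "CN=cn, O=o, L=l, ST=st, C=c, OID.2.5.4.5=00000001804415183000";

    /** Render one DN in each of the string formats X500Principal supports. */
    static Map<String, String> renderings(String dn) {
        X500Principal p = new X500Principal(dn);
        Map<String, String> out = new LinkedHashMap<>();
        // RFC 2253 has no keyword for serialNumber: emitted as "2.5.4.5=#<hex DER value>"
        out.put("RFC2253", p.getName(X500Principal.RFC2253));
        // RFC 1779 style: emitted as "OID.2.5.4.5=00000001804415183000", as in the 9.0.62 log
        out.put("RFC1779", p.getName(X500Principal.RFC1779));
        // Canonical form (lower-cased, normalized); this is what equals() compares
        out.put("CANONICAL", p.getName(X500Principal.CANONICAL));
        return out;
    }

    /** Hypothetical lookup keyed on the DN string as configured: breaks when the rendering changes. */
    static boolean stringLookup(Map<String, String> users, String certName) {
        return users.containsKey(certName);
    }

    /** Hypothetical lookup comparing parsed principals: independent of the rendering. */
    static boolean principalLookup(Map<String, String> users, String certName) {
        X500Principal fromCert = new X500Principal(certName);
        for (String configured : users.keySet()) {
            if (new X500Principal(configured).equals(fromCert)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        renderings(SUBJECT_DN).forEach((fmt, s) -> System.out.println(fmt + ": " + s));

        // Constructed stand-in for tomcat-users.xml: one user keyed by the 9.0.60 rendering.
        Map<String, String> users = Map.of(SUBJECT_DN, "correctUser");

        // The 9.0.62 rendering no longer matches the configured string, but it is the same DN.
        System.out.println("string lookup   : " + stringLookup(users, SUBJECT_DN_962));
        System.out.println("principal lookup: " + principalLookup(users, SUBJECT_DN_962));
    }
}
```

Run it with `java DnRenderingDemo.java` on JDK 11 or later. The string lookup fails for the 9.0.62 rendering while the principal comparison succeeds, which is the same effect the workaround of adding the "OID.2.5.4.5" spelling to tomcat-users.xml achieves by hand. When reviewing an upgrade that touches how the client certificate's subject is turned into a user name, the "Got user name from X509 certificate" log line is the place to diff against the configured names.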