All,
I'm looking to issue guidance on Tomcat and verification of client
certificates. I'm curious if Tomcat is performing the following validation
actions when a client cert is received. I took a look through the code and
didn't find my answer.
<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"/>
Here's what I hope is happening for client certificate verification:
1. Verify validity of client cert and each cert in client cert chain (this
appears to be happening in RealmBase.java, authenticate)
2. Verify certs in cert chain are actually authorized to issue certificates (i.e.
Subject type = CA). I didn't see this in the code.
3. Verify that none of the certs are on a certificate revocation list. Perhaps
this is a configuration item.
I'm wondering if someone could point me in the right direction. Specifically,
is step 2 taking place somewhere in code that I don't see? Also, if step 3 is a
configuration issue, I will post that question on the appropriate list.
Thanks,
Michael Coates
Senior Application Security Engineer
[email protected]
(301) 604-4882 (work)
(630) 207-2567 (cell)
Aspect Security
http://www.aspectsecurity.com
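Added example (not part of the message above and not Tomcat's own code): the JDK's PKIX CertPathValidator, which a JSSE X509TrustManager delegates to, covers all three steps listed in the message: validity and signature of every certificate in the chain, basicConstraints CA=true (and keyCertSign, where a key usage extension is present) on every issuing certificate, and revocation status against the supplied CRLs when revocation checking is enabled. The class name ClientChainCheck, the command-line arguments, and the file names in the usage comment are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Runs the JDK PKIX path validator over a client certificate chain. */
public class ClientChainCheck {

    public static PKIXCertPathValidatorResult validate(
            List<X509Certificate> chain, KeyStore trustStore,
            Collection<X509CRL> crls) throws Exception {
        // Trust anchors are supplied via PKIXParameters; keep them out of the path itself.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (trustStore.getCertificateAlias(c) == null) path.add(c);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);   // fail closed when status cannot be determined
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        // Throws CertPathValidatorException naming the failing certificate and reason.
        return (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    // Usage (assumed file names): java ClientChainCheck truststore.jks <password> client-chain.pem issuer.crl
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        List<X509CRL> crls = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[3])) {
            for (CRL c : cf.generateCRLs(in)) crls.add((X509CRL) c);
        }
        try {
            PKIXCertPathValidatorResult r = validate(chain, ts, crls);
            System.out.println("OK, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("REJECTED: " + e.getMessage() + " (cert index " + e.getIndex() + ")");
        }
    }
}
```

With revocation enabled, a certificate for which no CRL is available is rejected rather than silently accepted, so CRLs must be kept current; later Tomcat releases expose the same CRL check through the connector's crlFile attribute.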