https://bz.apache.org/bugzilla/show_bug.cgi?id=58244
Bug ID: 58244
Summary: two way SSL loses client certificate after a few requests
Product: Tomcat Native
Version: 1.1.33
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Library
Assignee: dev@tomcat.apache.org
Reporter: david.bala...@comtrade.com

When accessing a web application that uses client certificate authentication run on Tomcat/APR (on Windows) with Firefox or Chrome, the client cert is "lost" after a short while. To the app it appears the client certificate was not sent.

Example code (JSP fragment, can be the only content of a JSP file):

    User client cert data:
    <%= ((java.security.cert.X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"))[0].getSubjectX500Principal().toString() %>

After a few refreshes of the page (where it will show the client certificate DN) the page will fail with a NullPointerException as request.getAttribute will return null. It usually happens in less than a minute. To be more precise: when reloading about once per second, the problem occurs almost every time after 30 seconds. After that each request will fail the same way, until I restart tomcat.

This happens with Firefox (v39 and v40) and Chrome (v44), but not with IE v11. It also occurs with different versions of tomcat and Java (and OS bitness) - see below for a list.
A simple test case using latest versions is:

1. download and extract apache-tomcat-8.0.24-windows-x64.zip
2. in the webapps folder create a folder named cert, there create a file named ccertA.jsp that contains the above code snippet
3. in server.xml add a line:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               secure="true" scheme="https" maxThreads="150" URIEncoding="UTF-8"
               SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               SSLPassword="testing" SSLEnabled="true"
               SSLCertificateKeyFile="C:/your_server_key_private.pem"
               SSLCertificateFile="C:/your_server_key_public.pem"
               SSLCACertificateFile="C:/supported_client_CAs.pem" />

4. start tomcat by executing startup.bat
5. open the page https://localhost:8443/cert/ccertA.jsp and keep refreshing it every few seconds

After about 30 seconds it will show a NPE exception error page.

If I don't use APR (by deleting the tcnative-1.dll file and adapting the connector syntax for JSSE) the problem does not happen.

Tried versions, all having the issue:
- apache-tomcat-8.0.24-windows-x64 (also 32 bit version) - has APR 1.5.1 and TCN 1.1.33
- apache-tomcat-6.0.44-windows-x64
- Java 1.6.0 Updates 12 and 45
- Java 1.8 Update 51
- Windows 7 Pro SP1 64 bit
- Windows 7 Pro SP1 32 bit
- Windows 8.1 Pro 64 bit
- Windows 10 Home 64 bit
- Firefox versions 39.0, 39.0.3 and 44
- Chrome v44
- Ubuntu 14.04 LTS 64 bit / tomcat 7.0.52-1ubuntu0.3 / libapr1:amd64 1.5.0-1 / libtcnative-1:amd64 1.1.29-1

A similar issue was discussed on the tomcat-users mailing list in 2010: "Client certificate gone after 1 minute timeout (SSL, APR)" [1] but with no solution. I posted there myself recently ("Firefox SSL with APR - losing client certificate" [2] has a bit more details), but it is basically just my monologue.

Originally I tested with a server certificate issued by my private testing CA. Now I also tried with a "real" certificate issued by trusted CA. (I used my personal certificate. The browser complained about the hostname mismatch which I clicked away.)
Can upload test CA, server-cert/key and client cert/key for test if required.

[1] http://grokbase.com/t/tomcat/users/102pdv412y/client-certificate-gone-after-1-minute-timeout-ssl-apr
[2] http://www.mail-archive.com/users@tomcat.apache.org/msg118902.html
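The JSP in the report dereferences `javax.servlet.request.X509Certificate` unconditionally, so the moment the connector stops delivering the certificate the application fails with a NullPointerException instead of a controlled rejection. The following servlet filter is an added example, not code from the bug report or from Tomcat; it assumes the Servlet 3.x `javax.servlet` API shipped with Tomcat 8.0, a hypothetical class name `ClientCertGuardFilter`, and a hypothetical request attribute name `client.cert.subject` for passing the verified subject downstream. It fails closed with 403 when no certificate is present and logs the request URI, peer address and SSL session id so that a connector that silently stops supplying the certificate shows up in the logs rather than as an NPE stack trace.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not part of the bug report or Tomcat):
 * checks whether the container actually supplied a client certificate chain
 * and rejects the request with 403 when it did not, instead of letting a
 * downstream JSP dereference a null attribute.
 */
public class ClientCertGuardFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(ClientCertGuardFilter.class.getName());

    // Standard servlet attribute names; the first one is the attribute used by the JSP above.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String SESSION_ID_ATTR = "javax.servlet.request.ssl_session_id";

    // Hypothetical attribute name used to pass the verified subject DN downstream.
    static final String SUBJECT_ATTR = "client.cert.subject";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certChain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String subject = leafSubject(certChain);

        if (subject == null) {
            // No certificate from the connector. On SSLVerifyClient="optional" this is normal
            // for anonymous clients; if it starts happening for a client that presented a
            // certificate moments earlier, this log line is the symptom to look for.
            LOG.warning("no client certificate for " + request.getRequestURI()
                    + " from " + request.getRemoteAddr()
                    + " secure=" + request.isSecure()
                    + " sslSession=" + request.getAttribute(SESSION_ID_ATTR));
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // Hand downstream code the verified subject rather than the raw chain.
        request.setAttribute(SUBJECT_ATTR, subject);
        chain.doFilter(req, res);
    }

    /** Returns the subject DN of the leaf certificate, or null if no usable chain was supplied. */
    static String leafSubject(X509Certificate[] chain) {
        if (chain == null || chain.length == 0 || chain[0] == null) {
            return null;
        }
        return chain[0].getSubjectX500Principal().getName();
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml to the protected paths (for the test case above, `/cert/*`) and read `client.cert.subject` in the JSP instead of the raw array. With `SSLVerifyClient="optional"` a 403 for a browser that never sent a certificate is expected behaviour; a 403 for a browser that was authenticated a few refreshes earlier, with the same SSL session id in the log, is the condition described in this report.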