[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975

--- Comment #7 from Martin Stangl ---

Hi Mark,

Just FYI: according to my tests, TLS 1.3 with OpenSSL also does not work. So it is not limited to JSSE.

You mentioned outputting a warning when CLIENT-CERT is used with an unsupported protocol. Would it be possible to throw an error if PHA is attempted in an unsupported configuration (TLS 1.3, HTTP/2)? This might not be as good at avoiding the problem in the first place, but it is much better for figuring out what the problem is, if it occurs.

kr
Martin

PS: Mark, how does the bug process work? Should I set the bug to resolved, as I have a solution, or will you do it once you are done with it?

-- 
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
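The check Martin asks for above, as an added example that is not part of the bug report and not Tomcat's own code: a small offline audit of a server.xml that flags TLS connectors on which CLIENT-CERT would have to obtain the client certificate after the initial handshake (TLS 1.2 renegotiation or TLS 1.3 post-handshake authentication) while TLS 1.3 and/or HTTP/2 are enabled. The sample server.xml, its port numbers and keystore paths are constructed; the attribute names (`SSLEnabled`, `certificateVerification`, `protocols`, `UpgradeProtocol className`) are Tomcat's, and the rule that HTTP/2 forbids renegotiation and PHA comes from RFC 7540 and RFC 8740. The assumption behind the check is that a certificate is only requested after the handshake when `certificateVerification` is anything other than `required`; legacy attributes placed directly on `<Connector>` are not inspected.

```python
"""Flag Tomcat TLS connectors on which CLIENT-CERT authentication would have
to obtain the client certificate after the handshake (TLS 1.2 renegotiation
or TLS 1.3 post-handshake authentication), i.e. the configurations named in
the thread as unsupported. Only <SSLHostConfig>-style configuration is
inspected; legacy attributes directly on <Connector> are ignored."""
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml: the first connector is the weak setting,
# the second is the corrected one. Ports and file names are placeholders.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig certificateVerification="optional" protocols="all">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig certificateVerification="required" protocols="TLSv1.2,TLSv1.3"
                     truststoreFile="conf/truststore.p12">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""


def tls13_enabled(protocols):
    """Interpret an SSLHostConfig 'protocols' value. An absent value or 'all'
    (the default) is taken to include TLSv1.3, as it does on implementations
    that support it; explicit tokens may carry Tomcat's '+' / '-' prefixes."""
    if protocols is None or not protocols.strip():
        return True
    enabled = False
    for token in protocols.replace(",", " ").split():
        name = token.lstrip("+-").lower()
        if name in ("all", "tlsv1.3"):
            enabled = not token.startswith("-")
    return enabled


def audit_connector(conn):
    """Return a list of human-readable findings for one <Connector> element."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings
    h2 = any(up.get("className") == HTTP2_CLASS
             for up in conn.findall("UpgradeProtocol"))
    for host in conn.findall("SSLHostConfig"):
        label = f"port {conn.get('port')} host {host.get('hostName', '_default_')}"
        verify = host.get("certificateVerification", "none").lower()
        if verify == "required":
            # The certificate is demanded in the initial handshake, so the
            # authenticator never has to ask for it afterwards.
            continue
        if h2:
            findings.append(f"{label}: certificateVerification={verify} with HTTP/2; "
                            "renegotiation (RFC 7540) and PHA (RFC 8740) are forbidden on h2")
        if tls13_enabled(host.get("protocols")):
            findings.append(f"{label}: certificateVerification={verify} with TLSv1.3 enabled; "
                            "the certificate can only be obtained via post-handshake auth")
    return findings


def audit_server_xml(xml_text):
    """Audit every <Connector> in a server.xml document given as text."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

Run against a real server.xml by passing its contents to `audit_server_xml`; the connector on port 443 in the sample produces two findings (HTTP/2 and TLS 1.3), the one on 8443 produces none because the certificate is required up front.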
--- Comment #8 from Christopher Schultz ---

(In reply to Martin Stangl from comment #6)
> org.apache.coyote.http11.Http11AprProtocol had a delay of 1 minute after
> selecting the certificate in the browser.
>
> Tested with Chrome, Edge and Postman with identical results.
>
> I am happy with Nio working.
> But if you want to look into the issue with
> org.apache.coyote.http11.Http11AprProtocol, I am willing to support with
> testing.
>
> stderr excerpt for org.apache.coyote.http11.Http11AprProtocol with OpenSSL.
> Pauses after "Calling authenticate()":

Hmm.

> 24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
> 24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]

/Exactly/ 1 minute delay?

Are you using OCSP (does OCSP even work for client certs)?

Can you snoop outbound network traffic from the server to see if something is making a network connection at the start of this pause?

At first, I was thinking "entropy problem" but (a) it was repeatable and (b) it's exactly 1 minute, which sounds more like a network timeout than anything else.
--- Comment #9 from Martin Stangl ---

Hi Christopher,

no OCSP, but I noticed that the CRL LDAP URL is invalid:

URL=ldap:///CN=T-base-CA,CN=NoCore,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=intranet,DC=t-base,DC=pro?certificateRevocationList?base?objectClass=cRLDistributionPoint
(ldap:///CN=T-base-CA,CN=NoCore,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=intranet,DC=t-base,DC=pro?certificateRevocationList?base?objectClass=cRLDistributionPoint)

I will try to fix the AD Certificate Service configuration by either fixing the URL or getting rid of the CRL, and try again with a new client certificate.

I agree, it looks very much like a network timeout.
--- Comment #10 from Martin Stangl ---

It seems this CRL URL is like this on purpose. I will go forward and use a client cert not issued by my AD CA for testing purposes.
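The CRL URL discussed in comments #9 and #10, as an added example that is not part of the bug report: a parser for LDAP URLs of the form RFC 4516 defines, followed by the one check that explains why the URL looks "invalid" yet is what Active Directory Certificate Services writes by design. An LDAP URL with an empty host part means "ask the LDAP server you already know about" (RFC 4516 section 2.1); a Windows client joined to the domain resolves that to a domain controller, while a Tomcat host outside the domain has no server to contact and cannot fetch the CRL at all. The two spellings of the URL are the ones quoted in comment #9; the `dc01.intranet.example` and `crl.example` URLs are constructed for contrast.

```python
"""Parse an LDAP URL (RFC 4516) of the kind Active Directory Certificate
Services writes into the CRL Distribution Points extension, and say whether
a host that is not joined to the issuing domain could use it to fetch the CRL."""
from urllib.parse import urlsplit, unquote

# The two spellings of the URL quoted in comment #9 (raw and percent-encoded),
# plus constructed URLs for contrast.
AD_CRL_URL = ("ldap:///CN=T-base-CA,CN=NoCore,CN=CDP,CN=Public Key Services,"
              "CN=Services,CN=Configuration,DC=intranet,DC=t-base,DC=pro"
              "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
AD_CRL_URL_ENCODED = AD_CRL_URL.replace(" ", "%20")
HOSTED_CRL_URL = ("ldap://dc01.intranet.example/CN=Example-CA,CN=CDP,DC=intranet,DC=example"
                  "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
HTTP_CRL_URL = "http://crl.example/Example-CA.crl"


def parse_ldap_url(url):
    """Split ldap://[host[:port]]/dn[?attrs[?scope[?filter[?extensions]]]]."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # urlsplit stops at the first '?', so the later '?' separators survive in .query
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attributes, scope, filt, extensions = fields[:4]
    path = parts.path[1:] if parts.path.startswith("/") else parts.path
    return {
        "scheme": parts.scheme.lower(),
        "host": parts.hostname or "",
        "port": parts.port,
        "dn": unquote(path),
        # drop ';binary' style options from attribute descriptions
        "attributes": [a.split(";")[0] for a in unquote(attributes).split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt),
        "extensions": unquote(extensions),
    }


def crl_dp_usable(url):
    """Return (usable, reason) for a CRL distribution point URL from the
    perspective of a server that is not a member of the issuing AD domain."""
    scheme = url.split(":", 1)[0].lower()
    if scheme in ("http", "https"):
        return True, "HTTP(S) CDP; fetchable from anywhere with network access"
    if scheme not in ("ldap", "ldaps"):
        return False, f"unsupported CDP scheme {scheme}"
    info = parse_ldap_url(url)
    if not info["host"]:
        # RFC 4516 2.1: an absent host means 'the LDAP server the client already
        # knows about'. Windows fills this in from the domain it is joined to;
        # anything else has no server to contact.
        return False, "no host in LDAP URL; only a domain-joined client knows which server to ask"
    if "certificateRevocationList" not in info["attributes"]:
        return False, "LDAP URL does not select the certificateRevocationList attribute"
    return True, f"query {info['host']} for {info['attributes']} at {info['dn']}"


if __name__ == "__main__":
    for u in (AD_CRL_URL, AD_CRL_URL_ENCODED, HOSTED_CRL_URL, HTTP_CRL_URL):
        print(crl_dp_usable(u))
```

Applied to the URL from the thread, the parser returns an empty host, scope `base` and filter `objectClass=cRLDistributionPoint`, and `crl_dp_usable` reports it as unusable from a non-domain host; a revocation checker that honours such a URL on a standalone server can only fail, either fast or by timing out, which is the kind of thing worth ruling out before blaming the connector.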
--- Comment #11 from Martin Stangl ---

I tested with 2 other client certificates. Same result.

Let's Encrypt certificate with OCSP. (For some strange reason javax.net.ssl decided to print certificate details in this case.)

25-Mar-2022 20:17:39.052 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
javax.net.ssl|DEBUG|A1|https-openssl-apr-443-exec-6|2022-03-25 20:17:39.071 CET|X509TrustManagerImpl.java:247|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "008210CFB0D240E3594463E0BB63828B00",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=ISRG Root X1, O=Internet Security Research Group, C=US",
    "not before"         : "2015-06-04 13:04:38.000 CEST",
    "not after"          : "2035-06-04 13:04:38.000 CEST",
    "subject"            : "CN=ISRG Root X1, O=Internet Security Research Group, C=US",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen: no limit
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y..s.X
        0010: F6 E9 9B 6E                                        ...n
        ]
        ]
      }
    ]}
)
25-Mar-2022 20:18:39.083 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=dev.intranet.t-base.pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]

Self-signed certificate:

25-Mar-2022 20:25:56.643 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
25-Mar-2022 20:26:56.666 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=Self-Signed, O=T-base OG, ST=Some-State, C=AT] with realm [org.apache.catalina.realm.UserDatabaseRealm]

The "server" is a Windows 10 notebook, so unfortunately very noisy. But I can confirm that no related calls to the internet were made when using the certificate issued by the Active Directory Certificate Service.

I will try to do some more snooping, but it will take 2 to 3 days until I get to it.
--- Comment #12 from Martin Stangl ---

I came up with another test: I took the server (notebook) offline, because if no network cable is plugged in, network requests immediately fail and do not time out.

Still the exact same delay. So most likely not network related.

stderr excerpt:

25-Mar-2022 22:16:54.202 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
javax.net.ssl|DEBUG|A1|https-openssl-apr-443-exec-6|2022-03-25 22:16:54.230 CET|X509TrustManagerImpl.java:247|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "008210CFB0D240E3594463E0BB63828B00",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=ISRG Root X1, O=Internet Security Research Group, C=US",
    "not before"         : "2015-06-04 13:04:38.000 CEST",
    "not after"          : "2035-06-04 13:04:38.000 CEST",
    "subject"            : "CN=ISRG Root X1, O=Internet Security Research Group, C=US",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen: no limit
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y..s.X
        0010: F6 E9 9B 6E                                        ...n
        ]
        ]
      }
    ]}
)
25-Mar-2022 22:17:54.245 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=dev.intranet.t-base.pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]
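The measurement the thread is doing by eye, as an added example that is not part of the bug report: a script that walks Tomcat's FINE log, pairs each thread's "Calling authenticate()" with the next "Attempting to authenticate user" on the same thread, and reports the gap, so a near-exact 60 s shows up as a number rather than as two timestamps to subtract. The APR log lines in the sample are taken from comments #8 and #12 (the e-mail address in the first subject is replaced by the CN form); the `https-jsse-nio-8443-exec-2` pair is constructed to show what a fast NIO path looks like next to them, and the 55 s threshold is an arbitrary choice for "close to a one-minute timeout". Interleaved `javax.net.ssl` debug lines do not match the Tomcat line format and are skipped.

```python
"""Measure the gap between AuthenticatorBase.invoke 'Calling authenticate()'
and the realm's 'Attempting to authenticate user' per Tomcat worker thread."""
import re
from datetime import datetime

# Tomcat's default one-line JULI format: timestamp level [thread] logger message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")
START_MARK = "Calling authenticate()"
END_MARK = "Attempting to authenticate user"
USER_RE = re.compile(r"user \[(.*?)\] with realm")

# Sample log: APR lines from the thread, one javax.net.ssl line that must be
# ignored, and a constructed NIO pair for contrast.
SAMPLE_LOG = """\
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]
25-Mar-2022 22:16:54.202 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
javax.net.ssl|DEBUG|A1|https-openssl-apr-443-exec-6|2022-03-25 22:16:54.230 CET|X509TrustManagerImpl.java:247|Found trusted certificate (
25-Mar-2022 22:17:54.245 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=dev.intranet.t-base.pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]
25-Mar-2022 22:20:01.100 FINE [https-jsse-nio-8443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
25-Mar-2022 22:20:01.131 FINE [https-jsse-nio-8443-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=Self-Signed, O=T-base OG, ST=Some-State, C=AT] with realm [org.apache.catalina.realm.UserDatabaseRealm]
"""


def parse_ts(text):
    """Parse '25-Mar-2022 22:16:54.245' (Tomcat's default timestamp)."""
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")


def authenticate_delays(lines):
    """Return [(thread, user_dn, delay_seconds)] for each start/end pair,
    matched per worker thread so concurrent requests do not get mixed up."""
    pending = {}   # thread name -> timestamp of 'Calling authenticate()'
    result = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # SSL debug dumps and wrapped lines are not JULI records
        thread, msg = m["thread"], m["msg"]
        if msg.endswith(START_MARK):
            pending[thread] = parse_ts(m["ts"])
        elif msg.startswith(END_MARK) and thread in pending:
            delay = (parse_ts(m["ts"]) - pending.pop(thread)).total_seconds()
            um = USER_RE.search(msg)
            result.append((thread, um.group(1) if um else "", delay))
    return result


def suspicious(delays, seconds=55.0):
    """Pairs whose gap is long enough to look like a fixed timeout."""
    return [d for d in delays if d[2] >= seconds]


if __name__ == "__main__":
    for thread, user, delay in authenticate_delays(SAMPLE_LOG.splitlines()):
        print(f"{delay:8.3f}s  {thread}  {user}")
```

Feed it `catalina.out` or stderr with `org.apache.catalina.authenticator` and `org.apache.catalina.realm` at FINE; a gap that stays at about 60 s whether the network cable is in or not, as in comment #12, is the same evidence the thread uses to set network timeouts aside, and the thread name tells you directly which connector (APR versus NIO) is affected.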