Florian,

On 5/19/16 12:49 PM, Florian Kleedorfer wrote:
> TL;DR: The TLS handshake with client authentication using
> self-signed client certificates (using APR/openssl) stopped working
> from tomcat 8.0.30 to tomcat 8.0.32. Cause is suspected in a change
> of openssl or APR between versions.
>
> # Context:
>
> We're using tomcat 8 in a setting where the client has a
> self-signed client certificate that is transmitted to the server to
> identify the client. The certificate is used to gather
> client-specific data in the application. We aren't interested in
> setting up our own PKI for that, or using official CAs. Self-signed
> certs on the client are fine, as far as we're concerned.
>
> Our code that works in 8.0.30 stops working when switching to
> 8.0.32, as documented in this issue on github
> https://github.com/researchstudio-sat/webofneeds/issues/547
>
> I am suspecting it's either an APR or an openssl issue, or
> something related to the way we generate our certificates. I looked
> up the versions used in the last working and the first non-working
> tomcat minor releases:
>
> tomcat 8.0.30: tcnative version 1.1.33.0, OpenSSL 1.0.1m 19 Mar 2015 (works for us)
> tomcat 8.0.32: tcnative version 1.2.4.0, OpenSSL 1.0.2e 3 Dec 2015 (doesn't work for us)
>
> # Config:
>
> I'm experiencing this on Windows 7, using the -x64 zip downloads.
>
> Here's the configuration of the tomcat connector:
>
> <Connector clientAuth="wanted"

clientAuth="want"? Note that this is only documented for the JSSE-based
connectors, not the APR connector.

> port="8443" minSpareThreads="5" enableLookups="true"
> disableUploadTimeout="true" acceptCount="100" maxThreads="200"
> scheme="https" secure="true" SSLEnabled="true"
> SSLCertificateFile="C:/Users/fkleedorfer/wonkey/t-cert.pem"
> SSLCertificateKeyFile="C:/Users/fkleedorfer/wonkey/t-key.pem"
> SSLPassword="changeit" SSLVerifyClient="optionalNoCA"

This looks okay.

> SSLVerifyDepth="2"

Why do you bother to specify SSLVerifyDepth if you aren't trying to use
CLIENT-CERT authentication? This is just for informational purposes from
the client, right?

> sslProtocol="TLS"/>
>
> # Logs:
>
> Here's the trace of the failing TLS handshake (including the
> exception), with -Djavax.net.debug=all
>
> client side:
>
> https://gist.github.com/fkleedorfer/8b4c3932a1de4b51617eac5e03c0be29

With no changes to the client, this works on Tomcat 8.0.30 but fails with
Tomcat 8.0.32?

Since you presumably have a system with OpenSSL 1.0.1m on it (the
"working" system), please install Tomcat 8.0.32 on that system and re-try
with Tomcat 8.0.32 + tcnative 1.2.4 + OpenSSL 1.0.1m.

Since you presumably have a system with OpenSSL 1.0.2e on it (the
"non-working" system), please try installing Tomcat 8.0.30 on the system
with OpenSSL 1.0.2e and re-try with Tomcat 8.0.30 + tcnative 1.1.33 +
OpenSSL 1.0.2e.

This will help narrow down which component contains the change which is
causing these failures. I suspect the problem will be narrowed down to
either a change in OpenSSL, a change in tcnative, or a change in APR.
-chris
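Added example (Go, not code from this thread or from Tomcat/tcnative): what SSLVerifyClient="optionalNoCA" means at the TLS layer, modelled with Go's crypto/tls, whose tls.RequestClientCert is the same request-but-never-verify mode. The handshake runs over an in-memory pipe with constructed self-signed certificates; the fingerprint the server returns is what an application in this setup should key client data on, because nothing in an unvalidated certificate's Subject is authenticated.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"net"
	"time"
)

// SelfSigned builds a throwaway self-signed certificate in memory (constructed here; no CA, as in the thread).
func SelfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// Handshake runs one TLS 1.2 handshake over an in-memory pipe. The server requests a client certificate but
// never validates its chain (Go's analogue of SSLVerifyClient="optionalNoCA") and returns the SHA-256
// fingerprint of the certificate it received, or "" if the client sent none. Map that, not the Subject, to a client.
func Handshake(clientCerts []tls.Certificate) (string, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{SelfSigned("server")}, ClientAuth: tls.RequestClientCert,
		MaxVersion: tls.VersionTLS12} // net.Pipe is synchronous; TLS 1.2 keeps the flights strictly alternating
	cliCfg := &tls.Config{InsecureSkipVerify: true, Certificates: clientCerts} // server cert is self-signed too
	c1, c2 := net.Pipe()
	defer func() { c1.Close(); c2.Close() }()
	cli, srv := tls.Client(c1, cliCfg), tls.Server(c2, srvCfg)
	errc := make(chan error, 1)
	go func() { errc <- cli.Handshake() }()
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	if err := <-errc; err != nil {
		return "", err
	}
	if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
		sum := sha256.Sum256(peers[0].Raw)
		return hex.EncodeToString(sum[:]), nil
	}
	return "", nil
}
```

Call Handshake(nil) to see the "optional" half (the handshake succeeds with no client certificate at all), and Handshake([]tls.Certificate{SelfSigned("client")}) to see an unvalidated self-signed certificate arrive intact on the server side.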