On 24/02/2010 15:03, Christopher Schultz wrote:
So, setting to CLIENT-CERT triggers an SSL renegotiation.
What if the Connector is set to clientAuth="want" or
clientAuth="true"? Will the initial SSL negotiation carry the client
certificate and therefore avoid CVE-2009-3555?
Yes. But test carefully as th
Kevin,
On 2/23/2010 6:07 PM, Kevin Mills wrote:
> On 2/19/10, Christopher Schultz wrote:
>> So, with clientAuth="false", how do you get a client certificate to use
>> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
>> trigger
> Date: Tue, 23 Feb 2010 15:07:03 -0800
> Subject: Re: Trouble with CLIENT-CERT authentication method
> From: kevmacmi...@gmail.com
> To: users@tomcat.apache.org
>
> On 2/19/10, Christopher Schultz wrote:
> > So, with clientAuth="false", h
On 2/19/10, Christopher Schultz wrote:
> So, with clientAuth="false", how do you get a client certificate to use
> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
> trigger an SSL-renegotiation where the client cert /is/ requested from
> the client.
The presence of CLIENT-
Kevin,
On 2/19/2010 2:18 PM, Kevin Mills wrote:
> On 2/19/10, Christopher Schultz wrote:
>> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>>> resources require the client cer
On 2/19/10, Christopher Schultz wrote:
> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>> resources require the client certificate.
>
> Gotcha: I thought that "false" would cause the connector to ignore all
> client cert in
On 2/18/10, Christopher Schultz wrote:
>
> Stupid question: don't you want clientAuth="true"?
>
In this particular case, no. I don't want to force client certificate
authentication for all SSL connections coming to port 8443. Instead,
I am looking to do client certificate authentication on a pe
Jason,
On 2/19/2010 1:48 AM, Jason Brittain wrote:
> Nope. clientAuth="false" means that the webapp's web.xml specifies which
> resources require the client certificate.
Gotcha: I thought that "false" would cause the connector to ignore all
client c
Christopher:
Nope. clientAuth="false" means that the webapp's web.xml specifies which
resources require the client certificate. See the Connector doc page's
description of the accepted values for the clientAuth attribute:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
"clientAuth" is
Kevin,
On 2/17/2010 7:24 PM, Kevin Mills wrote:
> Sure thing - here is my Connector element:
>
> maxThreads="50" scheme="https" secure="true"
>keystoreFile=".../tomcat.keystore" keystorePass="..."
>
On 18/02/2010 16:30, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>> CVE-2009-3555?
>
> Now that this is working, I'd like to ask what other options exist for
> using client certificate authentication on a per-webapp basis.
> Requiring my customers to enable a feature
> (allowUnsafeLegacy
On 2/17/10, Mark Thomas wrote:
> CVE-2009-3555?
Now that this is working, I'd like to ask what other options exist for
using client certificate authentication on a per-webapp basis.
Requiring my customers to enable a feature
(allowUnsafeLegacyRenegotiation) that exposes them to a potential
man-i
On 2/17/10, Mark Thomas wrote:
> The rules on how security constraints combine are in the Servlet spec.
> It can take a bit of time to get your head around it.
>
> To require a cert for your servlet too, one option would be:
>
>
>
> Everything
> /*
>
On 18/02/2010 00:42, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>>
>>
>>> :-) "Doesn't work", meaning I don't get prompted for my certificate.
>>> I see my servlet's output without any sort of authentication.
>>
>> What URL are you requesting? Only index.jsp will prompt for a cert. Your
On 2/17/10, Mark Thomas wrote:
>
>
>> :-) "Doesn't work", meaning I don't get prompted for my certificate.
>> I see my servlet's output without any sort of authentication.
>
> What URL are you requesting? Only index.jsp will prompt for a cert. Your
> servlet will just require SSL to be used.
Oo
On 18/02/2010 00:24, Kevin Mills wrote:
>
> MyServlet
> /myServlet
>
>
>
> MyApp
> /index.jsp
>
>
> X509
>
>
>
>
> Everything
>
On 2/17/10, Mark Thomas wrote:
> Then you probably haven't got your config quite right. There are plenty
> of things to go wrong with this but this definitely works - I was using
> it just the other day.
>
> We'll need to see:
> - connector element from server.xml
> - web.xml
> - tomcat-users.xml
On 18/02/2010 00:04, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>> On 17/02/2010 23:48, Kevin Mills wrote:
>>> Can anyone tell me what's going on here?
>>
>> CVE-2009-3555?
>>
>> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>> search for
>> allowUnsafeLegacyRenegotiation
>
>
On 2/17/10, Mark Thomas wrote:
> On 17/02/2010 23:48, Kevin Mills wrote:
>> Can anyone tell me what's going on here?
>
> CVE-2009-3555?
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> search for
> allowUnsafeLegacyRenegotiation
Thanks for your reply - I did see that option and forg
On 17/02/2010 23:48, Kevin Mills wrote:
> Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
Mark