On 24/02/2010 15:03, Christopher Schultz wrote:
> So, setting to CLIENT-CERT triggers an SSL renegotiation.
> What if the is set to clientAuth="want" or
> clientAuth="true"? Will the initial SSL negotiation carry the client
> certificate and therefore avoid CVE-2009-3555?
Yes. But test carefully as th
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kevin,
On 2/23/2010 6:07 PM, Kevin Mills wrote:
> On 2/19/10, Christopher Schultz wrote:
>> So, with clientAuth="false", how do you get a client certificate to use
>> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
>> trigger
> Date: Tue, 23 Feb 2010 15:07:03 -0800
> Subject: Re: Trouble with CLIENT-CERT authentication method
> From: kevmacmi...@gmail.com
> To: users@tomcat.apache.org
>
> On 2/19/10, Christopher Schultz wrote:
> > So, with clientAuth="false", h
On 2/19/10, Christopher Schultz wrote:
> So, with clientAuth="false", how do you get a client certificate to use
> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
> trigger an SSL-renegotiation where the client cert /is/ requested from
> the client.
The presence of CLIENT-
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kevin,
On 2/19/2010 2:18 PM, Kevin Mills wrote:
> On 2/19/10, Christopher Schultz wrote:
>> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>>> resources require the client cer
On 2/19/10, Christopher Schultz wrote:
> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>> resources require the client certificate.
>
> Gotcha: I thought that "false" would cause the connector to ignore all
> client cert in
On 2/18/10, Christopher Schultz wrote:
>
> Stupid question: don't you want clientAuth="true"?
>
In this particular case, no. I don't want to force client certificate
authentication for all SSL connections coming to port 8443. Instead,
I am looking to do client certificate authentication on a pe
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jason,
On 2/19/2010 1:48 AM, Jason Brittain wrote:
> Nope. clientAuth="false" means that the webapp's web.xml specifies which
> resources require the client certificate.
Gotcha: I thought that "false" would cause the connector to ignore all
client c
Christopher:
Nope. clientAuth="false" means that the webapp's web.xml specifies which
resources require the client certificate. See the Connector doc page's
description of the accepted values for the clientAuth attribute:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
"clientAuth" is
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kevin,
On 2/17/2010 7:24 PM, Kevin Mills wrote:
> Sure thing - here is my Connector element:
>
> maxThreads="50" scheme="https" secure="true"
> keystoreFile=".../tomcat.keystore" keystorePass="..."
>
On 18/02/2010 16:30, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>> CVE-2009-3555?
>
> Now that this is working, I'd like to ask what other options exist for
> using client certificate authentication on a per-webapp basis.
> Requiring my customers to enable a feature
> (allowUnsafeLegacy
On 2/17/10, Mark Thomas wrote:
> CVE-2009-3555?
Now that this is working, I'd like to ask what other options exist for
using client certificate authentication on a per-webapp basis.
Requiring my customers to enable a feature
(allowUnsafeLegacyRenegotiation) that exposes them to a potential
man-i
On 2/17/10, Mark Thomas wrote:
> The rules on how security constraints combine are in the Servlet spec.
> It can take a bit of time to get your head around it.
>
> To require a cert for your servlet too, one option would be:
>
>
>
> Everything
> /*
>
On 18/02/2010 00:42, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>>
>>
>>> :-) "Doesn't work", meaning I don't get prompted for my certificate.
>>> I see my servlet's output without any sort of authentication.
>>
>> What URL are you requesting? Only index.jsp will prompt for a cert. Your
On 2/17/10, Mark Thomas wrote:
>
>
>> :-) "Doesn't work", meaning I don't get prompted for my certificate.
>> I see my servlet's output without any sort of authentication.
>
> What URL are you requesting? Only index.jsp will prompt for a cert. Your
> servlet will just require SSL to be used.
Oo
On 18/02/2010 00:24, Kevin Mills wrote:
>
> MyServlet
> /myServlet
>
>
>
> MyApp
> /index.jsp
>
>
> X509
>
>
>
>
> Everything
>
On 2/17/10, Mark Thomas wrote:
> Then you probably haven't got your config quite right. There are plenty
> of things to go wrong with this but this definitely works - I was using
> it just the other day.
>
> We'll need to see:
> - connector element from server.xml
> - web.xml
> - tomcat-users.xml
On 18/02/2010 00:04, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>> On 17/02/2010 23:48, Kevin Mills wrote:
>>> Can anyone tell me what's going on here?
>>
>> CVE-2009-3555?
>>
>> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>> search for
>> allowUnsafeLegacyRenegotiation
>
>
On 2/17/10, Mark Thomas wrote:
> On 17/02/2010 23:48, Kevin Mills wrote:
>> Can anyone tell me what's going on here?
>
> CVE-2009-3555?
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> search for
> allowUnsafeLegacyRenegotiation
Thanks for your reply - I did see that option and forg
On 17/02/2010 23:48, Kevin Mills wrote:
> Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
Mark
Greetings fellow Tomcat-ers:
I'm trying to enable client certificate authentication on a per-webapp
basis using Tomcat 6.0.24. According to the various sources of
documentation I've found, this should be possible by enabling the SSL
Connector (which I've done), getting client certificate authenticat