Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
Greetings fellow Tomcat-ers: I'm trying to enable client certificate authentication on a per-webapp basis using Tomcat 6.0.24. According to the various sources of documentation I've found, this should be possible by enabling the SSL Connector (which I've done), getting client certificate authenticat

Re: Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
On 2/17/10, Mark Thomas wrote:
> On 17/02/2010 23:48, Kevin Mills wrote:
>> Can anyone tell me what's going on here?
>
> CVE-2009-3555?
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> search for
> allowUnsafeLegacyRenegotiation

Thanks for your r

Re: Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
On 2/17/10, Mark Thomas wrote:
> Then you probably haven't got your config quite right. There are plenty
> of things to go wrong with this but this definitely works - I was using
> it just the other day.
>
> We'll need to see:
> - connector element from server.xml
> - web.xml
> - tomcat-users.xml

Re: Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
On 2/17/10, Mark Thomas wrote:
>
>> :-) "Doesn't work", meaning I don't get prompted for my certificate.
>> I see my servlet's output without any sort of authentication.
>
> What URL are you requesting? Only index.jsp will prompt for a cert. Your
> servlet will just require SSL to be used.

Oo

Re: Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
On 2/17/10, Mark Thomas wrote:
> The rules on how security constraints combine are in the Servlet spec.
> It can take a bit of time to get your head around it.
>
> To require a cert for your servlet too, one option would be:
>
>
>
> Everything
> /*
>

Re: Trouble with CLIENT-CERT authentication method

2010-02-18 Thread Kevin Mills
On 2/17/10, Mark Thomas wrote:
> CVE-2009-3555?

Now that this is working, I'd like to ask what other options exist for using client certificate authentication on a per-webapp basis. Requiring my customers to enable a feature (allowUnsafeLegacyRenegotiation) that exposes them to a potential man-i

Re: Trouble with CLIENT-CERT authentication method

2010-02-19 Thread Kevin Mills
On 2/18/10, Christopher Schultz wrote:
>
> Stupid question: don't you want clientAuth="true"?
>

In this particular case, no. I don't want to force client certificate authentication for all SSL connections coming to port 8443. Instead, I am looking to do client certificate authentication on a pe

Re: Trouble with CLIENT-CERT authentication method

2010-02-19 Thread Kevin Mills
On 2/19/10, Christopher Schultz wrote:
> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>> resources require the client certificate.
>
> Gotcha: I thought that "false" would cause the connector to ignore all
> client cert in

Re: Trouble with CLIENT-CERT authentication method

2010-02-23 Thread Kevin Mills
On 2/19/10, Christopher Schultz wrote:
> So, with clientAuth="false", how do you get a client certificate to use
> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
> trigger an SSL-renegotiation where the client cert /is/ requested from
> the client.

The presence of CLIENT-
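The three pieces Mark asks for in the thread (connector element, web.xml, tomcat-users.xml), assembled into one per-webapp CLIENT-CERT setup of the kind the thread converges on. This is an added example written for this archive page, not configuration posted by anyone in the thread; keystore paths, passwords, the `certuser` role name and the subject DN are placeholders. The web.xml applies Mark's "Everything / /*" constraint with an auth-constraint, so the servlet is prompted for a certificate rather than merely required to use SSL; the connector keeps clientAuth="false" as Kevin wants, which is exactly why the certificate is fetched by a renegotiation and why CVE-2009-3555 and allowUnsafeLegacyRenegotiation enter the picture. The final comment goes slightly beyond the thread by naming the connector-level alternative that avoids renegotiation altogether.

```xml
<!-- server.xml: HTTPS connector for Tomcat 6.0.24.
     clientAuth="false" means the connector does not demand a certificate at
     handshake time; a webapp whose web.xml uses CLIENT-CERT makes Tomcat
     renegotiate the TLS session to request one when a protected URL is hit.
     Placeholder paths and passwords. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="CHANGEME"
           truststoreFile="conf/truststore.jks" truststorePass="CHANGEME"
           allowUnsafeLegacyRenegotiation="true" />
<!-- allowUnsafeLegacyRenegotiation="true" re-enables the renegotiation that
     CVE-2009-3555 concerns (man-in-the-middle plaintext injection); the
     truststore must contain only the CAs you actually accept client certs from. -->

<!-- web.xml: the constraint Mark suggests, covering every URL of the webapp. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- Without this auth-constraint the constraint only requires SSL
         (the "servlet will just require SSL" case in the thread) and no
         certificate is ever requested. -->
    <auth-constraint>
      <role-name>certuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>cert</realm-name>
  </login-config>
  <security-role>
    <role-name>certuser</role-name>
  </security-role>
</web-app>

<!-- tomcat-users.xml (UserDatabaseRealm): with CLIENT-CERT the username is
     the certificate's subject DN, so map that DN to the role. Placeholder DN. -->
<tomcat-users>
  <role rolename="certuser"/>
  <user username="CN=example-client, OU=Example, O=Example Org, C=US"
        password="" roles="certuser"/>
</tomcat-users>

<!-- Beyond the thread: if the renegotiation exposure is unacceptable, run the
     CLIENT-CERT webapp behind its own connector (another port) with
     clientAuth="true" (or "want"), so the certificate is collected in the
     initial handshake and allowUnsafeLegacyRenegotiation can stay off. -->
```

Checks worth doing after applying this: request a URL under the constrained pattern over https and confirm the browser's certificate prompt appears; request the same URL with a certificate not in the truststore and confirm a 401/handshake failure rather than the servlet's output; and confirm allowUnsafeLegacyRenegotiation is absent on every other connector in server.xml.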