DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=35229>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=35229 Summary: alert user about expired certificates in client cert authentication in an understandable way Product: Tomcat 5 Version: Nightly Build Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Catalina AssignedTo: tomcat-dev@jakarta.apache.org ReportedBy: [EMAIL PROTECTED] Right now, the user doesn't see anything, just nothing is happening. In the log, I see <<Jun 5, 2005 9:27:08 PM org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake INFO: SSL Error getting client Certs javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Thu Nov 25 15:02:23 CET 2004 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168) at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1098) at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:187) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:677) at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75) at java.io.InputStream.read(InputStream.java:89) at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:87) at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66) at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120) at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1077) at org.apache.coyote.Request.action(Request.java:364) at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:526) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:827) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:731) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) at java.lang.Thread.run(Thread.java:595) Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Nov 25 15:02:23 CET 2004 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256) at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570) at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:123) at sun.security.validator.Validator.validate(Validator.java:203) at sun.security.validator.Validator.validate(Validator.java:172) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:142) at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(SSLContextImpl.java:303) at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1091) ... 25 more>> Suggestion: at least return a http 40X error. In a similar situation, I went through the exercise to get an error message back into struts - this entailed: - changeing the socketfactory to take the below trustmanager - rewriting the X509TrustManagerImpl to chose a different validator since the sun one doesn't appear to be extensible - rewriting SimpleValidator to not or less strictly execute cert.checkValidity() For this to arrive at the user via struts, you will first tweak the SSLAuthenticator to let an expired cert through and then check the same again once the web-app takes over the control and then present the error -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
