On 06/02/17 13:49, Francesco Leone wrote:
Dear Sirs, we would like to report a behaviour of Apache Tomcat 7.0.59.
Apache Tomcat 7.0.59 is running with:
- RHEL 6.6
- Java JDK 1.8.0.74
- OpenSSL 1.0.2g
We have a client - server communication. The client certificate is
produced via keytool, and we have the same problem highlighted here
http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific
and
http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates
What we gathered from reading the whole thread is that, to solve our
problem, we should implement a new X509TrustManager which creates our
original instance in its constructor, implements all methods as calls to
the original instance, and adds a call to checkValidity for each
certificate in certs[] inside checkServerTrusted.
Did we understand correctly? If so, it sounds to us like a security hole
and therefore a bug in Tomcat. Is there any chance of having this
behaviour (refusing connections with expired certificates) as standard in
a later Apache Tomcat 7.0.x release? Can anyone in this community support
us?
This is not a Tomcat bug.
If you tell Java to trust a certificate, it will do so and ignore the
validity period.
I've looked into this in the past and short of implementing your own
X509TrustManager I haven't yet found an API Tomcat could use to add an
additional check on the trusted cert's validity.
A better general solution is to trust the CA(s) issuing the client
certificates rather than the client certificates. Then, because the
client cert is not in the trust store, Java checks it more thoroughly -
including the validity dates.
It is also worth looking at using an OpenSSL based TLS connector. From
what I recall of my previous testing OpenSSL did check the validity
dates of trusted certs.
Mark
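The delegating trust manager discussed in both messages above, written out as an added example (this is not Tomcat's code and not code from either poster). It wraps the JSSE default X509TrustManager obtained from TrustManagerFactory, lets it make the normal trust decision, and then calls X509Certificate.checkValidity() on every certificate in the presented chain, which is exactly the check JSSE skips when the leaf certificate itself is in the trust store. Both checkClientTrusted and checkServerTrusted are wrapped: Tomcat acts as the TLS server, so a client certificate is examined in checkClientTrusted, not in checkServerTrusted as the question suggests. The class name and the no-argument constructor are assumptions made for this example.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Example (hypothetical, not Tomcat code): wraps the JSSE default trust manager
 * and adds X509Certificate.checkValidity() for every certificate in the chain,
 * so a directly-trusted but expired certificate is rejected.
 * Extends X509ExtendedTrustManager so the Socket/SSLEngine variants, which carry
 * endpoint-identification and algorithm constraints, are forwarded intact.
 */
public final class ValidityCheckingTrustManager extends X509ExtendedTrustManager {

    private final X509TrustManager delegate;

    /** No-arg constructor (assumed here for pluggability): JRE default trust store. */
    public ValidityCheckingTrustManager() {
        this(defaultDelegate(null));
    }

    public ValidityCheckingTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    /** Locate the default JSSE X509TrustManager for a trust store (null = JRE cacerts). */
    public static X509TrustManager defaultDelegate(KeyStore trustStore) {
        try {
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    return (X509TrustManager) tm;
                }
            }
            throw new IllegalStateException("no X509TrustManager available");
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot initialise trust manager", e);
        }
    }

    /** The extra check: every certificate in the chain must be valid right now. */
    static void checkDates(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        for (X509Certificate cert : chain) {
            cert.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
        }
    }

    private X509ExtendedTrustManager extended() {
        return delegate instanceof X509ExtendedTrustManager ? (X509ExtendedTrustManager) delegate : null;
    }

    // Delegate first, so untrusted chains fail with the usual JSSE error; then the date check.

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        checkDates(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        if (extended() != null) extended().checkClientTrusted(chain, authType, socket);
        else delegate.checkClientTrusted(chain, authType);
        checkDates(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        if (extended() != null) extended().checkClientTrusted(chain, authType, engine);
        else delegate.checkClientTrusted(chain, authType);
        checkDates(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
        checkDates(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        if (extended() != null) extended().checkServerTrusted(chain, authType, socket);
        else delegate.checkServerTrusted(chain, authType);
        checkDates(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        if (extended() != null) extended().checkServerTrusted(chain, authType, engine);
        else delegate.checkServerTrusted(chain, authType);
        checkDates(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
}
```

The no-argument constructor exists because Tomcat 7's JSSE connector can load a custom trust manager through the trustManagerClassName connector attribute, which requires a zero-argument constructor; the example falls back to the JRE default trust store there, so a real deployment would instead open the same trust store the connector is configured with. The date check runs after the delegate so that an untrusted chain is still reported as untrusted rather than merely as expired. None of this is needed if the trust store holds only the issuing CA(s), as Mark recommends: the client certificate is then chain-built and its validity period checked by JSSE itself.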
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org