Mark, Apologies for top posting. We have our own trust manager that is attached to the connector because we want client certificates to be passed in the application for validation and authentication rather than the connector. If we switch to the OpenSSL/APR based certificate processing, would the trust manager still work? I presume not, but wanted to ask and if not, what are the options?
-----Original Message----- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, February 06, 2017 7:20 AM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: Apache Tomcat 7.0.59 - Even if a ws certificate stored in the WSkeystore expires, any webclient request is still accepted by server and not refused On 06/02/17 13:49, Francesco Leone wrote: > Dear Sirs, To communicate you a behaviour with Apache Tomcat 7.0.59 > > Apache Tomcat 7.0.59 is running with: - RHEL6.6 - java jdk 1.8.0.74 - > OpenSSL 1.0.2g > > We have a client - server communication. The Client certificate is > produced via keytool and we have same problem highlighted here > > http://stackoverflow.com/questions/33688020/configuring-apache-tomcat- > 7-0-to-reject-connections-with-expired-client-certific > > and > > http://stackoverflow.com/questions/5206859/java-trustmanager-behavior- > on-expired-certificates > > > > What we got reading all flow, is that to solve our problem we should > implement a new X509TrustManager which creates our original instance > in its constructor, implements all methods as calls to the original > instance, and adds a call to checkValidity for each certificate in > certs[] inside checkServerTrusted. > > Did we get well ? If yes, it sounds to us as a hole in the security > and so a bug in Tomcat, is there any chance to have this behaviour > (refuse connection at expired certificates) as standard in later > Apache tomcat 7.0.x release ? Any of this community can support us ? This is not a Tomcat bug. If you tell Java to trust a certificate, it will do so and ignore the validity period. I've looked into this in the past and short of implementing your own X509TrustManager I haven't yet found an API Tomcat could use to add an additional check on the trusted cert's validity. A better general solution is to trust the CA(s) issuing the client certificates rather than the client certificates. Then, because the client cert is not in the trust store, Java checks it more thoroughly - including the validity dates. It is also worth looking at using an OpenSSL based TLS connector. From what I recall of my previous testing OpenSSL did check the validity dates of trusted certs. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
