Hi,

We are in the process of migrating from Tomcat 7 to Tomcat 9.
We use cert-based client authentication in our application, and support both 
password-based and cert-based authentication.

For this purpose, we are setting the certificateVerification="optional" attribute 
in the SSLHostConfig element of server.xml (in Tomcat 7, we were setting 
clientAuth="want").


<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true" compression="on"
           compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
           address="0.0.0.0"
           maxPostSize="10485760"
           URIEncoding="UTF-8" server=" ">
    <SSLHostConfig
            truststoreFile="${tomcat.bind.truststore}"
            truststorePassword="${tomcat.bind.truststorepass}" truststoreType="jks"
            ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            certificateVerification="optional" sslProtocol="TLS"
            protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="${tomcat.bind.keystore}"
                     certificateKeystorePassword="${tomcat.bind.keystorepass}"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

When I try to access the application from a browser where a client certificate 
is available, this use case does not work with the setting 
certificateVerification="optional": Tomcat does not request a client cert.
If I change this setting to certificateVerification="required", then this 
functionality works as it did with Tomcat 7.


Can someone help me understand why the "optional" setting is not working in 
Tomcat 9?

As per the Tomcat 9 SSLHostConfig 
documentation <https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig>,
client authentication with the optional setting should work?

certificateVerification
Set to required if you want the SSL stack to require a valid certificate chain 
from the client before accepting a connection. Set to optional if you want the 
SSL stack to request a client Certificate, but not fail if one isn't presented. 
Set to optionalNoCA if you want client certificates to be optional and you 
don't want Tomcat to check them against the list of trusted CAs. If the TLS 
provider doesn't support this option (OpenSSL does, JSSE does not) it is 
treated as if optional was specified. A none value (which is the default) will 
not require a certificate chain unless the client requests a resource protected 
by a security constraint that uses CLIENT-CERT authentication.


Regards
Manish

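A client-side check for the symptom described in the post, added here as an example and not part of the original message: with certificateVerification set to "optional" or "required" and a CA truststore configured, Tomcat's TLS 1.2 CertificateRequest carries the truststore CA subjects, which `openssl s_client` prints under "Acceptable client certificate CA names"; with the default "none" no request is sent and s_client prints "No client certificate CA names sent". The host:port passed to `probe` and the sample s_client output are assumptions/constructed, not taken from the post.

```shell
#!/bin/sh
# Added example: classify whether a TLS 1.2 server asked for a client
# certificate, from the output of `openssl s_client`.
# Caveat: s_client also prints "No client certificate CA names sent" when a
# CertificateRequest was sent with an empty CA list, so "no-ca-names" maps to
# certificateVerification="none" only when a truststore with CAs is configured
# (as in the posted SSLHostConfig).

# Reads s_client output on stdin; prints: ca-names-sent / no-ca-names / unknown.
classify_cert_request() {
    out=$(cat)
    case "$out" in
        *"Acceptable client certificate CA names"*) echo ca-names-sent ;;
        *"No client certificate CA names sent"*)    echo no-ca-names ;;
        *)                                          echo unknown ;;
    esac
}

# Probes a live server (argument "host:port" is an assumption; change it).
# -tls1_2 matches protocols="TLSv1.2" in the posted connector.
probe() {
    openssl s_client -connect "$1" -tls1_2 -servername "${1%%:*}" </dev/null 2>/dev/null \
        | classify_cert_request
}

# Constructed sample: what s_client prints when the server requested a cert.
SAMPLE_REQUESTED='---
Acceptable client certificate CA names
CN = Example Internal CA, O = Example Corp
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---'

# Constructed sample: server never sent a CertificateRequest (or sent no CA names).
SAMPLE_NOT_REQUESTED='---
No client certificate CA names sent
---'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_REQUESTED"     | classify_cert_request
printf '%s\n' "$SAMPLE_NOT_REQUESTED" | classify_cert_request
```

Run `probe your.host:443` against the Tomcat 9 instance with each certificateVerification value to see whether the CertificateRequest actually changes.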