Timothy,

On 1/13/25 9:58 AM, Timothy Resh wrote:
> This system and configuration I inherited and was told it works, and it
> should have been working in earlier Tomcat versions like 8. We have
> hundreds of installations, so having a Dynamic client auth is paramount.

What do you mean when you say "dynamic client auth"?

> I have tried several versions of Tomcat, 9.0.79 to 9.0.89, and nothing seems
> to work, unless I put the intermediates in the certificates file; then it
> works.

If the intermediates are required, then they are and were ALWAYS required. Your trust store contains certificates. It can contain either all the certificates you directly trust (like each individual user), or one or more intermediate certificates, or both kinds.

But if you need to trust User A and User A's certificate is not in the trust store, the only way to make it work is to trust the certificate that signed User A's certificate, or have the user provide a trust chain that proves they are using a client cert your server's trust store trusts... eventually, following the chain.

> What I'm trying to do is have the intermediates for client
> authorization use the path to get the intermediates. This way we just send
> a single certificate out to the remote and they drop it in the
> caCertificatePath and it should work. I have also tried the
> caCertificateFile as the intermediate for client auth and it does not seem
> to work. In your configuration does the caCertificateFile file hold the
> intermediates for client auth?

Neither caCertificatePath nor caCertificateFile are "for intermediates" per se. You can put any number of certs in there. Using the intermediates is very very common, though.

Note that when using trusted intermediates, it is of critical importance that you configure and test your certificate revocation list (not specified in your original configuration!) using SSLCARevocationFile/SSLCARevocationPath or SSLHostConfig's certificateRevocationListFile/certificateRevocationListPath.

> I assume that the Certificate section is only for SSL and not client auth?

Correct, the <Certificate>s are for server certificates. You want to use <SSLHostConfig> attributes like truststoreFile, etc. to configure your trust store for client certificates.

Your configuration uses the <Connector> sslCACertificatePath attribute, which is used with the APR connector to specify a directory containing files. To move that to <SSLHostConfig> (recommended), you can move it to SSLHostConfig.caCertificatePath.

On 1/9/25 11:15 AM, Timothy Resh wrote:
> The only way to get it to work is to put it in the TrustStore/Keystore.

During your upgrade, did you happen to remove the APR connector? The settings you have in your original post are only applicable to the OpenSSL-based APR connector where the libtcnative library is in use.

When you start Tomcat, do you get any warning in the log file about APR and/or native not being supported? When the TLS/SSL connector becomes available, it should log what kind of cryptographic library is in use under the hood.

If you have dropped libtcnative, then you may need to change your configuration slightly, including packaging your certificates differently (into a truststore file instead of a directory of PEM files).

-chris
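To make the point above concrete (and the chain-file layout Peter describes in his reply quoted below), here is an added example that is not part of the thread and not Tomcat's own code. It builds a throwaway root -> intermediate -> client PKI with openssl in a temporary directory and then checks what a client certificate verifies against: the intermediate alone, a chain file holding intermediate then root, and a hash-named directory of the kind OpenSSL's CApath expects. The CA names, file names and the temp directory are all made up for the demo. It assumes that Tomcat's OpenSSL engine judges a client chain the way `openssl verify` does and that caCertificatePath expects the CApath hash-named layout; it does not generate a CRL, so the revocation check still has to be added on the Tomcat side.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a throwaway root -> intermediate -> client
# PKI with openssl in a temp directory, then shows what a client certificate verifies
# against: an intermediate alone, the full chain file, and a hashed CApath directory.
# Assumption: Tomcat's OpenSSL engine checks the chain the way `openssl verify` does,
# and caCertificatePath expects the hash-named layout of OpenSSL's CApath.
set -e

make_pki() {    # $1 = work directory (created by the caller)
  d="$1"
  # Root CA: self-signed (req -x509 marks it CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: CSR signed by the root with explicit CA extensions;
  # without basicConstraints OpenSSL rejects it as an issuer ("invalid CA certificate").
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Client (end-entity) certificate issued by the intermediate, as "User A" would hold.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user-a" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/client.ext" -out "$d/client.pem" 2>/dev/null
  # Chain file in the order Peter describes: intermediates first, root last.
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
  # CApath layout: one PEM per CA named <subject-hash>.<n>. A file simply copied
  # into the directory under its own name (intermediate.ca, DODxxx.cer, ...) is never
  # consulted by the hash lookup, which is one way a "dropped in" CA silently does nothing.
  mkdir -p "$d/capath"
  for f in "$d/int.pem" "$d/root.pem"; do
    h=$(openssl x509 -hash -noout -in "$f")
    n=0
    while [ -e "$d/capath/$h.$n" ]; do n=$((n + 1)); done
    cp "$f" "$d/capath/$h.$n"
  done
}

# Each returns 0 when client.pem verifies against the given trust material, non-zero otherwise.
verify_with_file() { openssl verify -CAfile "$2" "$1/client.pem" >/dev/null 2>&1; }
verify_with_path() { openssl verify -CApath "$1/capath" "$1/client.pem" >/dev/null 2>&1; }

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to show" >&2; return 0; }
  d=$(mktemp -d)
  make_pki "$d"
  printf 'trust = intermediate only   : '
  verify_with_file "$d" "$d/int.pem"   && echo verified || echo "NOT verified (chain never reaches a trusted root)"
  printf 'trust = chain.pem (int+root): '
  verify_with_file "$d" "$d/chain.pem" && echo verified || echo "NOT verified"
  printf 'trust = hashed capath dir   : '
  verify_with_path "$d"                && echo verified || echo "NOT verified"
  rm -rf "$d"
}

main
```

On the Tomcat side this maps onto the SSLHostConfig attributes already named in this thread: caCertificateFile pointing at something like chain.pem (intermediates before root, as in Peter's configuration) or caCertificatePath pointing at the hash-named directory, certificateVerification set to "optional" or "required", and certificateRevocationListFile/certificateRevocationListPath for the CRL that the example above does not produce. With only the intermediate in the trust material the first check fails, which is the behaviour being reported with intermediate.ca.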

On Fri, Jan 10, 2025 at 5:33 PM <l...@kreuser.name> wrote:

Timothy

On 09.01.2025 at 17:15, Timothy Resh <mresh1...@gmail.com> wrote:

The following is a configuration that we have used to set up the Client
Authorization to work in Tomcat. We use introspection (the
IntrospectionUtils.PropertySource) to decipher the password and set the
following environment variables

    // JSSE key store and trust store locations, plus their passwords, set as
    // system properties before the connector starts (clearText is the decrypted password)
    System.setProperty("javax.net.ssl.keyStore", keyStorePath);
    System.setProperty("javax.net.ssl.keyStorePassword", clearText);
    System.setProperty("javax.net.ssl.trustStore", trustStorePath);
    System.setProperty("javax.net.ssl.trustStorePassword", clearText);

and then we use this connector configuration.

<Connector URIEncoding="UTF-8"
           port="8443"
           address="10.2.110.235"
           maxThreads="300"
           maxConnections="300"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           scheme="https" secure="true" SSLEnabled="true"
           SSLProtocol="TLSv1.2"
           SSLCipherSuite="-ALL ..... this has all the ciphers"

           SSLPassword="${KSENC(6qXemkaMkIOCflnMN4pErQ==;C:\Certificate\Keystore\Tomcat xxx Vessel.p12)}"
           SSLCertificateChainFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxx.com.cer"
           SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxx.com.cer"
           SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3.xxx.com.key"
           SSLVerifyClient="optional"

           SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
           SSLCACertificatePath="C:\Certificates\CA\"
/>


I'm not sure that all these parameters are available.

Which version of Tomcat do you use?


I switched to the new config with SSLHostConfig a long time ago.

I also use client auth and this works:


     <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
                    hostName="tomcat.xxxx.xxx"
                    protocols="+TLSv1.2,+TLSv1.3"
                    certificateVerification="required"
                    caCertificateFile="${catalina.base}/conf/ssl/chain.xxx.crt.pem"
                    disableCompression="true"
                    disableSessionTickets="true"
                    ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
                    certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
         <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
                      certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
                      certificateChainFile="${catalina.base}/conf/ssl/int.xxx.crt.pem"
                      type="RSA" />
     </SSLHostConfig>


I guess the most significant config is caCertificateFile, which contains the
complete chain (intermediates before ROOT). I do use PEM certificate files,
but in another connector I also use JKS/P12, yet without client auth.

HTH

Peter

The last two settings SSLCACertificateFile and SSLCACertificatePath appear
to not work. We have a Certificate "DODxxx" intermediate in the
SSLCACertificatePath directory and it does not present itself to the client.
We have also tried putting it in the SSLCACertificateFile and that does not
work either.
The only way to get it to work is to put it in the TrustStore/Keystore.

Did this type of configuration work on Tomcat? What changes do you suggest
to get this to work with at least an external "intermediate.ca" file with
all the "DODxxx" intermediates concatenated in the file?


Regards

Timothy Resh

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
