Timothy,
On 1/14/25 4:58 PM, Timothy Resh wrote:
What do you mean when you say "dynamic client auth"?
Dynamic insofar as you drop an intermediate CA and hash link into a
directory, to allow Tomcat to recognise the new client, e.g. DOD CAC
cards. I believe you indicated using the caCertificatePath or
caCertificateFile for this.
You will likely need to reload the configuration each time you make a
change. You can trigger this with a JMX notification for sure. I think
there were some changes "recently" (last 2-3 years?) that allow
automatic detection of configuration changes to trigger a reload, but
that may be limited to the server's key store. I'll have to double-check.
I'm trying to change my configuration to use SSLHostConfig.
This is what I have, but it does not work. I get an error (see below).
<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLEnabled="true"
    maxPostSize="-1"
    scheme="https"
    secure="true"
    defaultSSLHostConfigName="WSD-2DNX4M3.xxxx.com">
    <SSLHostConfig hostName="WSD-2DNX4M3.xxxx.com"
        ciphers="-ALL TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        honorCipherOrder="true"
        sslProtocol="TLSv1.2"
        protocols="TLSv1.2"
        caCertificateFile="C:\Certificates\CA\intermediate.ca"
        caCertificatePath="C:\Certificates\CA\"
        certificateVerification="optional"
        truststoreFile="C:\Certificate\Keystore\Tomcat SAMM Vessel.p12"
        truststorePassword="Emprise#1"
        truststoreType="PKCS12"
        >
You are mixing configurations here.
These configuration options are documented to be for OpenSSL only:
caCertificateFile
caCertificatePath
These configuration options are documented to be for JSSE only:
sslProtocol
truststoreFile
truststoreType
truststorePassword
That's why I asked which kind of connector you are using. Your
<Connector> configuration above shows that you are using the APR
connector, which means libtcnative, APR, and OpenSSL should all be in
use. Indeed, your log confirms this:
> 14-Jan-2025 16:35:24.262 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.26] using APR version [1.7.0].
> 14-Jan-2025 16:35:24.262 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
> 14-Jan-2025 16:35:24.262 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
There are a bunch of warnings about your configuration in the log file.
Did you read them?
        <Certificate
            certificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3.xxxx.com.key"
            certificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxxx.com.cer"
            certificateChainFile="C:\Certificates\CA\intermediate.ca"
            type="RSA" certificateKeystoreType="PKCS12"
            />
    </SSLHostConfig>
</Connector>
The "intermediate.ca" file is a list of DOD intermediates.
This is the error log. When we upgraded from Tomcat 9.0.75 to 9.0.83 I had
to add keystoreType="PKCS12" to my original config in order to get it to
recognize the PEM file with the "PKCS#8 encryption algorithm with DER
encoded OID of [2a864886f70d010c0103]", which worked for 9.0.83. The config
I have shown above is now creating the same error again.
Something is definitely missing from your report and/or your
configuration. You are not configuring a keystore. You are configuring a
certificate file and certificate key file.
This all sounds very familiar. Oh, right, this is why:
https://lists.apache.org/thread/v9w8swz73w2ss6jslppwq6b6ldto089k
Can you tell me why it will not recognise the certs now?
It's failing to read the key, not the certificate. The key file
C:\Certificate\Private Key\WSD-2DNX4M3.xxxx.com.key is in a format this
version of Tomcat doesn't understand.
It looks like your key-generator is writing the key to a file in an
obscure encrypted format (OID 1.2.840.113549.1.12.1.3,
pbeWithSHAAnd3-KeyTripleDES-CBC). Can you export the key in a different
format?
-chris
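For reference, here is what the connector above looks like once the JSSE-only attributes that the reply calls out (sslProtocol, truststoreFile/Type/Password, certificateKeystoreType) are removed and only the OpenSSL-side attributes remain. This is an added example written for this page, not configuration from the thread or from the Tomcat project. It keeps the hostnames and file paths Timothy posted; the cipher suites are his four suites written in OpenSSL's naming instead of the JSSE names, and the certificateKeyPassword line is an assumption about how the key will be protected after it is re-exported. It does not fix the key-file problem: the reply's point that the key must be exported in a format this Tomcat understands still stands.

```xml
<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLEnabled="true"
    maxPostSize="-1"
    scheme="https"
    secure="true"
    defaultSSLHostConfigName="WSD-2DNX4M3.xxxx.com">
    <!-- OpenSSL-backed SSLHostConfig: no sslProtocol, no truststore* attributes.
         Client certificates are verified against the CA file and/or the CA
         directory, so the trust store attributes from the JSSE world are
         not needed here. -->
    <SSLHostConfig hostName="WSD-2DNX4M3.xxxx.com"
        protocols="TLSv1.2"
        ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
        honorCipherOrder="true"
        certificateVerification="optional"
        caCertificateFile="C:\Certificates\CA\intermediate.ca"
        caCertificatePath="C:\Certificates\CA\">
        <!-- PEM files go on the Certificate element; certificateKeystoreType is
             a JSSE keystore attribute and is dropped. certificateKeyPassword is
             only needed if the re-exported key is encrypted (assumed here). -->
        <Certificate
            certificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxxx.com.cer"
            certificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3.xxxx.com.key"
            certificateKeyPassword="change-me"
            certificateChainFile="C:\Certificates\CA\intermediate.ca"
            type="RSA" />
    </SSLHostConfig>
</Connector>
```

Two caveats worth checking before relying on this for CAC logins: caCertificatePath is an OpenSSL hashed directory, so the files in C:\Certificates\CA\ must be named (or symlinked) by subject hash in the way `openssl rehash` produces, or OpenSSL will not find them; and certificateVerification="optional" means a client that presents no certificate still completes the handshake, so the application must enforce that a certificate was actually presented on the paths that require one.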
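The OID in the error, 2a864886f70d010c0103, is the DER encoding of 1.2.840.113549.1.12.1.3 (pbeWithSHAAnd3-KeyTripleDES-CBC), which is how the reply identifies the key format. The script below is an added example, not code from the thread or from Tomcat: a small standard-library-only checker that opens a PEM private key, walks the outer PKCS#8 EncryptedPrivateKeyInfo structure, decodes the algorithm OID, and says whether the key uses one of the legacy PKCS#12/PKCS#5 PBE schemes or PBES2. The sample keys it builds with make_sample_key() are constructed for the demo (the encrypted payload is filler, not a real key), and the openssl command in suggested_fix() is the editor's suggestion for re-exporting, not something the thread recommends.

```python
"""Report which PKCS#8 encryption scheme a PEM private key uses (added example)."""
import base64
import re
import textwrap

# OID -> (standard algorithm name, this example's family label used in the verdict)
KNOWN_OIDS = {
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", "legacy PKCS#12 PBE"),
    "1.2.840.113549.1.12.1.4": ("pbeWithSHAAnd2-KeyTripleDES-CBC", "legacy PKCS#12 PBE"),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHAAnd40BitRC2-CBC", "legacy PKCS#12 PBE"),
    "1.2.840.113549.1.5.10": ("pbeWithSHA1AndDES-CBC", "legacy PKCS#5 PBES1"),
    "1.2.840.113549.1.5.13": ("PBES2", "PBES2"),
}


def _tlv(tag, body):
    """DER-encode one tag/length/value triple (used to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs share one octet, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """DER OID content octets -> dotted string (inverse of encode_oid)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV beginning at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def inspect_key(pem):
    """Describe the outer PEM type and, for PKCS#8 encrypted keys, the PBE algorithm OID."""
    label, der = pem_to_der(pem)
    report = {"label": label, "encrypted": False, "oid": None, "oid_hex": None,
              "name": None, "family": None}
    if label == "PRIVATE KEY":
        report["name"], report["family"] = "unencrypted PKCS#8", "plain"
        return report
    if label != "ENCRYPTED PRIVATE KEY":
        # "RSA PRIVATE KEY" / "EC PRIVATE KEY": traditional OpenSSL PEM, where any
        # encryption is signalled by DEK-Info headers rather than a PKCS#8 OID.
        report["name"], report["family"] = "traditional OpenSSL PEM", "traditional"
        return report
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm AlgorithmIdentifier,
    #                                        encryptedData OCTET STRING }
    tag, seq_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(der, seq_start)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid_body = der[oid_start:oid_end]
    report["encrypted"] = True
    report["oid"] = decode_oid(oid_body)
    report["oid_hex"] = oid_body.hex()  # the form Tomcat prints in its error message
    report["name"], report["family"] = KNOWN_OIDS.get(report["oid"], ("unknown", "unknown"))
    return report


def suggested_fix(report):
    """Editor's suggestion (assumption, not from the thread): re-export with openssl pkcs8."""
    if report["family"] in ("plain", "PBES2"):
        return None
    return ("openssl pkcs8 -topk8 -in old.key -out new.key -v2 aes-256-cbc"
            "  (PBES2; use -nocrypt instead for an unencrypted PKCS#8 key)")


def make_sample_key(oid=None):
    """Constructed sample, not a real key: a PKCS#8 shell around filler bytes."""
    if oid is None:
        label, body = "PRIVATE KEY", _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, b"\x00" * 16))
    else:
        params = _tlv(0x30, _tlv(0x04, b"\x00" * 8) + _tlv(0x02, b"\x08\x00"))  # salt, 2048 iterations
        alg = _tlv(0x30, encode_oid(oid) + params)
        label, body = "ENCRYPTED PRIVATE KEY", _tlv(0x30, alg + _tlv(0x04, b"\x00" * 32))
    b64 = "\n".join(textwrap.wrap(base64.b64encode(body).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.12.1.3", "1.2.840.113549.1.5.13", None):
        r = inspect_key(make_sample_key(oid))
        print(r["label"], r["oid_hex"], r["name"], r["family"], suggested_fix(r), sep=" | ")
```

To run it against a real file, pass `open("WSD-2DNX4M3.xxxx.com.key").read()` to inspect_key(); `openssl asn1parse -in that.key -i` shows the same OID by name if you want a second opinion. A key that reports "legacy PKCS#12 PBE" is the case in the thread, and a re-export to unencrypted PKCS#8 or PBES2 is the usual way out.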
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org