Hello, I have tomcat 6.0.30 configured with NIOConnector (org.apache.coyote.http11.Http11NioProtocol) using latest JRE (1.6.0_23). The connector has 1 way SSL enabled, except for a URL that requires 2 way SSL. I do so using following security constraint in web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>secure</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>secure</role-name>
</security-role>

I have 2 self-signed SSL keys:

1) c:\keys\client.keystore
2) c:\keys\webserver.keystore

tomcat-users.xml has been updated properly with a user in the "secure" role that has the same username as the CN for c:\keys\client.keystore.

The connector configuration in server.xml is as follows:

<Connector SSLEnabled="true"
           clientAuth="false"
           keystoreType="JKS"
           keystoreFile="C:\keys\webserver.keystore"
           keystorePass="changeit"
           truststoreType="JKS"
           truststoreFile="C:\keys\client.keystore"
           truststorePass="changeit"
           port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           URIEncoding="UTF-8"
           compression="on"
           compressableMimeType="text/html,text/xml,text/plain,application/xml,text/javascript,text/css"
           acceptCount="5000"
           maxThreads="200" />

When I try to access a secure URL (e.g. /secure/foo.do) from a Java program using the Apache HttpClient library (where the client is configured to use "C:\keys\webserver.keystore" as the truststore and "C:\keys\client.keystore" as the keystore), I get the following response from the Tomcat server:

"This request requires HTTP authentication (No client certificate chain in this request)."
Tomcat's log shows the following stack trace:

2011-02-04 15:04:47 WARNING: #{11} [Http11NioProcessor.action] Exception getting SSL attributes
java.lang.NullPointerException
        at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:150)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:143)
        at org.apache.coyote.http11.Http11NioProcessor.action(Http11NioProcessor.java:1213)
        at org.apache.coyote.Request.action(Request.java:350)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:135)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:889)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:732)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:2262)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

Oddly, the same program works if I use org.apache.coyote.http11.Http11Protocol instead of org.apache.coyote.http11.Http11NioProtocol. Any idea what might be causing the NIO implementation to not work in this case? Does this have anything to do with the SSL renegotiation that was recently addressed in the latest Tomcat?

Secondly, for Http11Protocol, I used to be able to specify a list of "ciphers" in the Connector configuration to prevent weak ciphers being used. E.g.
ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5"

However, the same does not seem to work with the Http11NioProtocol, and I get the following in Tomcat's logs:

2011-02-04 15:09:12 SEVERE: #{11} [NioEndpoint.setSocketOptions]
java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
        at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledCipherSuites(Unknown Source)
        at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1141)
        at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1096)
        at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1315)
        at java.lang.Thread.run(Unknown Source)

Is the "ciphers" attribute supported with the Http11NioProtocol implementation?

Thanks in advance!
Parag

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
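Added example, not part of Parag's message or of Tomcat itself: the second stack trace comes from SSLEngine.setEnabledCipherSuites() rejecting a name the installed JSSE provider does not support, so the quickest check is to ask the same JRE which of the configured suites it actually offers for an SSLEngine (the object the NIO connector builds per connection) before putting the list into server.xml. The class name and the CONFIGURED string below are assumptions; paste in your own "ciphers" value. Cipher.getMaxAllowedKeyLength("AES") is included because a result of 128 means the default limited-strength jurisdiction policy files are installed, and on Java 6 the AES_256 suites are then not offered at all, which matches the suite named in the exception.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Compares a Tomcat Connector "ciphers" value against the suites the
 * installed JSSE provider supports for an SSLEngine, and shows that the
 * raw list is rejected while the filtered list is accepted.
 * Run it with the same JRE that runs Tomcat.
 */
public class CipherSuiteCheck {

    // Assumed input: the Connector "ciphers" attribute value. This is a
    // short constructed sample; replace it with your own list.
    static final String CONFIGURED =
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
        + "TLS_RSA_WITH_AES_256_CBC_SHA,"
        + "TLS_RSA_WITH_AES_128_CBC_SHA,"
        + "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers suffice for this check
        SSLEngine engine = ctx.createSSLEngine();

        Set<String> supported = new HashSet<String>(
            Arrays.asList(engine.getSupportedCipherSuites()));

        List<String> usable = new ArrayList<String>();
        List<String> unsupported = new ArrayList<String>();
        for (String name : CONFIGURED.split("\\s*,\\s*")) {
            if (name.length() == 0) {
                continue;
            }
            if (supported.contains(name)) {
                usable.add(name);
            } else {
                unsupported.add(name);
            }
        }

        // 128 here means the limited-strength policy is in effect.
        System.out.println("Max allowed AES key length: "
            + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("Usable:      " + usable);
        System.out.println("Unsupported: " + unsupported);

        // Passing the raw list is what the NioEndpoint trace shows failing.
        try {
            engine.setEnabledCipherSuites(CONFIGURED.split("\\s*,\\s*"));
            System.out.println("Raw list accepted by SSLEngine.");
        } catch (IllegalArgumentException e) {
            System.out.println("Raw list rejected: " + e.getMessage());
        }

        // The filtered list contains only names the provider reported.
        if (!usable.isEmpty()) {
            engine.setEnabledCipherSuites(usable.toArray(new String[usable.size()]));
            System.out.println("Filtered list accepted; enabled suites: "
                + Arrays.toString(engine.getEnabledCipherSuites()));
        } else {
            System.out.println("None of the configured suites are supported.");
        }
    }
}
```

Compile and run with `javac CipherSuiteCheck.java && java CipherSuiteCheck` under the Tomcat JRE; any name listed under "Unsupported" is one the NIO connector will refuse, so either drop it from the "ciphers" attribute or install the policy files that make it available.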