From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 35229] New: - alert user about expired certificates in client cert authentication in an understandable way
Date: Sun, 5 Jun 2005 21:53:58 +0200 (CEST)
Message-Id: <20050605195358.4CA0117F@ajax.apache.org>
List-Id: "Tomcat Developers List"

http://issues.apache.org/bugzilla/show_bug.cgi?id=35229

           Summary: alert user about expired certificates in client cert
                    authentication in an understandable way
           Product: Tomcat 5
           Version: Nightly Build
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: hauser@acm.org

Right now, the user doesn't see anything, just nothing is happening. In the log,
I see <>

Suggestion: at least return an HTTP 40X error.

In a similar situation, I went through the exercise to get an error message back
into struts - this entailed:
- changing the socketfactory to take the below trustmanager
- rewriting the X509TrustManagerImpl to choose a different validator since the
  sun one doesn't appear to be extensible
- rewriting SimpleValidator to not or less strictly execute
  cert.checkValidity()

For this to arrive at the user via struts, you will first tweak the
SSLAuthenticator to let an expired cert through and then check the same again
once the web-app takes over the control and then present the error.
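
The last step the report describes (checking the certificate again once the web application has control, then presenting the error), as an added example that is not code from the report or from Tomcat: a servlet filter that re-checks the validity dates and answers with an HTTP 403 and a readable reason. The class name is hypothetical, and the sketch assumes the TLS layer was relaxed as the report describes but still verifies the chain's signatures against the trust store.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (the name is an assumption): map it to every URL that requires a client certificate.
public class ClientCertValidityFilter implements Filter {
    // Standard servlet request attribute that carries the peer's certificate chain on TLS connections.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "No client certificate was presented.");
            return;
        }
        // Check every certificate in the chain: an expired intermediate is rejected like an expired leaf.
        for (X509Certificate cert : certs) {
            try {
                cert.checkValidity(); // compares notBefore/notAfter with the current time
            } catch (CertificateExpiredException e) {
                http.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "A certificate in your client certificate chain expired on " + cert.getNotAfter() + ".");
                return; // fail closed: the request never reaches the application
            } catch (CertificateNotYetValidException e) {
                http.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "A certificate in your client certificate chain is not valid before " + cert.getNotBefore() + ".");
                return;
            }
        }
        chain.doFilter(req, res); // all validity periods cover the current time
    }
}
```

With expired certificates admitted at the TLS layer, this filter is the only expiry check left, so any protected path it is not mapped to accepts them.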