tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Coates" <michael.coa...@aspectsecurity.com>
Subject SSL Client Cert Verification
Date Thu, 12 Mar 2009 18:05:21 GMT

All,

I'm looking to issue guidance on Tomcat and verification of client certificates. I'm curious
if Tomcat is performing the following validation actions when a client cert is received. I
took a look through the code and didn't find my answer.

<Connector 
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true";
           clientAuth="true" sslProtocol="TLS"/>


Here's what I hope is happening for client certificate verification:

1. Verify validity of client cert and each cert in client cert chain (this appears to be happening
in RealmBase.java, authenticate)

2. Verify certs in cert chain are actually authorized to issue certificates (ie Subject type
= CA). I didn't see this in the code

3. Verify that none of the certs are on a certificate revocation list. Perhaps this is a configuration
item.


I'm wondering if someone could point me in the right direction. Specifically, is step 2 taking
place somewhere in code that I don't see? Also, if step 3 is a configuration issue, I will
post that question on the appropriate list.


Thanks,

Michael Coates
Senior Application Security Engineer
michael.coates@aspectsecurity.com
(301) 604-4882 (work) 
(630) 207-2567 (cell) 
 
Aspect Security¬ô
http://www.aspectsecurity.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message