tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48677] New: SSL with Form fallback authenticator no longer works in 6.0.24
Date Wed, 03 Feb 2010 19:35:11 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48677

           Summary: SSL with Form fallback authenticator no longer works
                    in 6.0.24
           Product: Tomcat 6
           Version: 6.0.24
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: preed@swri.org


For quite a while we've been using Tomcat 6.0.20 with the
SSLWithFormFallbackAuthenticator described here:
http://wiki.apache.org/tomcat/SSLWithFORMFallback

We need to have our server first attempt to do user authentication with SSL
certificates, and if that fails, let the user log in with a form.

This no longer works in Tomcat 6.0.24.  Users with certificates can log in
successfully; if a user does not have a certificate, after the cert check
fails, Tomcat seems to close the connection without sending any data back to
the browser.  Since the user never gets the form page, they can't log in.

This log line in particular appears when a user without a certificate tries to
log in with 6.0.24:
WARN http-443-1 org.apache.tomcat.util.net.jsse.JSSESupport - SSL server
initiated renegotiation is disabled, closing connection

That warning message gets printed out between the logging statements at lines
291 and 303 of SSLWithFormFallbackAuthenticator.java.  (that is, between " No
certificates found in HttpRequest." and "  No certificates included with this
request".  That warning message does not appear when a user without a cert logs
in under Tomcat 6.0.20.

My hunch is that this may be related to the fix for bug 46950, "SSL
renegotiation does not occur when resource with CLIENT-CERT auth is requested",
which was supposedly in the unreleased version 6.0.21.  I'm not sure, though.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message