tomcat-users mailing list archives

From "Karli Christoph (CSE)" <christoph.ka...@CSE.ch>
Subject RE: achieving a clients (browsers) certificate in a webapp - SOLVED
Date Wed, 23 Jul 2003 15:16:25 GMT
thanks jay
as i mentioned before, i've already solved it.
4.1.26 is out as an alpha-version and i took the jk-connector
from this release with my tomcat 4.1.24 installation.. 

until now, it works really fine like that..

-----Original Message-----
From: Jay Garala [mailto:JGarala@Conclusive.com] 
Sent: Wednesday, 23 July 2003 17:06
To: 'Tomcat Users List'
Subject: RE: achieving a clients (browsers) certificate in a webapp


The Apache - Tomcat - mod_ssl only works with Tomcat 4.0.6!!
Sorry i totally forgot that i had put this bug in a long time ago.
Wait til 4.1.26 comes out.. it is resolved there!

Jay

-----Original Message-----
From: Karli Christoph (CSE) [mailto:christoph.karli@CSE.ch]
Sent: Wednesday, July 23, 2003 7:27 AM
To: 'Tomcat Users List'
Subject: RE: achieving a clients (browsers) certificate in a webapp


this helped me a lot!!

now i've installed the native jk connector from 
jakarta-tomcat-connectors-4.1.26 (where this bug is fixed) - and 
suddenly i achieve the clients certificate in my webapps..

thanks!

-----Original Message-----
From: Bill Barker [mailto:wbarker@wilshire.com] 
Sent: Wednesday, 23 July 2003 05:48
To: tomcat-user@jakarta.apache.org
Subject: Re: achieving a clients (browsers) certificate in a webapp



"Karli Christoph (CSE)" <christoph.karli@CSE.ch> wrote in message
news:315EE5E5ED25D611905C0002A5DA6180340E44@tijuana.cse.softec.ch...
> we have the ssl-configuration in the file ssl.conf which gets
> included by httpd.conf.
>
> it tells me that the Jk* - entries aren't supposed to be at this
> place.. ?
>
> and if i enter the line
> > SSLVerifyClient require  (or optional)
>

This is the part you were missing.  Unfortunately, the handling of Client
certs in the Jk-Coyote connector is broken in 4.1.24 (see
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15790).

> ..i get an empty page in my browser.. (ajp13 problem?)
>
> it really seems like this is a configuration-war..
>
> i think during the ssl-handshaking of apache and the client-browser,
> apache doesn't ask for the client-certificate (which is in fact
> optional)
>
> hmm.. anyone wanna give another shot?
>
>
> -----Original Message-----
> From: Jay Garala [mailto:JGarala@Conclusive.com]
> Sent: Tuesday, 22 July 2003 18:11
> To: 'Tomcat Users List'
> Subject: RE: achieving a clients (browsers) certificate in a webapp
>
>
> Oh I've done this before!!!
>
> In your SSL section in httpd.conf
>
>
> // Change accordingly
> #    SSLVerifyClient require
> #    SSLVerifyDepth 1
> ##    SSLOptions +StdEnvVars +ExportCertData
> #
> ##
> # JkOptions +ForwardKeySize +ForwardURICompat
> ## JkExtractSSL On
> # JkHTTPSIndicator HTTPS
> ### JkSESSIONIndicator SSL_SESSION_ID
> # JkCIPHERIndicator SSL_CIPHER
> # JkCERTSIndicator SSL_CLIENT_CERT
> // NEED THIS
> # JkEnvVar SSL_CLIENT_CERT   SSL_CLIENT_CERT
>
> then in ur Servlet do:
>
> String apacheClientCert = (String) request.getAttribute("SSL_CLIENT_CERT");
> java.security.cert.CertificateFactory cf =
> CertificateFactory.getInstance("X.509");
> String cert = removePEMData(apacheClientCert);
> sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
> byte[] bcert = dec.decodeBuffer(cert);
> ByteArrayInputStream bais = new ByteArrayInputStream(bcert);
> X509Certificate x509 = (X509Certificate) cf.generateCertificate(bais);
> bais.close();
>
> ... Now you got your Client cert... if you want the server cert
> add JkEnvVar SSL_SERVER_CERT SSL_SERVER_CERT in httpd and mirror changes in
> servlet
>
>  public String removePEMData(String cert)
>   {
>     String begin = "-----BEGIN CERTIFICATE-----";
>     String end = "-----END CERTIFICATE-----";
>     int s = cert.indexOf(begin);
>     int e = cert.indexOf(end);
>     // only strip when both markers are present; otherwise substring would throw
>     if (s >= 0 && e > s)
>       cert = cert.substring(s + begin.length(), e);
>     return cert;
>   }
>
> -----Original Message-----
> From: Karli Christoph (CSE) [mailto:christoph.karli@CSE.ch]
> Sent: Tuesday, July 22, 2003 11:53 AM
> To: 'Tomcat Users List'
> Subject: RE: achieving a clients (browsers) certificate in a webapp
>
>
> that's the point..
>
> with the following code
>
> String certAttribute = "javax.servlet.request.X509Certificate";
> X509Certificate certificate[] = (java.security.cert.X509Certificate[])
> request.getAttribute(certAttribute);
>
> for (Enumeration e = request.getAttributeNames(); e.hasMoreElements();) {
>   System.out.println("attribute: " + e.nextElement());
> }
>
>
>
> we just can achieve the following attributes:
>
> attribute: javax.servlet.include.servlet_path
> attribute: javax.servlet.include.context_path
> attribute: javax.servlet.request.cipher_suite
> attribute: javax.servlet.request.key_size
> attribute: javax.servlet.include.request_uri
>
> any other ideas?
>
>
> -----Original Message-----
> From: Bodycombe, Andrew [mailto:andrew.bodycombe@siemens.com]
> Sent: Tuesday, 22 July 2003 17:39
> To: 'Tomcat Users List'
> Subject: RE: achieving a clients (browsers) certificate in a webapp
>
>
> The 'javax.servlet.request.X509Certificate' request property will give you
> the client certificate chain. It contains an array of
> java.security.cert.X509Certificate Objects. Element [0] is the client
> certificate, Element [1] is the CA for the client certificate etc.
>
>
>
> -----Original Message-----
> From: Karli Christoph (CSE) [mailto:christoph.karli@CSE.ch]
> Sent: 22 July 2003 16:04
> To: 'Tomcat Users List'
> Subject: achieving a clients (browsers) certificate in a webapp
>
>
> now this seems like a big task!
>
> we've been trying to achieve a clients certificate from the request-object,
> which failed because there is no parameter for achieving the x509Certificate
> installed in the browser of the client out of the request-object
> (javax.servlet.ServletRequest).
>
> the certification of the server works fine, except the fact that the
> server-name on the certificate doesn't match the actual server-name of the
> webserver (we're about to change the server-name)
>
> anyway, we've spent the whole day - but we had no chance to figure out where
> the problem's hidden.
>
> what we use:
> jdk 1.3
> apache 2.0.45 with openssl
> tomcat 4.1.24
> mod_jk connector
>
>
> other hint:
>  - https connection works on the webapp
>
>
> important parts of the configuration files:
>
> ******* configuration of ssl.conf looks like this:
> <IfDefine SSL>
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
>
> SSLPassPhraseDialog  builtin
>
> SSLSessionCache         dbm:logs/ssl_scache
> SSLSessionCacheTimeout  300
>
> SSLMutex  file:logs/ssl_mutex
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
> <VirtualHost _default_:443>
> DocumentRoot "/opt/httpd-2.0.45/htdocs"
> #ServerName new.host.name:443
> ServerName servername.is.ok:443
> ServerAdmin you@your.address
> ErrorLog logs/error_log
> TransferLog logs/access_log
>
> #   SSL Engine Switch:
> #   Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /opt/httpd-2.0.45/conf/ssl.crt/server.crt
>
> SSLCertificateKeyFile /opt/httpd-2.0.45/conf/ssl.key/server.key
>
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> <Directory "/opt/httpd-2.0.45/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
>
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
> </IfDefine>
>
>
> ******* configuration of httpd.conf looks like this:
> ...
> #
> # Bring in additional module-specific configurations
> #
> <IfModule mod_ssl.c>
>     Include conf/ssl.conf
> </IfModule>
> ...
>
> JkWorkersFile /opt/jakarta/conf/jk/workers.properties
> JkLogFile /opt/jakarta/logs/mod_jk.log
>
> JkLogLevel debug
>
> JkMount /examples ajp13
> JkMount /examples/* ajp13
> ...
>
>
> ******* configuration of server.xml looks like this:
> ...
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="75"
>                enableLookups="true"
>        acceptCount="10" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false">
>       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                clientAuth="false" protocol="TLS"
>                keystoreFile=".keystore" keystorePass="xxxxx" />
>     </Connector>
>
>     <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8009" minProcessors="5" maxProcessors="75"
>                enableLookups="true" redirectPort="8443"
>                acceptCount="10" debug="0" connectionTimeout="0"
>                useURIValidationHack="false"
>                protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
> ...
>
> ******* just anyone?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
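As an added example (not code from any poster in this thread), a servlet-side helper that first tries the javax.servlet.request.X509Certificate chain Andrew describes and falls back to the SSL_CLIENT_CERT attribute forwarded by JkEnvVar as in Jay's post, covering the cases his removePEMData does not: a missing END marker, an empty value when SSLVerifyClient is optional and the browser sent no certificate, and a PEM body whose newlines were turned into spaces on the way. The class and method names are hypothetical, and java.util.Base64 replaces sun.misc.BASE64Decoder.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.servlet.ServletRequest;

/** Hypothetical helper (not from the thread): resolves the browser's certificate in a servlet. */
public final class ClientCertResolver {

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Returns the client certificate, or null when the browser presented none. */
    public static X509Certificate resolve(ServletRequest request) throws CertificateException {
        // Path 1: the connector already parsed the chain; element [0] is the client cert.
        Object chain = request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain instanceof X509Certificate[] && ((X509Certificate[]) chain).length > 0) {
            return ((X509Certificate[]) chain)[0];
        }
        // Path 2: PEM text forwarded by mod_jk via "JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT".
        // Tomcat trusts whatever the front end sends here, so the AJP port must only be
        // reachable from the Apache host.
        Object pem = request.getAttribute("SSL_CLIENT_CERT");
        return (pem instanceof String) ? parsePem((String) pem) : null;
    }

    /** Parses one PEM block; returns null when the value carries no certificate. */
    static X509Certificate parsePem(String pem) throws CertificateException {
        int s = (pem == null) ? -1 : pem.indexOf(BEGIN);
        int e = (pem == null) ? -1 : pem.indexOf(END);
        if (s < 0 || e < 0 || e < s) {
            return null;   // empty value (SSLVerifyClient optional, no cert) or damaged markers
        }
        // Apache exports the body with newlines; some hops rewrite them as spaces.
        // The basic Base64 decoder rejects both, so strip all whitespace first.
        String body = pem.substring(s + BEGIN.length(), e).replaceAll("\\s+", "");
        if (body.isEmpty()) {
            return null;
        }
        byte[] der;
        try {
            der = Base64.getDecoder().decode(body);
        } catch (IllegalArgumentException bad) {
            throw new CertificateException("SSL_CLIENT_CERT is not valid base64", bad);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

Either path yields a parsed X509Certificate whose getSubjectX500Principal() the webapp can then check; a null result means no certificate was presented and should be treated as unauthenticated rather than as an error.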