tomcat-users mailing list archives

From Goo Sam Kong <skgo...@gmail.com>
Subject Re: Client not able to perform client-cert authentication with Tomcat 6.0.29 on APR
Date Tue, 16 Nov 2010 15:38:45 GMT
Hi Mark,

Thank you for the settings. I am not sure what the APR/native connector
version is; I am using the default APR/native connector in 6.0.29 (I do not
set/change APR on my Windows machine).

I am not sure why the client certificate authentication failed when my
client certificate was signed with SHA256 but client certificate
authentication worked perfectly when client certificate was signed with
SHA1.

From http://old.nabble.com/SHA256-digest-windows-0.9.8k--td26123008.html, it
mentioned that the developer is required to include a call to
OpenSSL_add_all_algorithms() instead of calling SSL_library_init(), which only
adds the more commonly used SSL algorithms. I am not sure where I should
include this.

Can you advise how to solve my problem?

My APR connector settings:
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
               SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
               SSLVerifyClient="optional"
               SSLVerifyDepth="1"
               SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
               SSLCACertificateFile="C:\usr-files\client-cert-ca.crt" />

On 13 November 2010 00:38, Mark Thomas <markt@apache.org> wrote:

> On 12/11/2010 16:27, Goo Sam Kong wrote:
> > Hi
> >
> > I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
>
> APR/native connector version? SSL re-negotiation wasn't supported until
> recently and the CVE-2009-3555 fixes further complicate things.
>
> > <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
> >            SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
> >            SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
> >            SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
> >            SSLEnabled="true"
> >            SSLEngine="on"
> >            SSLVerifyClient="optional"
> >            maxThreads="150"
> >            port="8443"
> >            protocol="HTTP/1.1"
> >            scheme="https"
> >            secure="true"
> >            sslProtocol="TLS" />
>
> Is SSLEngine a valid attribute here? I don't see it in the Connector docs.
> SSLVerifyClient="optional" can (should?) be removed.
> Is that SSLCipherSuite compatible with your client? Try removing that
> setting until everything else is working.
>
> The following settings are known to work:
>
> <Connector
>  port="8443"
>  protocol="org.apache.coyote.http11.Http11AprProtocol"
>  SSLEnabled="true"
>  maxThreads="150"
>  scheme="https"
>  secure="true"
>  SSLCertificateFile="${catalina.base}/conf/tomcathost-cert.pem"
>  SSLCertificateKeyFile="${catalina.base}/conf/tomcathost-key.pem"
>  SSLCACertificateFile="${catalina.base}/conf/cacert.pem" />
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

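The thread narrows the failure down to the digest the client certificate was signed with (SHA-256 fails, SHA-1 works). A quick way to confirm which digest a given client certificate actually carries is to read the outer signatureAlgorithm OID straight out of the DER; the following is an added example, not code from the thread, Tomcat or OpenSSL, and sample_cert_pem() builds a constructed stand-in certificate (empty body, dummy signature) purely to exercise the parser.

```python
import base64
import re

SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",    # RFC 3279
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}  # RFC 4055

def _read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert DER OID content bytes to dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                          # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name (or raw OID) of the outer signatureAlgorithm of a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)             # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return SIG_ALG_NAMES.get(_decode_oid(oid), _decode_oid(oid))

def signature_algorithm_pem(pem):              # same check for a .crt/.pem file
    return signature_algorithm(base64.b64decode(
        re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)))

def _tlv(tag, content):                        # tiny DER encoder, only for the sample
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def sample_cert_pem(sig_oid_hex):
    """Constructed stand-in (empty body, dummy signature); NOT a real certificate."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 256)  # long enough to exercise long-form lengths
    der = _tlv(0x30, _tlv(0x30, b"\x02\x01\x02") + alg + sig)
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
```

On a real client certificate this reports the same value that `openssl x509 -in client.crt -noout -text` prints as "Signature Algorithm", which is the field to compare between the SHA-1 certificate that works and the SHA-256 one that does not.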