tomcat-users mailing list archives

From Арсений Зинченко <>
Subject Tomcat && SSL: two issues
Date Fri, 31 Jan 2014 10:15:15 GMT
Hi, people.

We have Tomcat with two factor authentication when access to

Auth configured with JDBCRealm & Oracle database:

  <Realm  className="org.apache.catalina.realm.JDBCRealm"


    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               truststorePass="password" />

Auth required via web.xml:


 Client's cert created with keytool:

    $ keytool -genkey -alias somealias -keystore somekey.p12 -storetype PKCS12
    $ keytool -export -alias somealias -file somefile.cer -keystore somekey.p12 -storetype PKCS12

somefile.cer is imported into Tomcat's trustcacerts.jks, and somekey.p12
into the clients' browsers.

The user is present in trustcacerts.jks like:

    somealias, 30-Jan-2014, trustedCertEntry,
    Certificate fingerprint (MD5):

And present in Oracle database, like:

    USER_NAME: CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev, C=UA

    ROLE_NAME: cert

(not exactly the same, but close to it)

Tomcat 5.5.23, running on SuSE 10. Users are on Windows 7, Firefox 26.0
and Chrome 32.0.1700.76 m.

So we have two issues.

1) Some (!) users, when connecting with Chrome, get an error:


In Catalina's log:

    WARNING: Exception getting SSL attributes renegotiation is not allowed

Attempts to add allowUnsafeLegacyRenegotiation="true" and
allowLegacyHelloMessages="true" didn't give results (they were added to
the Connector or as a -D option in CATALINA_OPTS).

What else can be done? All the tips I've googled mention only these two parameters.

2) Using Firefox, some machines get error 403, others authenticate
normally. It looks like this (from Tomcat's auth log):

    10.***.**.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine, C=UA [30/Jan/2014:16:50:29 +0000] "GET /some/page HTTP/1.1" 403 1108  // Got auth failed
    10.***.***.132 - CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA [30/Jan/2014:16:17:29 +0000] "GET /some/page HTTP/1.1" 200 81  // Normal result

I can only think of maybe some difference in the browsers' configs... But
which exactly? Or something else?

Unfortunately we don't have access to tcpdump and ssldump now, so I
can't check the details.

Thanks for any tips/links.
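Added triage example for issue 2 (this is not code from the post or from Tomcat): Tomcat's realm authenticates a client certificate by using the certificate's subject DN string as the user name, so a TLS handshake that succeeds and is then answered with 403 is what you get when that exact string matches no USER_NAME row, or the row maps to no role the web.xml constraint allows. The script parses the access-log lines quoted above, checks each DN for an exact match against a constructed stand-in for the Oracle table, and reports the attribute on which a near-match differs; SAMPLE_LOG and SAMPLE_DB are constructed, and the ST=Kiev row is an assumption, not the poster's data.

```python
import re
from typing import Dict, List, Optional

# Access-log line as quoted in the post: the remote-user field holds the whole
# certificate subject DN (commas included), so the DN ends at the " [" of the timestamp.
LOG_RE = re.compile(r'^(?P<ip>\S+) - (?P<dn>.+?) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

# Constructed sample input: the two log lines quoted in the post, one per element.
SAMPLE_LOG = [
    '10.***.**.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine, C=UA [30/Jan/2014:16:50:29 +0000] "GET /some/page HTTP/1.1" 403 1108',
    '10.***.***.132 - CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA [30/Jan/2014:16:17:29 +0000] "GET /some/page HTTP/1.1" 200 81',
]
# Constructed stand-in for the Oracle user/role rows (USER_NAME -> ROLE_NAME); the
# first row is assumed and differs from the logged DN only in its ST attribute.
SAMPLE_DB: Dict[str, str] = {
    'CN=someuser, OU=**, O=company, L=Kiev, ST=Kiev, C=UA': 'cert',
    'CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA': 'cert',
}

def dn_attrs(dn: str) -> Dict[str, List[str]]:
    """Group a DN's RDN values by attribute type (types upper-cased, values stripped)."""
    attrs: Dict[str, List[str]] = {}
    for rdn in dn.split(','):
        if '=' not in rdn:
            raise ValueError(f'malformed RDN: {rdn!r}')
        k, v = rdn.split('=', 1)
        attrs.setdefault(k.strip().upper(), []).append(v.strip())
    return attrs

def dn_diff(cert_dn: str, db_dn: str) -> list:
    """(attribute, cert values, db values) for each attribute that differs; [] if equivalent."""
    a, b = dn_attrs(cert_dn), dn_attrs(db_dn)
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]

def closest_db_entry(cert_dn: str, db: Dict[str, str]) -> Optional[str]:
    """DB USER_NAME sharing the certificate's CN, used to explain a failed exact match."""
    cn = dn_attrs(cert_dn).get('CN')
    return next((name for name in db if dn_attrs(name).get('CN') == cn), None)

def triage(log_lines: List[str], db: Dict[str, str]) -> List[dict]:
    """Per request: HTTP status, whether the DN string is an exact USER_NAME (the lookup
    the realm performs), the mapped role, and attribute-level differences when it is not."""
    report = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected access-log pattern; skip
        dn, exact = m['dn'], m['dn'] in db
        near = None if exact else closest_db_entry(dn, db)
        report.append({'dn': dn, 'status': int(m['status']), 'exact_match': exact,
                       'role': db.get(dn), 'diff': dn_diff(dn, near) if near else []})
    return report
```

Run `triage(SAMPLE_LOG, SAMPLE_DB)`: the 403 request shows `exact_match: False` with `diff` pointing at ST, while the 200 request matches exactly and carries the `cert` role.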

