tomcat-users mailing list archives

From Арсений Зинченко <setev...@gmail.com>
Subject Tomcat && SSL: two issues
Date Fri, 31 Jan 2014 10:15:15 GMT
Hi, people.

We have Tomcat with two-factor authentication when access to
/some/page is requested.

Auth configured with JDBCRealm & Oracle database:

  <Realm  className="org.apache.catalina.realm.JDBCRealm"
         driverName="oracle.jdbc.driver.OracleDriver"
         ...

SSL-connector:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="/home/keystore.jks"
               keyAlias="keystore"
               keystorePass="password"
               truststoreFile="/home/trustcacerts.jks"
               truststorePass="password" />

Auth required via web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>*</web-resource-name>
      <url-pattern>/some/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>cert</role-name>
  </security-role>

Client's cert created with keytool:

    $ keytool -genkey -alias somealias -keystore somekey.p12 -storetype PKCS12
    $ keytool -export -alias somealias -file somefile.cer -keystore somekey.p12 -storetype PKCS12

somefile.cer is imported into Tomcat's trustcacerts.jks, and somekey.p12
into the clients' browsers.

The user is present in trustcacerts.jks like:

    somealias, 30-Jan-2014, trustedCertEntry,
    Certificate fingerprint (MD5): 60:A1:CE:35:2D:5E:01:22:65:A7:26:19:9E:D6:F3:74

And present in the Oracle database like:

    USER_NAME: CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev, C=UA

    ROLE_NAME: cert

(not exactly the same, but close to it)

Tomcat 5.5.23, running on SuSE 10. Users are on Windows 7, with Firefox 26.0
and Chrome 32.0.1700.76 m.

So, we have two issues.

1) Some (!) of the users, when connecting with Chrome, get the error:

Error code: ERR_SSL_PROTOCOL_ERROR

In Catalina's log:

    WARNING: Exception getting SSL attributes
    javax.net.ssl.SSLHandshakeException: renegotiation is not allowed

Attempts to add allowUnsafeLegacyRenegotiation="true" and
allowLegacyHelloMessages="true" don't give any result (added to the
Connector, or as a -D option in CATALINA_OPTS).

What else can be done? All the tips I've googled talk only about these two parameters.

2) Using Firefox, some machines get error 403, others authenticate
normally. It looks like this (from Tomcat's auth log):

    10.***.**.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine, C=UA [30/Jan/2014:16:50:29 +0000] "GET /some/page HTTP/1.1" 403 1108   // Got auth failed;
    10.***.***.132 - CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA [30/Jan/2014:16:17:29 +0000] "GET /some/page HTTP/1.1" 200 81   // Normal result.

I can only think of maybe some difference in the browsers' configs... But
which exactly? Or something else?

Unfortunately we don't have access to tcpdump and ssldump now, so I
can't check the details.

Thanks for any tips/links.
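An added diagnostic for issue 2, not code from the post or from Tomcat: with CLIENT-CERT auth the user name Tomcat hands to the JDBCRealm is the subject DN string of the client certificate, and the realm looks that string up verbatim in the user table, so a DN that differs in any RDN from the stored USER_NAME gets no roles and therefore a 403. The script below parses access-log lines in the format quoted above and reports, RDN by RDN, how each logged DN differs from the nearest table row; the log lines (with a made-up IP) and the user table are constructed from the values in the post.

```python
import re

# Tomcat access log: host, "-", user (for CLIENT-CERT the whole subject DN), [ts] "req" status bytes
LOG_RE = re.compile(r'^(\S+) - (.+?) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def parse_log_line(line):
    """Return (remote_host, user_dn, status) from one Tomcat access-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable access-log line: %r" % line)
    return m.group(1), m.group(2), m.group(5)

def parse_dn(dn):
    """'CN=a, OU=b' -> [(type, value), ...] in RDN order; only unescaped commas split RDNs."""
    out = []
    for rdn in re.split(r'(?<!\\),', dn):
        typ, _, val = rdn.strip().partition('=')
        out.append((typ.strip().upper(), val.strip()))
    return out

def dn_diff(logged, stored):
    """RDNs whose value differs between the logged DN and the stored USER_NAME ([] = match)."""
    a, b = dict(parse_dn(logged)), dict(parse_dn(stored))
    return ["%s: cert=%r table=%r" % (k, a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]

def check_log(lines, user_table):
    """Per log line: (dn, status, verdict, diffs); only an exact USER_NAME row yields roles."""
    report = []
    for line in lines:
        _, dn, status = parse_log_line(line)
        if dn in user_table:
            report.append((dn, status, "exact row found", []))
            continue
        cn = dict(parse_dn(dn)).get("CN")                      # nearest row: same CN
        near = [u for u in user_table if dict(parse_dn(u)).get("CN") == cn]
        diffs = dn_diff(dn, near[0]) if near else ["no row with CN=%s" % cn]
        report.append((dn, status, "no exact row", diffs))
    return report

# Constructed sample input: the two access-log lines quoted in the post (IP made
# up) and a USER_NAME table whose first row is the DN the post shows for Oracle.
SAMPLE_LOG = [
    '10.0.0.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine, C=UA [30/Jan/2014:16:50:29 +0000] "GET /some/page HTTP/1.1" 403 1108',
    '10.0.0.132 - CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA [30/Jan/2014:16:17:29 +0000] "GET /some/page HTTP/1.1" 200 81',
]
USER_TABLE = {
    "CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev, C=UA": ["cert"],
    "CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA": ["cert"],
}
```

Run `check_log(SAMPLE_LOG, USER_TABLE)`: the 403 line has no exact row and differs from the someuser row in L, O, OU and ST, while the 200 line matches its row exactly.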

