tomcat-users mailing list archives

From Robert Sulliman <robert.sulli...@sjrb.ca>
Subject Tomcat - Two Way SSL as Server
Date Mon, 14 Nov 2016 18:25:06 GMT
Hi All,

I'm trying to implement two way SSL on a new web service that we are building and I'm having
some issues.

First, some info on the environment.

Server version: Apache Tomcat/8.0.36
Server built:   Jun 9 2016 13:55:50 UTC
Server number:  8.0.36.0
OS Name:        Linux
OS Version:     3.10.0-514.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_111-b14
JVM Vendor:     Oracle Corporation

We use an internal certificate authority to sign all of our certificates. So all the client
certificates are signed by our internal root. When I trust the root certificate in the client
trust store everything works. All client certificates signed by the internal root work.

However, if I remove the root certificate from the client trust store and add individual
client certificates instead, I get a cert chain error.
________________________________
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 107108750176335210433834926983330116805775068919227166974389735341685270962458
  public y coord: 93195725734236902743006469378087068209149058097948526490562555560744449337507
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA,
SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA,
SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=Client, OU=Information Technology, O=Company, L=Calgary, ST=Alberta, C=CA>
*** ServerHelloDone
http-nio2-8443-exec-4, WRITE: TLSv1.2 Handshake, length = 4482
http-nio2-8443-exec-2, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
http-nio2-8443-exec-2, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
http-nio2-8443-exec-2, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
http-nio2-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-nio2-8443-exec-2, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException:
null cert chain
http-nio2-8443-exec-2, called closeOutbound()
http-nio2-8443-exec-2, closeOutboundInternal()
________________________________
This is an issue for us, as we can't have all the client certificates in the company granted
access to this endpoint; it kind of defeats the purpose.

The company root certificate is in another trust store used on server startup. Here are my
configs.

Server.xml connector:
________________________________
   <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
              port="8443" maxThreads="24" minSpareThreads="4" maxSpareThreads="4" acceptCount="1000"
              server=" "
              scheme="https" secure="true" SSLEnabled="true"
              keystoreFile="certs/servercert.jks" keystorePass=" CrazyPasswordHere"
              clientAuth="true" truststoreFile="/usr/local/tomcat/certs/clienttrust.jks"
              truststorePass="CrazyPasswordHere"
              sslEnabledProtocols="TLSv1.2" sslProtocol="TLS"
              ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
              useServerCipherSuitesOrder="true" compression="on" compressionMinSize="2048"
              compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"
   />
________________________________
Systemd init:
________________________________
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat
After=syslog.target network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/usr/local/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/usr/local/tomcat
Environment=CATALINA_BASE=/usr/local/tomcat
Environment='CATALINA_OPTS= -Xms2048M -Xmx2048M -server -XX:+UseParallelGC \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=8090 \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=/usr/local/tomcat/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=/usr/local/tomcat/conf/jmxremote.access \
-Djavax.net.debug=SSL \
-Djavax.net.ssl.trustStore=/usr/local/tomcat/certs/servertrust.jks \
-Djavax.net.ssl.trustStorePassword=CrazyPasswordHere \
-Djavax.net.ssl.keyStore=/usr/local/tomcat/certs/serverclient.jks \
-Djavax.net.ssl.keyStorePassword=CrazyPasswordHere '
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID

User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target
________________________________

Thanks!

Robert Sulliman

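The handshake dump above already shows the mechanism: the server's CertificateRequest lists the subject DNs of whatever is in the trust store ("Cert Authorities: <CN=Client, ...>"), so when that store holds leaf certificates instead of the root, the client has nothing issued by the advertised name and sends an empty chain ("Certificate chain <Empty>", then "null cert chain"). A defender's way to keep the root in the trust store (so the handshake works) and still restrict the endpoint to specific clients is a trust manager that delegates path validation to the root and then checks the leaf against an allow list. The class below is an added example, not code from the original post or from Tomcat; it assumes the trust store path and password from the connector config, a placeholder SHA-256 fingerprint, and that it is wired in through the connector's `trustManagerClassName` attribute (assumed available on this Tomcat 8.0 JSSE connector).

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class AllowListTrustManager implements X509TrustManager {
    // Assumed values: the trust store now holds the internal root CA, not individual client certs.
    private static final String TRUST_STORE = "/usr/local/tomcat/certs/clienttrust.jks";
    private static final char[] TRUST_STORE_PASS = "CrazyPasswordHere".toCharArray();
    // Lowercase hex SHA-256 fingerprints of the client certificates permitted on this endpoint (placeholder).
    private static final Set<String> ALLOWED = Collections.singleton("PLACEHOLDER_SHA256_FINGERPRINT_OF_ALLOWED_CLIENT_CERT");
    private final X509TrustManager delegate;

    public AllowListTrustManager() {
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, TRUST_STORE_PASS);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
            tmf.init(ks);
            delegate = (X509TrustManager) tmf.getTrustManagers()[0];  // PKIX factory yields an X509TrustManager first
        } catch (Exception e) {
            throw new IllegalStateException("cannot load client trust store", e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);  // PKIX path validation up to the internal root
        String fp = sha256Hex(chain[0]);                // chain[0] is the client's own (leaf) certificate
        if (!ALLOWED.contains(fp))
            throw new CertificateException("client not on allow list: " + chain[0].getSubjectX500Principal());
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { delegate.checkServerTrusted(chain, authType); }

    @Override  // returns the root CA, which is what the CertificateRequest then advertises to clients
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    private static String sha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));  // %x on a byte prints its unsigned value
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
}
```

Rejected clients fail the handshake with bad_certificate just as in the dump above, but now because the leaf is not on the list rather than because no chain was sent; the fingerprints to list can be taken from the certificates you intend to admit.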