tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nicolas Therrien <Nicolas.Therr...@airbus-dscomm.com>
Subject RE: Question related to mutual authentication
Date Thu, 09 Nov 2017 20:40:22 GMT
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Thursday, November 9, 2017 11:16 AM
To: users@tomcat.apache.org
Subject: Re: Question related to mutual authentication

Mark,

On 11/9/17 5:02 AM, Mark Thomas wrote:
> On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien 
> <Nicolas.Therrien@airbus-dscomm.com> wrote:
> 
> <snip/>
> 
>> My understanding is that when "certificateVerification" is set to 
>> "required", the server would perform the same verification as the 
>> client does, that is:
>> 
>> 1) Verify the incoming certificate is signed by an authority that is 
>> part of the local truststore.
> 
> Correct.
> 
>> 2) Verify that the incoming certificate's common name matches the 
>> hostname of the peer we are communicating with.
> 
> Incorrect.
> 
> The client very is intended to prove the identity of the user, not the 
> host the happen to be using.

s/very/cert/

This is also very (sic) dependent upon the URL that the client is using to connect to the
server. For example, if you move a certificate with cn=localhost between many servers and
access it using https://localhost/ then you will never get any errors. Likewise, if you redefine
the DNS name and keep the URL consistent, then you will also connect without any errors.

Since you wrote the client, you are ultimately responsible for performing hostname verification.
If you use HttpsURLConnection or anything else built-into the JVM like that that uses SSLContext
and friends, you should automatically get hostname verification unless you specifically take
steps to disable it.

But if you are rolling your own connection code, you won't get that kind of protection.

- -chris

------------------------------------------


Thanks to Christopher and Mark for your responses.  Much appreciated!

I understand now that when validating the client, we're validating the user, not a  machine
name. This makes sense.  I realize now that both server and client validation are dependent
on the context and is not necessarily a foolproof guarantee of identity.

This question is now closed :)

Nicolas Therrien ing.
Senior Software Engineer

Airbus DS Communications
home of VESTA®
200 Boul. de la Technologie, Suite 300
Gatineau, QC J8Z 3H6
Canada
819.931.2139  (DIRECT)
www.Airbus-DSComm.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Mime
View raw message