| Summary: | SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4 | | |
|---|---|---|---|
| Product: | Tomcat Native | Reporter: | Florian Kleedorfer <florian.kleedorfer> |
| Component: | Library | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | regression | | |
| Priority: | P2 | | |
| Version: | 1.2.4 | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | All | | |
Description
Florian Kleedorfer
2016-05-23 15:13:04 UTC
I tried with the latest APR versions available on the website: https://tomcat.apache.org/download-native.cgi. With 1.1.34, our application works; with 1.2.7, I'm experiencing the same issue.

I'm seeing the issue (or something very like it) with 1.2.7 and Tomcat trunk. I spent a little time looking at the 1.1.x code vs 1.2.x but don't see any obvious root causes. I plan to do some more investigation today.

Results of further testing. The following work:

- OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.x + OSX client
- OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + OSX client
- OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.6 + OSX client
- OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.6 + Win client

The following fail:

- Win + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + Win client
- Win + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + OSX client

Assuming there is only a single bug here, the results above rule everything out apart from the OS hosting the Tomcat server. That suggests an OS-specific element of one of the native builds is responsible for this change. It is going to take some more work to track this down.

Whatever is going wrong is going wrong in OpenSSL. Don't know where the root cause is at the moment, but the error is:

3648:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:.\ssl\s3_srvr.c:3270:

which triggers a full failure rather than allowing the tc-native code to decide what to do.

I've found the root cause. There were some changes in the build scripts between 1.1.x and 1.2.x that meant OCSP was always enabled. Validation with optionalNoCA always fails if OCSP is enabled. I plan to commit my fix early next week and start the process to release a new set of Windows binaries for tc-native.

1.1.x is not affected. 1.2.0 to 1.2.7 is affected.

This has been fixed in 1.2.x and will be included in 1.2.8 onwards.
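As an added example (not code from the bug report or from tc-native), a small Python helper that decodes OpenSSL 1.0.x error lines of the form quoted above (the 8-digit hex code packs an 8-bit library number, a 12-bit function number and a 12-bit reason number) and flags client-certificate verification failures during the handshake, the log signature to look for when checking whether a Windows tc-native 1.2.0 to 1.2.7 deployment with SSLVerifyClient="optionalNoCA" is hit by this regression. The first sample line is the one from the report; the second is constructed for contrast.

```python
import re

# OpenSSL 1.0.x error line: error:LLFFFRRR:<library>:<function>:<reason>[:<file>:<line>]
ERR_LINE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
    r"(?::(?P<file>[^:]*):(?P<line>\d+))?"
)

# Constructed sample log: line 1 is the error quoted in the bug report,
# line 2 is an unrelated handshake error added for contrast.
SAMPLE_LOG = """\
3648:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:.\\ssl\\s3_srvr.c:3270:
3648:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:.\\ssl\\s23_srvr.c:640:
"""


def parse_openssl_error(text):
    """Return the fields of one OpenSSL error line, or None if it is not one."""
    m = ERR_LINE.search(text)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "code": code,
        "lib_num": code >> 24,             # same split as ERR_GET_LIB()
        "func_num": (code >> 12) & 0xFFF,  # same split as ERR_GET_FUNC()
        "reason_num": code & 0xFFF,        # same split as ERR_GET_REASON()
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason"),
        "file": m.group("file"),
        "line": int(m.group("line")) if m.group("line") else None,
    }


def is_client_cert_verify_failure(err):
    """True when the server aborted the handshake on the client certificate.
    With optionalNoCA this should not be fatal; on the affected Windows
    tc-native builds (OCSP forced on) it is, which is what this flags."""
    return (err is not None
            and err["lib"] == "SSL routines"
            and err["func"] == "ssl3_get_client_certificate"
            and err["reason"] == "certificate verify failed")


def triage(log_text):
    """Collect the client-cert verification failures found in a log."""
    return [err for err in map(parse_openssl_error, log_text.splitlines())
            if is_client_cert_verify_failure(err)]
```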