| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | 3a4c7bf2513a6f3e52d9608f3855d5f8148fef48 introduces regression with cert-based authentication | | |
| Product: | Tomcat 8 | Reporter: | Michael Osipov <michaelo> |
| Component: | Util | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | regression | | |
| Priority: | P2 | | |
| Version: | 8.5.75 | | |
| Target Milestone: | ---- | | |
| Hardware: | All | | |
| OS: | All | | |
Description
Michael Osipov
2022-01-26 13:54:29 UTC
When the possibility exists, the regular configuration should be used; otherwise there will always be problems. The doc there (https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslopensslconfcmd) also says it is going to be a mess since there is config duplication. Looking at https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html, it is possible to identify some commands that would accurately indicate that a CA is being configured, including ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath and RequestCAFile. In that case the reject callback would not be set. But having to do and maintain that special handling is annoying, and calls for more special cases.

Yet another problem is that the changelog entry does not really represent the change in behavior. I guess we need to reproduce the same "Compatibility and Stability warning" block as mod_ssl.

Mark Thomas (comment #3)

We can certainly add a similar warning to the docs for OpenSSLConf.

I'm going to look at this again to see if I can get to the bottom of why I see different behaviour on MacOS and if that enables me to identify an alternative solution that avoids the complications with OpenSSLConf.

(In reply to Mark Thomas from comment #3)

> We can certainly add a similar warning to the docs for OpenSSLConf.

OpenSSLConf is not documented at all; we need to document that and simply copy the banner from mod_ssl. That should be enough to warn users.

> I'm going to look at this again to see if I can get to the bottom of why I
> see different behaviour on MacOS and if that enables me to identify an
> alternative solution that avoids the complications with OpenSSLConf.

Not only that, I would expect that if not configured it would return the same TLS message as mod_ssl for consistency reasons. The description in the changelog doesn't really help to identify the actual change.

Mark Thomas

The root cause was the way homebrew configures OpenSSL. It imports the CAs trusted by the system when you install OpenSSL and uses those as the defaults if you don't explicitly define a CA. The Tomcat Test CA was in that list due to some previous testing I had been doing and that was the cause of the difference in behaviour. I have reverted the original patch as it is unnecessary. Separately, I'll add some docs for OpenSSLConf.
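The description above proposes recognising the OpenSSLConf commands that configure a CA (ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath, RequestCAFile) and notes that duplicating CA configuration between the regular settings and OpenSSLConf is a mess. As an added example, not code from the bug thread or from the Tomcat project, the following Python audits a server.xml and reports, per SSLHostConfig, whether CA material is configured through the regular attributes (caCertificateFile, caCertificatePath, truststoreFile), only through OpenSSLConf commands, both at once (duplicated), or not at all. The sample server.xml is constructed; its host names and file paths are placeholders.

```python
import xml.etree.ElementTree as ET

# OpenSSLConf commands from the SSL_CONF_cmd(3) list cited in the bug that
# indicate a CA is being configured.
CA_CONF_COMMANDS = {
    "ChainCAFile", "ChainCAPath", "VerifyCAFile", "VerifyCAPath", "RequestCAFile",
}

# SSLHostConfig attributes that configure CA material the regular way.
CA_ATTRIBUTES = ("caCertificateFile", "caCertificatePath", "truststoreFile")

# Constructed sample: three virtual hosts with different CA setups.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true">
      <SSLHostConfig hostName="dup.example" certificateVerification="required"
                     caCertificateFile="conf/ca.pem">
        <Certificate certificateFile="conf/server.pem" certificateKeyFile="conf/server.key"/>
        <OpenSSLConf>
          <OpenSSLConfCmd name="VerifyCAFile" value="conf/ca.pem"/>
        </OpenSSLConf>
      </SSLHostConfig>
      <SSLHostConfig hostName="confonly.example" certificateVerification="required">
        <Certificate certificateFile="conf/server.pem" certificateKeyFile="conf/server.key"/>
        <OpenSSLConf>
          <OpenSSLConfCmd name="Protocol" value="-SSLv3"/>
          <OpenSSLConfCmd name="VerifyCAPath" value="conf/cas"/>
        </OpenSSLConf>
      </SSLHostConfig>
      <SSLHostConfig hostName="nocert.example">
        <Certificate certificateFile="conf/server.pem" certificateKeyFile="conf/server.key"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def ca_commands(ssl_host_config):
    """Return the OpenSSLConf commands under this SSLHostConfig that configure a CA."""
    return {
        cmd.get("name"): cmd.get("value")
        for cmd in ssl_host_config.iter("OpenSSLConfCmd")
        if cmd.get("name") in CA_CONF_COMMANDS
    }


def audit_ca_configuration(server_xml):
    """Classify every SSLHostConfig by where its CA material comes from.

    Status values:
      regular            CA set via caCertificateFile/caCertificatePath/truststoreFile
      openssl-conf-only  CA set only via OpenSSLConf commands (the special case
                         the bug discusses: Tomcat cannot see the CA without
                         inspecting the commands)
      duplicated         both mechanisms set a CA (the "mess" mod_ssl warns about)
      no-ca              neither mechanism sets a CA
    """
    root = ET.fromstring(server_xml)
    findings = []
    for shc in root.iter("SSLHostConfig"):
        regular = {a: shc.get(a) for a in CA_ATTRIBUTES if shc.get(a)}
        via_conf = ca_commands(shc)
        if regular and via_conf:
            status = "duplicated"
        elif via_conf:
            status = "openssl-conf-only"
        elif regular:
            status = "regular"
        else:
            status = "no-ca"
        findings.append({
            "host": shc.get("hostName", "_default_"),
            "status": status,
            "certificateVerification": shc.get("certificateVerification", "none"),
            "regular": regular,
            "openssl_conf": via_conf,
        })
    return findings


def report(findings):
    """Render one warning line per host that needs attention; an empty list is clean."""
    lines = []
    for f in findings:
        if f["status"] == "duplicated":
            lines.append(f"{f['host']}: CA configured twice, regular {sorted(f['regular'])} "
                         f"and OpenSSLConf {sorted(f['openssl_conf'])}; drop one")
        elif f["status"] == "openssl-conf-only":
            lines.append(f"{f['host']}: CA only via OpenSSLConf {sorted(f['openssl_conf'])}; "
                         f"prefer the regular attributes")
        elif f["status"] == "no-ca" and f["certificateVerification"] != "none":
            lines.append(f"{f['host']}: certificateVerification={f['certificateVerification']} "
                         f"but no CA configured")
    return lines


if __name__ == "__main__":
    for line in report(audit_ca_configuration(SAMPLE_SERVER_XML)):
        print(line)
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; a clean configuration produces no output. The check deliberately stays at the server.xml level and says nothing about which callback tomcat-native sets, since that is the internal behaviour the thread debates.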