Bug 59940 - Connector attribute certificateVerification in the new SSLHostConfig section is not requiring a client certificate
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.5.4
Hardware: PC All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2016-08-03 21:01 UTC by Shaun Morton
Modified: 2016-08-04 19:55 UTC
Description Shaun Morton 2016-08-03 21:01:34 UTC
Connector attribute "certificateVerification" in the new SSLHostConfig section is not requiring a client certificate in Tomcat 8.5.4.

In Tomcat 8.0.33 I was using the clientAuth="true" connector attribute.  I moved it over to the new certificateVerification="required" in the SSLHostConfig section.

I have removed all client certificates and I am not getting rejected.  I connect to a Tomcat 8.0.33 with no certificate and get rejected.  If I add the client certificate back and connect to the 8.0.33 I am good.

I have set Tomcat logs to debug and have not found any error messages, issues starting the connector or issues with bad attributes.  I have used both IE and Chrome browsers.  It seems as if the certificateVerification isn't being set.  I searched for any issues for the certificateVerification attribute and could not find anything.

I apologize up front if I missed the fix when searching for one.

Here is my server.xml portion for SSL:
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation with the JSSE engine. When
         using the JSSE engine, the JSSE configuration attributes must be used.
    -->

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
	       SSLEnabled="true"
               maxThreads="150" 
	       scheme="https" 
	       secure="true"
	       maxKeepAliveRequests="15"
	       connectionTimeout="60000"
	       acceptCount="100"
	       connectionUploadTimeout="300000"
	       compression="force"
	       enableLookups="true"
	       disableUploadTimeout="false" >
        <SSLHostConfig>
	       truststoreFile="?:\?\?.jks"
	       truststorePass="*********"
	       certificateVerification="required"
	       protocols="TLSv1,TLSv1.1,TLSv1.2" >
            <Certificate certificateKeystoreFile="?:\?\?.jks"
			 certificateKeystorePassword="***********"
	 		 certificateKeyAlias="1"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
Comment 1 Shaun Morton 2016-08-04 16:23:56 UTC
I would expect to see this error message in the tomcat8-stdout.????-??-??.log when SSL debug is enabled and the client does not present a certificate.  I see nothing in the log when running 8.5.4:

%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
http-nio-8443-exec-2, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
http-nio-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-nio-8443-exec-2, called closeSocket()
http-nio-8443-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8443-exec-2, IOException in getSession():  javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8443-exec-2, called close()
http-nio-8443-exec-2, called closeInternal(true)

and what Chrome would present:
This site can’t provide a secure connection

servername didn’t accept your login certificate, or your login certificate may have expired.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
Comment 2 Shaun Morton 2016-08-04 19:25:32 UTC
I was able to resolve the problem.  I needed to use the attribute "truststorePassword" instead of the attribute "truststorePass" listed on the following help page:
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig

Working Server.xml file:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
	       SSLEnabled="true"
               maxThreads="150" 
	       scheme="https" 
	       secure="true"
	       maxKeepAliveRequests="15"
	       connectionTimeout="60000"
	       acceptCount="100"
	       connectionUploadTimeout="300000"
	       compression="force"
	       enableLookups="true"
	       disableUploadTimeout="false" >
        <SSLHostConfig
	       truststoreFile="?:\?\?.jks"
	       truststorePassword="*******"
	       certificateVerification="required"
	       protocols="+TLSv1,+TLSv1.1,+TLSv1.2" >
            <Certificate certificateKeystoreFile="?:\?\?.jks"
			 certificateKeystorePassword="*******"
	 		 certificateKeyAlias="1"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
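As an added check (not part of this report or of Tomcat itself): a small Python lint over server.xml that flags the ways a configuration like the one above can silently fail to require a client certificate: a pre-8.5 attribute name such as truststorePass or clientAuth placed on SSLHostConfig, an SSLHostConfig tag closed early with ">" so its attributes become ignored text, and certificateVerification set with no trust anchors named. The known-attribute set is a subset of the Tomcat 8.5 SSLHostConfig documentation; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Pre-8.5 Connector-level attribute names and their SSLHostConfig equivalents.
# Tomcat 8.5 does not recognise the old names on <SSLHostConfig>, so a
# truststorePass= there leaves the truststore unconfigured without any error.
LEGACY_NAMES = {
    "clientAuth": "certificateVerification",
    "truststorePass": "truststorePassword",
    "keystoreFile": "certificateKeystoreFile",
    "keystorePass": "certificateKeystorePassword",
}
# Attributes that name trust anchors for client-certificate verification.
TRUST_ANCHOR_ATTRS = ("truststoreFile", "caCertificateFile")


def lint_server_xml(xml_text):
    """Return (severity, message) findings for every SSL-enabled Connector."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for name in conn.keys():
            if name in LEGACY_NAMES:  # deprecated since 8.5, still accepted here
                findings.append(("warn", f"Connector uses deprecated '{name}'; "
                                 f"prefer <SSLHostConfig {LEGACY_NAMES[name]}=...>"))
        for host in conn.findall("SSLHostConfig"):
            # A stray '>' right after <SSLHostConfig turns every following
            # attribute into element text, which the parser ignores entirely.
            if host.text and "=" in host.text:
                findings.append(("error", "SSLHostConfig closed early: its "
                                 "attributes are text content and are ignored"))
            for name in host.keys():
                if name in LEGACY_NAMES:
                    findings.append(("error", f"'{name}' is not an SSLHostConfig "
                                     f"attribute; use '{LEGACY_NAMES[name]}'"))
            if host.get("certificateVerification") in ("required", "optional") \
                    and not any(host.get(a) for a in TRUST_ANCHOR_ATTRS):
                findings.append(("warn", "certificateVerification set but no "
                                 "truststoreFile/caCertificateFile; the JVM "
                                 "default trust store will be used"))
    return findings


# Constructed samples: the mistaken and the corrected attribute names.
SAMPLE_BAD = ('<Server><Service><Connector port="8443" SSLEnabled="true" clientAuth="true">'
              '<SSLHostConfig truststoreFile="ts.jks" truststorePass="x" certificateVerification="required">'
              '<Certificate certificateKeystoreFile="ks.jks"/></SSLHostConfig></Connector></Service></Server>')
SAMPLE_GOOD = SAMPLE_BAD.replace('truststorePass="x"', 'truststorePassword="x"').replace(' clientAuth="true"', '')
SAMPLE_EARLY = ('<Server><Service><Connector port="8443" SSLEnabled="true"><SSLHostConfig>'
                ' truststoreFile="ts.jks" certificateVerification="required" >'
                '<Certificate certificateKeystoreFile="ks.jks"/></SSLHostConfig></Connector></Service></Server>')
```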
Comment 3 Mark Thomas 2016-08-04 19:55:21 UTC
Thanks for the update. I've fixed the docs for 9.0.x and 8.5.x for the next release of each (9.0.0.M10 and 8.5.5).