Created attachment 38232 [details]
ZIP file containing the adjusted default config as mentioned in the description

According to the documentation https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig, setting certificateVerification="none" should behave as follows:

"A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication."

The problem encountered is that a resource protected by a security constraint that uses CLIENT-CERT authentication does not cause Tomcat to request a certificate chain. As a result all access is denied.

Reproduced in Apache Tomcat versions 9.0.60 and 8.5.77

Tested Java versions:
OpenJDK Runtime Environment (build 17.0.2+8-86) on Tomcat 9.0.60 and 8.5.77, Zulu 8.56.0.23-CA-win64 (build 1.8.0_302-b08) on Tomcat 9.0.60

Tested Tomcat Connector on Tomcat 9.0.60:
- org.apache.coyote.http11.Http11NioProtocol - JSSE
- org.apache.coyote.http11.Http11AprProtocol, UpgradeProtocol org.apache.coyote.http2.Http2Protocol - JSSE and OpenSSL

Tested Tomcat Connector on Tomcat 8.5.77:
- org.apache.coyote.http11.Http11NioProtocol - JSSE

catalina.log excerpt of a failed authentication:
23-Mar-2022 21:15:11.270 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /examples/jsp/security/protected/index.jsp
23-Mar-2022 21:15:11.270 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
23-Mar-2022 21:15:11.271 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
23-Mar-2022 21:15:11.277 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations Loading persistent provider registrations from [C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\jaspic-providers.xml]
23-Mar-2022 21:15:11.282 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
23-Mar-2022 21:15:11.283 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
23-Mar-2022 21:15:11.283 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
23-Mar-2022 21:15:11.284 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

How to reproduce:
1. For changes made to the default configuration see attachments:
- conf/server.xml: Connector port 8080 disabled, connector port 443 with SSL configuration enabled and adjusted
- conf/tomcat-users.xml: Role "user" and one user added
- webapps/examples/WEB-INF/web.xml: Changed security-constraint, login-config and security-role for CLIENT-CERT authentication
2. Open https://<hostname>/examples/jsp/security/protected/index.jsp in a browser
This should result in "HTTP Status 401 – Unautorisiert"

To check if the configuration works otherwise:
1. Change certificateVerification to "required" in conf/server.xml
2. Restart Tomcat
3. Open https://<hostname>/examples/jsp/security/protected/index.jsp in a browser
This should return the example webpage showing the authenticated user.
Hardware: PC
OS: Windows 10
Tried some other things with the same result:
- Tested with Apache Tomcat 9 on Windows Server
- Removed LockOutRealm and used UserDatabaseRealm directly
- Used MemoryRealm instead of UserDatabaseRealm
- Used a different role name
- Used allRolesMode="authOnly" and checked for role "*"
Tomcat has unit tests for this which have been passing consistently for as long as I can remember. There is also at least one test in the Servlet TCK for this that Tomcat also passes.

TLS 1.3 changed how client certificate authentication works. It uses a new process called post handshake authentication. JSSE does not support this on the server side and currently has no plans to since HTTP/2 does not allow it.

I suspect one of two causes:
1. TLS v1.3 + JSSE
2. Misconfiguration

Tomcat emits a warning if you use certificateVerification="want" with TLS 1.3. I suspect we need a similar warning for TLS 1.3 + certificateVerification="none" + CLIENT-CERT
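The warning proposed in the comment above, written out as a stand-alone configuration check (an added example, not Tomcat's own code): it parses a server.xml and a web.xml and flags every SSL connector that leaves certificateVerification at "none" while still allowing TLS 1.3, provided the web application's login-config uses CLIENT-CERT. It assumes that Tomcat's `protocols` attribute defaults to "all" and that "all" includes TLSv1.3, that protocol tokens may carry a "+"/"-" prefix, and that the legacy Connector attributes clientAuth and sslEnabledProtocols are the old spellings of certificateVerification and protocols; the sample server.xml and web.xml are constructed here, not taken from the reporter's attachment.

```python
import xml.etree.ElementTree as ET

TLS13 = "TLSv1.3"
# Assumption: Tomcat's "all" token expands to these protocol names (TLSv1.3 included).
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", TLS13}
# Assumption: legacy Connector clientAuth values and their SSLHostConfig equivalents.
LEGACY_CLIENT_AUTH = {"true": "required", "want": "optional", "false": "none"}


def local_name(tag):
    """Strip an XML namespace: '{http://...}auth-method' -> 'auth-method'."""
    return tag.rsplit("}", 1)[-1]


def tls13_allowed(protocols):
    """Evaluate Tomcat's comma-separated `protocols` list left to right ("all" is the default;
    a "+" prefix adds a protocol, a "-" prefix removes it) and report whether TLSv1.3 survives."""
    allowed = set()
    for tok in (t.strip() for t in (protocols or "all").split(",")):
        if not tok:
            continue
        remove = tok.startswith("-")
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        allowed = allowed - names if remove else allowed | names
    return TLS13 in allowed


def tls_host_configs(server_xml):
    """Yield (port, certificateVerification, protocols) for each SSL-enabled Connector."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        hosts = [child for child in conn if child.tag == "SSLHostConfig"]
        for host in hosts:
            yield port, host.get("certificateVerification", "none"), host.get("protocols")
        if not hosts:
            # Legacy form: TLS settings written as attributes of the Connector itself.
            verify = LEGACY_CLIENT_AUTH.get(conn.get("clientAuth", "false").lower(), "none")
            yield port, verify, conn.get("sslEnabledProtocols")


def uses_client_cert(web_xml):
    """True if any <auth-method> in the (usually namespaced) web.xml is CLIENT-CERT."""
    root = ET.fromstring(web_xml)
    return any(local_name(el.tag) == "auth-method"
               and (el.text or "").strip().upper() == "CLIENT-CERT"
               for el in root.iter())


def lint(server_xml, web_xml):
    """Return one warning per connector showing the combination the bug discusses."""
    if not uses_client_cert(web_xml):
        return []
    warnings = []
    for port, verify, protocols in tls_host_configs(server_xml):
        if verify.lower() == "none" and tls13_allowed(protocols):
            warnings.append(
                f"Connector {port}: certificateVerification='none' with TLS 1.3 allowed "
                f"(protocols={protocols or 'all'}) while the web app uses CLIENT-CERT. "
                "JSSE has no server-side post-handshake authentication, so the CLIENT-CERT "
                "constraint may never obtain a certificate; restrict protocols to TLSv1.2 "
                "or set certificateVerification='required'."
            )
    return warnings


# Constructed sample inputs modelled on the reporter's description, not the attachment.
SERVER_XML_NONE = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig certificateVerification="none">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""
SERVER_XML_TLS12 = SERVER_XML_NONE.replace(
    'certificateVerification="none"', 'certificateVerification="none" protocols="TLSv1.2"')
SERVER_XML_REQUIRED = SERVER_XML_NONE.replace(
    'certificateVerification="none"', 'certificateVerification="required"')
WEB_XML_CLIENT_CERT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/jsp/security/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    for name, cfg in [("none/all", SERVER_XML_NONE), ("none/TLSv1.2", SERVER_XML_TLS12),
                      ("required", SERVER_XML_REQUIRED)]:
        print(name, "->", lint(cfg, WEB_XML_CLIENT_CERT) or ["ok"])
```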
1) Reconfigured to only use TLS1.2 and verified that OpenSSL is used:

From stderr:
APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
OpenSSL successfully initialized [OpenSSL 1.1.1l 24 Aug 2021]

The used TLS version is not shown in the logs - probably need to change some log config to see it.

Result is still the same.

Full stderr:
2022-03-24 10:25:50 Apache Commons Daemon procrun stderr initialized.
24-Mar-2022 10:25:51.720 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.60
24-Mar-2022 10:25:51.726 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Mar 9 2022 14:52:25 UTC
24-Mar-2022 10:25:51.726 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.60.0
24-Mar-2022 10:25:51.726 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Windows 10
24-Mar-2022 10:25:51.726 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 10.0
24-Mar-2022 10:25:51.726 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
24-Mar-2022 10:25:51.727 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: C:\Program Files\OpenJDK\jdk-17.0.2
24-Mar-2022 10:25:51.727 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 17.0.2+8-86
24-Mar-2022 10:25:51.727 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
24-Mar-2022 10:25:51.727 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.727 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 9.0\temp
24-Mar-2022 10:25:51.752 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\logging.properties
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djavax.net.debug=all
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Duser.language=en -Duser.region=US
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: exit
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: abort
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms128m
24-Mar-2022 10:25:51.753 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx256m
24-Mar-2022 10:25:51.763 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.31] using APR version [1.7.0].
24-Mar-2022 10:25:51.763 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
24-Mar-2022 10:25:51.763 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
24-Mar-2022 10:25:51.777 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1l 24 Aug 2021]
24-Mar-2022 10:25:52.164 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-443"] connector has been configured to support negotiation to [h2] via ALPN
24-Mar-2022 10:25:52.164 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-443"]
javax.net.ssl|DEBUG|10|main|2022-03-24 10:25:52.458 CET|SunX509KeyManagerImpl.java:160|found key for : tomcat
24-Mar-2022 10:25:52.493 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1115] milliseconds
24-Mar-2022 10:25:52.562 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
24-Mar-2022 10:25:52.562 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.60]
24-Mar-2022 10:25:52.570 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\docs]
24-Mar-2022 10:25:52.854 FINE [main] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
24-Mar-2022 10:25:53.027 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\docs] has finished in [457] ms
24-Mar-2022 10:25:53.028 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\examples]
24-Mar-2022 10:25:53.419 FINE [main] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
24-Mar-2022 10:25:53.605 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\examples] has finished in [577] ms
24-Mar-2022 10:25:53.606 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT]
24-Mar-2022 10:25:53.636 FINE [main] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
24-Mar-2022 10:25:53.646 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT] has finished in [39] ms
24-Mar-2022 10:25:53.650 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-apr-443"]
24-Mar-2022 10:25:53.663 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [1169] milliseconds
24-Mar-2022 10:26:07.419 FINE [https-openssl-apr-443-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /
24-Mar-2022 10:26:07.420 FINE [https-openssl-apr-443-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints No applicable constraints defined
24-Mar-2022 10:26:07.434 FINE [https-openssl-apr-443-exec-3] org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations Loading persistent provider registrations from [C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\jaspic-providers.xml]
24-Mar-2022 10:26:07.445 FINE [https-openssl-apr-443-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Not subject to any constraint
24-Mar-2022 10:26:13.024 FINE [https-openssl-apr-443-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /examples/jsp
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp --> false
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp --> false
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp --> false
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp --> false
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5] org.apache.catalina.realm.RealmBase.findSecurityConstraints No applicable constraint located
24-Mar-2022 10:26:13.025 FINE [https-openssl-apr-443-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.invoke Not subject to any constraint
24-Mar-2022 10:26:15.731 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /examples/jsp/security/protected/index.jsp
24-Mar-2022 10:26:15.731 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
24-Mar-2022 10:26:15.732 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
24-Mar-2022 10:26:15.732 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
24-Mar-2022 10:26:15.733 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
24-Mar-2022 10:26:15.733 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
24-Mar-2022 10:26:15.733 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

2) a) I replaced the login method in the web.xml

Removed:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

Added:
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
    <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>

Form shows when accessing the protected URL and login using the certificate DN and password as set in tomcat-users.xml works.

b) changed back to CLIENT-CERT and set certificateVerification="required"

Client cert is requested when accessing the protected URL and access is granted.
So misconfiguration seems to be unlikely, except if some configuration is missing which is also not part of the default installation and nobody talks about (meaning I have not found any hint of something else when researching configuration examples).

Full stderr of the successful authentication with certificateVerification="required":
2022-03-24 11:09:37 Apache Commons Daemon procrun stderr initialized.
24-Mar-2022 11:09:37.718 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.60
24-Mar-2022 11:09:37.721 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Mar 9 2022 14:52:25 UTC
24-Mar-2022 11:09:37.721 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.60.0
24-Mar-2022 11:09:37.721 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Windows 10
24-Mar-2022 11:09:37.722 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 10.0
24-Mar-2022 11:09:37.722 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
24-Mar-2022 11:09:37.722 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: C:\Program Files\OpenJDK\jdk-17.0.2
24-Mar-2022 11:09:37.722 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 17.0.2+8-86
24-Mar-2022 11:09:37.722 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
24-Mar-2022 11:09:37.722 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 11:09:37.722 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 11:09:37.731 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 9.0\temp
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\logging.properties
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djavax.net.debug=all
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Duser.language=en -Duser.region=US
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
24-Mar-2022 11:09:37.732 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Mar-2022 11:09:37.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: exit
24-Mar-2022 11:09:37.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: abort
24-Mar-2022 11:09:37.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms128m
24-Mar-2022 11:09:37.733 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx256m
24-Mar-2022 11:09:37.736 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.31] using APR version [1.7.0].
24-Mar-2022 11:09:37.736 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
24-Mar-2022 11:09:37.737 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
24-Mar-2022 11:09:37.742 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1l 24 Aug 2021]
24-Mar-2022 11:09:38.034 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-443"] connector has been configured to support negotiation to [h2] via ALPN
24-Mar-2022 11:09:38.034 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-443"]
javax.net.ssl|DEBUG|10|main|2022-03-24 11:09:38.243 CET|SunX509KeyManagerImpl.java:160|found key for : tomcat
24-Mar-2022 11:09:38.265 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [752] milliseconds
24-Mar-2022 11:09:38.322 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
24-Mar-2022 11:09:38.322 INFO [main] org.apache.catalina.core.StandardEngine.startInternal
Starting Servlet engine: [Apache Tomcat/9.0.60]
24-Mar-2022 11:09:38.335 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\docs]
24-Mar-2022 11:09:38.546 FINE [main] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
24-Mar-2022 11:09:38.652 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\docs] has finished in [316] ms
24-Mar-2022 11:09:38.653 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\examples]
24-Mar-2022 11:09:39.009 FINE [main] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
24-Mar-2022 11:09:39.309 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\examples] has finished in [656] ms
24-Mar-2022 11:09:39.309 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT]
24-Mar-2022 11:09:39.356 FINE [main] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
24-Mar-2022 11:09:39.369 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT] has finished in [59] ms
24-Mar-2022 11:09:39.373 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-apr-443"]
24-Mar-2022 11:09:39.387 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [1122] milliseconds
24-Mar-2022 11:24:15.003 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /examples/jsp/security/protected/index.jsp
24-Mar-2022 11:24:15.003 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
24-Mar-2022 11:24:15.003 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
24-Mar-2022 11:24:15.010 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations Loading persistent provider registrations from [C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\jaspic-providers.xml]
24-Mar-2022 11:24:15.021 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
24-Mar-2022 11:24:15.022 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
24-Mar-2022 11:24:15.023 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
24-Mar-2022 11:24:15.027 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 11:24:15.028 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.authenticate Authenticating client certificate chain
24-Mar-2022 11:24:15.028 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.authenticate Checking validity for 'EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 11:24:15.028 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509 certificate: [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro]
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro' with type 'CLIENT_CERT'
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro()]
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.hasRole Username [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro] has role [user]
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: user
24-Mar-2022 11:24:15.032 FINE [https-openssl-apr-443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
Looking at the tested configurations, none of them will work.

Http11NioProtocol - JSSE - Fails because TLS 1.3 PHA isn't supported
Http11AprProtocol - HTTP/2 - Fails as HTTP/2 doesn't permit PHA

You need to:
- Configure TLS 1.2 only
- Not configure HTTP/2

Then it should work with any connector (NIO, NIO2 or APR/Native) and any TLS implementation (JSSE or OpenSSL).
Hi Mark, this did the trick. You definitely know your stuff. Thanks a lot.

I used TLS 1.2 and the OpenSSL TLS implementation and tested both org.apache.coyote.http11.Http11NioProtocol and org.apache.coyote.http11.Http11AprProtocol. Both worked.

org.apache.coyote.http11.Http11NioProtocol perfectly so. Authentication and response from Tomcat happened immediately after selecting the certificate in the browser. Felt almost faster than delivering a static page.

org.apache.coyote.http11.Http11AprProtocol had a delay of 1 minute after selecting the certificate in the browser.

Tested with Chrome, Edge and Postman with identical results.

I am happy with Nio working. But if you want to look into the issue with org.apache.coyote.http11.Http11AprProtocol, I am willing to support with testing.

stderr excerpt for org.apache.coyote.http11.Http11AprProtocol with OpenSSL. Pauses after "Calling authenticate()":

24-Mar-2022 12:42:07.712 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /examples/jsp/security/protected/index.jsp
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.authenticate Authenticating client certificate chain
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.authenticate Checking validity for 'EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.authenticate Checking validity for 'CN=T-base-CA, DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509 certificate: [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro]
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro' with type 'CLIENT_CERT'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro()]
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.hasRole Username [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl, CN=Users, DC=intranet, DC=t-base, DC=pro] has role [user]
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: user
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
Hi Mark,

Just FYI: according to my tests, TLS 1.3 with OpenSSL also does not work. So it is not limited to JSSE.

You mentioned outputting a warning when CLIENT-CERT is used with an unsupported protocol. Would it be possible to throw an error if PHA is attempted in an unsupported configuration (TLS 1.3, HTTP/2)? This might not be as good at avoiding the problem in the first place, but it is much better for figuring out what the problem is, if it occurs.

kr Martin

PS: Mark, how does the bug process work? Should I set the bug to resolved as I have a solution, or will you do it once you are done with it?
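Mark's two conditions (TLS 1.2 only, no HTTP/2) and Martin's request for an error when PHA is attempted in an unsupported configuration can be checked before Tomcat is even started. The script below is an added example, not Tomcat code and not from either commenter: it lints a server.xml for SSL connectors whose certificateVerification is not "required" and that still have TLS 1.3 enabled or an HTTP/2 UpgradeProtocol configured, the two combinations this thread identifies as unable to request the client certificate after the handshake. The sample server.xml strings are constructed; the expansion of the "all" protocols token, the treatment of "optional" like "none", and the restriction to SSLHostConfig-style configuration are assumptions.

```python
"""Lint a Tomcat server.xml for CLIENT-CERT combinations that cannot work.

With certificateVerification other than "required", Tomcat only asks for the
client certificate once a CLIENT-CERT constraint is hit, which needs a
post-handshake certificate request. Two settings rule that out per the thread:
TLS 1.3 being enabled and an HTTP/2 UpgradeProtocol on the connector.
Added example, not Tomcat code. Assumptions: the expansion of the "all"
protocols token, "optional" treated like "none", SSLHostConfig-style config only.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"
# Assumed expansion of the "all" token, which is also the default for 'protocols'.
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def parse_protocols(value: str) -> set[str]:
    """Expand an SSLHostConfig 'protocols' attribute into the enabled set.

    Tokens are applied left to right: a bare token, '+' or ',' adds,
    '-' removes, and "all" stands for ALL_PROTOCOLS.
    """
    enabled: set[str] = set()
    for token in re.split(r"(?=[-+,])", value):
        token = token.strip()
        if len(token) <= 1:  # empty piece or a lone separator
            continue
        op = token[0] if token[0] in "+-," else "+"
        name = token.lstrip("+-,").strip()
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if op == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def check_connector(connector: ET.Element) -> list[str]:
    """Return one finding per unsupported combination on a TLS connector."""
    findings: list[str] = []
    if connector.get("SSLEnabled", "false").lower() != "true":
        return findings
    port = connector.get("port", "?")
    http2 = any(u.get("className") == HTTP2_UPGRADE
                for u in connector.findall("UpgradeProtocol"))
    for host_cfg in connector.findall("SSLHostConfig"):
        host = host_cfg.get("hostName", "_default_")
        verification = host_cfg.get("certificateVerification", "none").lower()
        if verification == "required":
            continue  # chain is collected in the initial handshake; nothing to request later
        where = f'port {port}, host {host}, certificateVerification="{verification}"'
        if "TLSv1.3" in parse_protocols(host_cfg.get("protocols", "all")):
            findings.append(f"{where}: TLSv1.3 is enabled, so the client certificate "
                            "cannot be requested after the handshake; "
                            'set protocols="TLSv1.2"')
        if http2:
            findings.append(f"{where}: HTTP/2 upgrade is configured, and HTTP/2 does "
                            "not permit post-handshake authentication; "
                            "remove the UpgradeProtocol element")
    return findings


def lint_server_xml(xml_text: str) -> list[str]:
    """Run check_connector over every Connector in a server.xml document."""
    root = ET.fromstring(xml_text)
    return [f for c in root.iter("Connector") for f in check_connector(c)]


def sample_server_xml(http2: bool, protocols: str | None,
                      verification: str = "none") -> str:
    """Constructed server.xml in the shape of the reporter's setup (APR on 443)."""
    upgrade = f'      <UpgradeProtocol className="{HTTP2_UPGRADE}"/>\n' if http2 else ""
    protos = f' protocols="{protocols}"' if protocols else ""
    return f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
{upgrade}      <SSLHostConfig certificateVerification="{verification}"{protos}
                     truststoreFile="conf/truststore.p12" truststorePassword="changeit">
        <Certificate certificateKeyFile="conf/server.key"
                     certificateFile="conf/server.crt" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost"/></Engine>
  </Service>
</Server>
"""


BROKEN_SERVER_XML = sample_server_xml(http2=True, protocols=None)      # as reported
FIXED_SERVER_XML = sample_server_xml(http2=False, protocols="TLSv1.2")  # Mark's fix

if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, lint_server_xml(xml_text) or "no findings")
```

Run it against the real conf/server.xml by passing the file contents to lint_server_xml; a connector that keeps its TLS attributes directly on the Connector element (the pre-SSLHostConfig style) is not inspected by this version.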
(In reply to Martin Stangl from comment #6)
> org.apache.coyote.http11.Http11AprProtocol had a delay of 1 minute after
> selecting the certificate in the browser.
>
> Tested with Chrome, Edge and Postman with identical results.
>
> I am happy with Nio working.
> But if you want to look into the issue with
> org.apache.coyote.http11.Http11AprProtocol, I am willing to support with
> testing.
>
> stderr excerpt for org.apache.coyote.http11.Http11AprProtocol with OpenSSL.
> Pauses after "Calling authenticate()":

Hmm.

> 24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
> org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
> authenticate()
> 24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7]
> org.apache.catalina.realm.CombinedRealm.authenticate Attempting to
> authenticate user [EMAILADDRESS=martin.stangl@t-base.pro, CN=Martin Stangl,
> CN=Users, DC=intranet, DC=t-base, DC=pro] with realm
> [org.apache.catalina.realm.UserDatabaseRealm]

/Exactly/ 1 minute delay?

Are you using OCSP (does OCSP even work for client certs)? Can you snoop outbound network traffic from the server to see if something is making a network connection at the start of this pause?

At first, I was thinking "entropy problem" but (a) it was repeatable and (b) it's exactly 1 minute which sounds more like a network timeout than anything else.
Hi Christopher,

no OCSP, but I noticed that the CRL LDAP URL is invalid:

URL=ldap:///CN=T-base-CA,CN=NoCore,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=intranet,DC=t-base,DC=pro?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=T-base-CA,CN=NoCore,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=intranet,DC=t-base,DC=pro?certificateRevocationList?base?objectClass=cRLDistributionPoint)

I will try to fix the AD Certificate Service configuration by either fixing the URL or getting rid of the CRL and try again with a new client certificate.

I agree, looks very much like a network timeout.
It seems this CRL URL is like this on purpose. I will go forward and use a client cert not issued by my AD CA for testing purposes.
I tested with 2 other client certificates. Same result.

Let's Encrypt certificate with OCSP. (For some strange reason javax.net.ssl decided to print certificate details in this case.)

25-Mar-2022 20:17:39.052 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
javax.net.ssl|DEBUG|A1|https-openssl-apr-443-exec-6|2022-03-25 20:17:39.071 CET|X509TrustManagerImpl.java:247|Found trusted certificate ( "certificate" : { "version" : "v3", "serial number" : "008210CFB0D240E3594463E0BB63828B00", "signature algorithm": "SHA256withRSA", "issuer" : "CN=ISRG Root X1, O=Internet Security Research Group, C=US", "not before" : "2015-06-04 13:04:38.000 CEST", "not after" : "2035-06-04 13:04:38.000 CEST", "subject" : "CN=ISRG Root X1, O=Internet Security Research Group, C=US", "subject public key" : "RSA", "extensions" : [ { ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen: no limit ] }, { ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] }, { ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58 y.Y......s.....X 0010: F6 E9 9B 6E ...n ] ] } ]} )
25-Mar-2022 20:18:39.083 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=dev.intranet.t-base.pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]

Self-signed certificate:

25-Mar-2022 20:25:56.643 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
25-Mar-2022 20:26:56.666 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=Self-Signed, O=T-base OG, ST=Some-State, C=AT] with realm [org.apache.catalina.realm.UserDatabaseRealm]

The "server" is a Windows 10 notebook, so unfortunately very noisy. But I can confirm that no related calls to the internet were made when using the certificate issued by the Active Directory Certificate Service. I will try to do some more snooping, but it will take 2 to 3 days until I get to it.
I came up with another test: I took the server (notebook) offline, because if no network cable is plugged in, network requests immediately fail and do not time out. Still the exact same delay. So most likely not network related.

stderr excerpt:

25-Mar-2022 22:16:54.202 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
javax.net.ssl|DEBUG|A1|https-openssl-apr-443-exec-6|2022-03-25 22:16:54.230 CET|X509TrustManagerImpl.java:247|Found trusted certificate ( "certificate" : { "version" : "v3", "serial number" : "008210CFB0D240E3594463E0BB63828B00", "signature algorithm": "SHA256withRSA", "issuer" : "CN=ISRG Root X1, O=Internet Security Research Group, C=US", "not before" : "2015-06-04 13:04:38.000 CEST", "not after" : "2035-06-04 13:04:38.000 CEST", "subject" : "CN=ISRG Root X1, O=Internet Security Research Group, C=US", "subject public key" : "RSA", "extensions" : [ { ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen: no limit ] }, { ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] }, { ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 79 B4 59 E6 7B B6 E5 E4 01 73 80 08 88 C8 1A 58 y.Y......s.....X 0010: F6 E9 9B 6E ...n ] ] } ]} )
25-Mar-2022 22:17:54.245 FINE [https-openssl-apr-443-exec-6] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=dev.intranet.t-base.pro] with realm [org.apache.catalina.realm.UserDatabaseRealm]
Wireshark
Created attachment 38233 [details] Wireshark capture of authentication with Let's Encrypt OSCP certificate
Created attachment 38234 [details] Wireshark capture of authentication with Active Directory issued certificate
Created attachment 38235 [details] Wireshark capture of authentication with Self Signed certificate
Hi Christopher,

I captured the traffic from when the client certificate is submitted to the server until the authentication completed. So basically the full 60 seconds of delay.

Wireshark could not capture anything while my machine was offline, which is understandable. So the 3 attached captures are from when I connected to the hotel's wireless I am currently staying at and show all outgoing traffic from my machine. I used the source MAC address for filtering and made one capture for each certificate I used for testing.

Here are the IPs of my machine:

ifIndex IPAddress                               PrefixLength PrefixOrigin SuffixOrigin AddressState PolicyStore
------- ---------                               ------------ ------------ ------------ ------------ -----------
37      fe80::145e:ea51:ed90:b7f1%37            64           WellKnown    Link         Preferred    ActiveStore
37      2a02:1205:5078:1db0:2582:b03f:b764:cd74 128          RouterAdv... Random       Preferred    ActiveStore
37      2a02:1205:5078:1db0:145e:ea51:ed90:b7f1 64           RouterAdv... Link         Preferred    ActiveStore
37      192.168.1.67                            24           Dhcp         Dhcp         Preferred    ActiveStore

Let me know if we also need to capture the communication between the browser and Tomcat, as this requires me to set up Wireshark for loopback capturing.
(In reply to Martin Stangl from comment #17)
> I captured the traffic from when the client certificate is submitted to the
> server until the authentication completed. So basically the full 60 seconds
> of delay.
>
> Wireshark could not capture anything while my machine was offline, which is
> understandable.

I think you misunderstood what I was suggesting: using Wireshark to monitor *outbound* traffic during your testing. We want to catch whatever process is making an outgoing connection and timing out. Wireshark should definitely be able to tell you *something* is happening. DNS lookup, or connection-attempt to some remote service which fails after 60 seconds when you are connected and fails *immediately* when you are not connected.

> Let me know if we also need to capture the communication between the browser
> and tomcat as this requires for me to setup Wireshark for Loopback capturing.

No need to capture anything between the browser and the server. I'm only interested in seeing what the server is trying to do when you authenticate. I suspect if you look for new connection attempts (on any protocol, to any host/port) as you authenticate, and you ignore the connection from the browser -> Tomcat, you'll find the answer pretty quickly.
(In reply to Christopher Schultz from comment #18)
> I think you misunderstood what I was suggesting: using Wireshark to monitor
> *outbound* traffic during your testing.

This is exactly what I captured. Every packet leaving the machine during the authentication process.

> making an outgoing connection and timing out. Wireshark should definitely be
> able to tell you *something* is happening. DNS lookup, or connection-attempt
> to some remote service which fails after 60 seconds when you are connected
> and fails *immediately* when you are not connected.

Wireshark does not get anything if no interface is connected. And this makes sense to me, because to which of the not connected interfaces should the traffic go? It does not make it that far, therefore Wireshark will not get anything to capture.

And as I mentioned before: the wait time is still 60 seconds, even with immediate network communication failures due to having no network connection. So the delay might still be related to communication, but is most likely not originating from the network code.

The relevant request should be in the first 2 to 3 seconds of each capture, but there is nothing in there which is common to the three captures. The only SYNs without ACKs I see are related to some devices on the WLAN (a Huawei Honor 7, I could not identify the other device). Also they start a little too late and the retries end way before 60 seconds.

So as far as I can tell, nothing goes out which relates to the issue.
I verified that the 60000 millisecond delay is the timeout configured by the connectionTimeout parameter of the connector.
Testing this locally with 9.0.x, Tomcat Native 1.2.x and the APR connector this works as expected for me. I modified the examples web application to use CLIENT-CERT, configured the APR connector for TLSv1.2 and no HTTP/2 and used the standard test keys and certs we use for the Tomcat unit tests. To investigate further we are going to need exact steps to recreate this from a clean install of the latest 9.0.x release including any test keys and certs you are using.
I will make a step by step guide but cannot do it before Saturday.
Requested information has not been provided so I'm closing this issue. If you are able to recreate this issue and can provide the steps to recreate it from a clean install of the latest 9.0.x release, then feel free to re-open this issue and provide the reproduction steps.