DO NOT REPLY [Bug 46950] New: SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

           Summary: SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
           Product: Tomcat 6
           Version: 6.0.18
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
        AssignedTo: dev@...
        ReportedBy: andre@...

When a part of a webapp requires an SSL connection with a client certificate there should be an SSL renegotiation to request a client certificate from the browser.

This is the configuration I added to a webapp that already uses an SSL connector:

    <login-config id="LoginConfig_1">
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>WPS</realm-name>
    </login-config>
    <security-constraint id="SecurityConstraint_1">
      <web-resource-collection id="WebResourceCollection_1">
        <web-resource-name/>
        <url-pattern>/LoginWithCert.do</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
      </web-resource-collection>
      <user-data-constraint id="UserDataConstraint_4">
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Requests to /LoginWithCert.do require an SSL connection, if there isn't one, but no client certificate is requested.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

william.barker@... changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from william.barker@... 2009-04-01 11:43:50 PST ---
There is no <auth-constraint> in the configuration, so of course Tomcat doesn't ask for a certificate.
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

Andre <andre@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #2 from Andre <andre@...> 2009-04-02 03:00:48 PST ---
Ok. So now I changed the security-constraint to:

    <security-constraint id="SecurityConstraint_1">
      <web-resource-collection id="WebResourceCollection_1">
        <web-resource-name/>
        <url-pattern>/LoginWithCert.do</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
      <user-data-constraint id="UserDataConstraint_4">
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Now I get this error when I access the resource:

    HTTP Status 400 - No client certificate chain in this request

BUT no certificate was asked for in the SSL (re-)negotiation.
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

Mark Thomas <markt@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #3 from Mark Thomas <markt@...> 2009-04-14 16:15:31 PST ---
The following configuration works for me. At a guess, you haven't configured Tomcat to trust the issuer of your client certificate. The browser only prompts you to select a cert if it has one that the server will trust. Please use the users list if you need further help configuring your SSL certs.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Bug46950</web-resource-name>
        <url-pattern>/bug46381.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>manager</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
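The point made in comment #1 and illustrated by Mark's configuration in comment #3 is that a `<transport-guarantee>` only demands SSL; the CLIENT-CERT challenge is driven by an `<auth-constraint>` on a matching constraint. The following is an added example written for this page, not code from the thread or from Tomcat: a small Python model of how `<security-constraint>` rules are selected and combined for one request. The embedded web.xml is constructed from the constraints on this page (Mark's two plus Andre's original one, trimmed to two methods). The pattern precedence (exact, then longest `/*` prefix, then `*.ext`, then the `/` default) and the combination rules are my reading of the Servlet specification, so treat the model as an approximation of Tomcat's behaviour rather than its code.

```python
"""Added example: model which <security-constraint>s apply to a request and
whether the result would trigger a CLIENT-CERT challenge. Approximation of
the Servlet spec's url-pattern precedence and combination rules; not Tomcat."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: Mark Thomas's two constraints (comment #3)
# plus Andre's original one (bug report), which has a transport-guarantee but
# no <auth-constraint>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Bug46950</web-resource-name>
      <url-pattern>/bug46381.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginWithCert</web-resource-name>
      <url-pattern>/LoginWithCert.do</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""


def parse_web_xml(text):
    """Return ([constraint dicts], auth-method) from a web.xml fragment."""
    root = ET.fromstring(text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        tg = sc.find("user-data-constraint/transport-guarantee")
        constraints.append({
            "patterns": patterns,
            "methods": methods or None,  # None: every HTTP method is covered
            "roles": None if ac is None else [r.text.strip() for r in ac.findall("role-name")],
            "transport": tg.text.strip() if tg is not None else "NONE",
        })
    am = root.find("login-config/auth-method")
    return constraints, (am.text.strip() if am is not None else None)


def match_rank(pattern, path):
    """Sortable specificity of a url-pattern match (lower wins), or None."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))  # longest prefix is most specific
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (3, 0)
    return None


def applicable(constraints, path, method):
    """Constraints on the best-matching pattern tier that also cover the method."""
    ranked = []
    for c in constraints:
        ranks = [r for r in (match_rank(p, path) for p in c["patterns"]) if r is not None]
        if ranks:
            ranked.append((min(ranks), c))
    if not ranked:
        return []
    best = min(r for r, _ in ranked)
    return [c for r, c in ranked
            if r == best and (c["methods"] is None or method in c["methods"])]


def evaluate(constraints, auth_method, path, method="GET"):
    """Decide transport, authentication and whether a CLIENT-CERT challenge happens."""
    hits = applicable(constraints, path, method)
    # A matching constraint with no <auth-constraint> permits unauthenticated
    # access; an empty <auth-constraint> denies everyone; otherwise roles are
    # unioned and authentication (hence the CLIENT-CERT challenge) is required.
    if not hits or any(c["roles"] is None for c in hits):
        auth_required, denied, roles = False, False, set()
    elif any(c["roles"] == [] for c in hits):
        auth_required, denied, roles = True, True, set()
    else:
        auth_required, denied = True, False
        roles = set().union(*(c["roles"] for c in hits))
    # A matching constraint without a user-data-constraint likewise relaxes
    # the combined transport requirement to NONE.
    confidential = bool(hits) and all(c["transport"] != "NONE" for c in hits)
    return {"confidential": confidential, "auth_required": auth_required,
            "denied": denied, "roles": sorted(roles),
            "client_cert_challenge": auth_required and auth_method == "CLIENT-CERT"}


CONSTRAINTS, AUTH_METHOD = parse_web_xml(WEB_XML)

if __name__ == "__main__":
    for path, method in [("/bug46381.jsp", "GET"), ("/LoginWithCert.do", "GET"),
                         ("/LoginWithCert.do", "OPTIONS")]:
        print(method, path, evaluate(CONSTRAINTS, AUTH_METHOD, path, method))
```

Running it shows the two outcomes the thread argues about: `/bug46381.jsp` is covered by an `<auth-constraint>`, so authentication, and with CLIENT-CERT a certificate challenge, is required; `/LoginWithCert.do` only carries a CONFIDENTIAL guarantee, so SSL is enforced but no authentication is ever demanded. The OPTIONS case is the caveat worth keeping in mind when listing `<http-method>` elements: methods not listed fall outside the constraint entirely.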
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

Andre <andre@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

--- Comment #4 from Andre <andre@...> 2009-04-15 04:03:39 PST ---
What works for you? Did you even read what I said? How can the browser know if a server trusts a certain certificate or not without even asking for it?

Let me explain the problem better.

Most of my site runs without client cert checking, so I have SSLVerifyClient="none" on the connector. But I have one servlet that DOES want a client certificate and so I configured the security restriction accordingly in the deployment descriptor. Just that one resource, not the entire site. It's in these cases that an SSL renegotiation does not occur to ask for the client certificate. Tomcat only knows that I want a client certificate after the client sends the HTTP request.

Apache httpd has this feature and someone at the Tomcat users list asked me to file this as a bug. Maybe it's just a missing feature.
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #5 from Mark Thomas <markt@...> 2009-04-15 04:38:10 PST ---
(In reply to comment #4)
> What works for you?

The security constraint and login configuration I posted, which requires SSL for the entire context but only requires user authentication for a single JSP. If I browse to any resource except the one that requires auth using http I get switched to https as expected. If I then request the protected resource I get prompted for my certificate.

> Did you even read what I said?

Yes I did. Quite carefully. Taking that attitude is not going to induce people to help you.

> How can the browser know if a server trusts a certain certificate or not
> without even asking for it?

This is the way the SSL handshake works. The server provides a client with a list of trusted certs. If the client doesn't have a user cert issued by one of the trusted certs the client doesn't waste time prompting the user to select one.

> Let me explain the problem better.
>
> Most of my site runs without client cert checking, so I have
> SSLVerifyClient="none" on the connector.

That is new information. Your original bug report made no mention of using the APR/native connector. I'd expect the behaviour to remain the same but I'll re-test with the native and see.
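The handshake detail Mark describes in comment #5 is the TLS CertificateRequest message: its certificate_authorities field carries the distinguished names of the CAs the server accepts (what Mark calls the list of trusted certs), and a browser only offers client certificates issued by one of them. This is an added example written for this page, not code from the thread or from Tomcat: it builds a TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4) from constructed CA names, parses it back, and applies the browser-side filter. The DER helpers are a hand-rolled minimum for short X.501 Names, and the CA and certificate labels are constructed sample data.

```python
"""Added example: TLS 1.2 CertificateRequest build/parse plus the client-side
'is my cert issued by a CA the server listed?' filter. The DER helpers only
handle short-form lengths; they are a teaching aid, not an ASN.1 library."""
import struct

OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
ATTR = {OID_CN: "CN", OID_O: "O"}


def der(tag, content):
    """DER TLV with a short-form length (content must be < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("long-form lengths not supported in this helper")
    return bytes([tag, len(content)]) + content


def der_name(rdns):
    """Encode [(oid, text), ...] as an X.501 Name: SEQUENCE of SET of ATV."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x0C, text.encode())))
        for oid, text in rdns))


def build_certificate_request(ca_names):
    """Serialise a CertificateRequest body with the given DER CA names."""
    cert_types = bytes([1, 64])                 # rsa_sign, ecdsa_sign
    sig_algs = bytes([0x04, 0x01, 0x04, 0x03])  # sha256+rsa, sha256+ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)


def parse_certificate_request(body):
    """Return (certificate_types, signature_algorithms, [DER CA names])."""
    n, pos = body[0], 1
    cert_types, pos = body[pos:pos + n], pos + n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    sig_algs, pos = body[pos:pos + n], pos + n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    end, names = pos + n, []
    while pos < end:
        ln, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
        names.append(body[pos:pos + ln])
        pos += ln
    if pos != end or end != len(body):
        raise ValueError("malformed CertificateRequest")  # truncated or trailing bytes
    return cert_types, sig_algs, names


def _tlv(buf, pos, expect):
    """Read one short-form DER TLV at pos, insisting on the expected tag."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != expect or length & 0x80:
        raise ValueError("unexpected DER structure")
    start = pos + 2
    return buf[start:start + length], start + length


def decode_name(name_der):
    """Render a DER Name as 'CN=...,O=...' (attribute order preserved)."""
    seq, _ = _tlv(name_der, 0, 0x30)
    parts, pos = [], 0
    while pos < len(seq):
        rdn, pos = _tlv(seq, pos, 0x31)
        atv, _ = _tlv(rdn, 0, 0x30)
        oid, p = _tlv(atv, 0, 0x06)
        value, _ = _tlv(atv, p, 0x0C)
        parts.append(f"{ATTR.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)


def selectable_certs(client_certs, request_body):
    """Browser-side filter: which of the client's certs may be offered.
    client_certs is [(label, issuer string as produced by decode_name), ...].
    An empty certificate_authorities list means any CA is acceptable (RFC 5246)."""
    _, _, names = parse_certificate_request(request_body)
    trusted = {decode_name(n) for n in names}
    if not trusted:
        return [label for label, _ in client_certs]
    return [label for label, issuer in client_certs if issuer in trusted]


# Constructed data: the server trusts one client CA; the user holds a cert
# issued by it and one issued by an unrelated CA.
SERVER_CAS = [der_name([(OID_CN, "Corp Client CA"), (OID_O, "Example Corp")])]
CLIENT_CERTS = [("alice-corp", "CN=Corp Client CA,O=Example Corp"),
                ("alice-personal", "CN=Other CA")]
REQUEST = build_certificate_request(SERVER_CAS)

if __name__ == "__main__":
    print(selectable_certs(CLIENT_CERTS, REQUEST))  # ['alice-corp']
```

The filter is why Mark's guess in comment #3 is a plausible one: if the server's truststore does not contain the issuer of the user's certificate, its name never appears in certificate_authorities, and the browser silently offers nothing rather than prompting. When debugging a missing prompt, inspecting the CA names in the server's CertificateRequest (a packet capture or the client library's debug output) tells you whether the problem is the truststore or, as in this bug, that no CertificateRequest was sent at all.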
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #6 from Mark Thomas <markt@...> 2009-04-15 05:21:57 PST ---
OK, I can confirm this when I test with the APR/native connector. Looking for a fix now...
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #7 from Mark Thomas <markt@...> 2009-04-16 12:37:33 PST ---
This is going to require a change to the APR/native connector.
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #8 from Andre <andre@...> 2009-05-14 04:17:52 PST ---
Created an attachment (id=23663)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23663)
Patch that makes the APR connector behave like the non-APR one

This patch will turn on the SSL client certificate requirement prior to the SSL renegotiation, prompting the browser for one.
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

Alexey <liosa@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |liosa@...
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #9 from Mark Thomas <markt@...> 2009-05-27 06:08:48 PST ---
The proposed patch does not work exactly as intended. It does not trigger renegotiation; rather it sets SSLVerifyClient for all future SSL sessions created by that request processor. The side effects of this are:
- cert still not prompted for when transitioning from a resource that doesn't require a cert to one that does
- subsequent SSL requests handled by that processor will prompt for a cert, even when not required.

As per comment #7, a fix for this that aligns the APR/native connector behaviour with the Java connectors will require a change to the native component of the native connector (to enable the connection to be renegotiated for the current connection).
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #10 from Mark Thomas <markt@...> 2009-09-15 18:59:35 BST ---
The native fixes have been applied to the 1.1.x branch and trunk (1.2.x).

The Tomcat fixes have been applied to trunk (7.0.x) and proposed for 6.0.x and 5.5.x.

Note that the 6.0.x/5.5.x patch depends on there being a new tc-native release.
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

Mark Thomas <markt@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Servlet & JSP API           |Native:Integration
            Version|6.0.18                      |5.5.28
            Product|Tomcat 6                    |Tomcat 5
   Target Milestone|default                     |---

--- Comment #11 from Mark Thomas <markt@...> 2009-11-02 16:33:29 GMT ---
This has been fixed in 6.0.x and will be included in 6.0.21 onwards. It will also be proposed for backport to 5.5.x.
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

--- Comment #12 from Andre Cruz <andre@...> 2009-11-03 02:54:46 UTC ---
Thanks!
DO NOT REPLY [Bug 46950] SSL renegotiation does not occur when resource with CLIENT-CERT auth is requested
https://issues.apache.org/bugzilla/show_bug.cgi?id=46950

Mark Thomas <markt@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #13 from Mark Thomas <markt@...> 2009-11-27 11:16:10 GMT ---
This has been applied to 5.5.x and will be included in 5.5.29 onwards.