[Tomcat-users] SSL issue

Savitha Akella at Aug 25, 2011 at 4:53 pm

Hi,
We have enabled SSL for the web services hosted on Tomcat. As part of the
configuration changes we have modified the server.xml to make changes to the
"connector" element.
We have given the "trustStorePass" value to point to a keystore which has
only the certificate for our web services. Of course the clientAuth parameter
is set to true.
The problem we are facing is even though the client is prompted for the
certificate, the client is authenticated with any certificate instead of
authenticating with the intended one.
Any help is highly appreciated.
Thanks,
Savitha
Christopher Schultz at Aug 25, 2011 at 6:46 pm

Savitha,

On 8/25/2011 12:53 PM, Savitha Akella wrote:
> We have given the "trustStorePass" value to point to a keystore
> which has only the certificate for our web services.

Do you mean "truststoreFile"?

> Of course the clientAuth parameter is set to true.

Good.

Can you post your <Connector> configuration for us? Remember to remove
any passwords from it.

-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Savitha Akella at Aug 25, 2011 at 11:02 pm

Here is the connector configuration:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
clientAuth="true" port="443" SSLEnabled="true" maxThreads="150"
scheme="https" secure="true" keyAlias="keyalias"
keystoreFile="d:/users/apache-tomcat-7.0.11/keystore/key.keystore"
keyPass="changeit"
truststoreFile="D:/users/apache-tomcat-7.0.11/keystore/trust.keystore"
truststorePass="changeit" SSLVerifyClient="require" SSLEngine="on"
SSLVerifyDepth="4" sslProtocol="TLS" />
Regards,
Savitha
Christopher Schultz at Aug 26, 2011 at 3:25 pm

Savitha,

On 8/25/2011 7:01 PM, Savitha Akella wrote:
> <Connector protocol="org.apache.coyote.http11.Http11Protocol"
> port="443" maxThreads="150" scheme="https" secure="true"
> SSLEnabled="true"

Okay.

> keystoreFile="d:/users/apache-tomcat-7.0.11/keystore/key.keystore"
> keyAlias="keyalias" keyPass="changeit"

Okay.

> clientAuth="true"
> truststoreFile="D:/users/apache-tomcat-7.0.11/keystore/trust.keystore"
> truststorePass="changeit"
> SSLVerifyClient="require"

Okay.

> sslProtocol="TLS"

Should probably be "SSLProtocol", but might not matter. Also, "TLS" is
not a documented valid value for this attribute.
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

> SSLEngine="on"

SSLEngine is not a recognized attribute.

> SSLVerifyDepth="4" />
Christopher Schultz at Aug 26, 2011 at 3:28 pm

Savitha,

I sent prematurely.

On 8/26/2011 11:24 AM, Christopher Schultz wrote:
>> SSLVerifyDepth="4" />

How long are your certificate chains? If they are longer than 4, then
you might not be checking up the chain far enough to get to your
trusted certificates.

You might want to check out this thread from the archives. I was
trying to do something slightly different, but there is good
information in there:
http://markmail.org/thread/ri3w5w444ynwsatt

-chris
Crypto Sal at Aug 27, 2011 at 1:28 am

On 08/26/2011 11:24 AM, Christopher Schultz wrote:
>> sslProtocol="TLS"
> Should probably be "SSLProtocol", but might not matter. Also, "TLS" is
> not a documented valid value for this attribute.
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

Kindly double-check your data. I see that it's the default and doesn't
need to be defined but is probably defined for clarity.

>> SSLEngine="on"
> SSLEngine is not a recognized attribute.

It is for the Listener container. This would turn on/off APR. Seems like
a simple mistake.
Marvin Addison at Aug 26, 2011 at 4:23 pm

If you've got the container to request and accept a client cert, the
connector configuration is likely correct and it's an SSL trust
problem. Please post the output of the following command:

keytool -list -keystore D:/users/apache-tomcat-7.0.11/keystore/trust.keystore -storePass changeit

Also, please post some evidence that the client is sending the cert
you think it is. OpenSSL s_client is a good choice if you don't
already have a good tool for SSL troubleshooting.
M
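An added diagnostic that is not part of this thread or of Tomcat itself: the standalone Java program below (the class name ClientTrustCheck, the truststore path and password, and the two PEM inputs are all assumptions supplied on the command line) replays the trust decision a JSSE connector makes for clientAuth="true" against the truststore named in the <Connector>, then checks whether the trusted leaf is the one certificate you actually intended to accept.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic (not Tomcat code): replays the JSSE trust decision for a
// client chain against the connector's truststore, then pins the leaf to one cert.
public class ClientTrustCheck {
    // Build the same PKIX trust manager a JSSE connector builds from
    // truststoreFile/truststorePass (Tomcat's truststoreType defaults to JKS).
    static X509TrustManager trustManagerFor(String truststoreFile, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststoreFile)) { ts.load(in, storePass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager for " + truststoreFile);
    }

    // Read a PEM file holding the chain the client presents, leaf first
    // (for example the certificates printed by `openssl s_client -showcerts`).
    static X509Certificate[] chainFrom(String pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(pemFile)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    // Usage: java ClientTrustCheck trust.keystore <storepass> client-chain.pem expected-client.pem
    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor(args[0], args[1].toCharArray());
        X509Certificate[] chain = chainFrom(args[2]);
        // Step 1: what clientAuth="true" checks: the chain must end at a truststore
        // certificate. Any leaf issued under a trusted CA passes this step.
        try {
            tm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
        } catch (CertificateException e) {
            System.out.println("REJECTED by truststore: " + e.getMessage());
            return;
        }
        // Step 2: what the connector itself never does: compare the leaf with the one
        // certificate you intend to accept (X509Certificate.equals compares DER encodings).
        X509Certificate expected = chainFrom(args[3])[0];
        System.out.println(chain[0].equals(expected) ? "trusted, and it is the expected certificate"
                : "trusted, but NOT the expected certificate: " + chain[0].getSubjectX500Principal());
    }
}
```

If step 1 accepts a chain you did not expect, the truststore contains a CA that issued it; if step 2 reports a different leaf, the client is sending another certificate than you assume, which is the evidence Marvin asks for above.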
Thread overview: group users (tomcat), posted Aug 25, '11 at 4:53p, last active Aug 27, '11 at 1:28a, 7 posts by 4 users; website tomcat.apache.org, IRC #tomcat.