
[Tomcat-users] SSL issue

Savitha Akella
Aug 25, 2011 at 4:53 pm
Hi,

We have enabled SSL for the web services hosted on Tomcat. As part of the
configuration changes we have modified the server.xml to make changes to the
"connector" element.
We have given the "trustStorePass" value to point to a keystore which has
only the certificate for our web services. Of course the clientAuth parameter
is set to true.
The problem we are facing is even though the client is prompted for the
certificate, the client is authenticated with any certificate instead of
authenticating with the intended one.
Any help is highly appreciated.

Thanks,
Savitha

6 responses

  • Christopher Schultz at Aug 25, 2011 at 6:46 pm
    Savitha,
    On 8/25/2011 12:53 PM, Savitha Akella wrote:
    We have given the "trustStorePass" value to point to a keystore
    which has only the certificate for our web services.
    Do you mean "truststoreFile"?
    Of course the clientAuth parameter is set to true.
    Good.

    Can you post your <Connector> configuration for us? Remember to remove
    any passwords from it.

    -chris
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
  • Savitha Akella at Aug 25, 2011 at 11:02 pm
    here is the connector configuration:

    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
               clientAuth="true" port="443" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" keyAlias="keyalias"
               keystoreFile="d:/users/apache-tomcat-7.0.11/keystore/key.keystore"
               keyPass="changeit"
               truststoreFile="D:/users/apache-tomcat-7.0.11/keystore/trust.keystore"
               truststorePass="changeit" SSLVerifyClient="require" SSLEngine="on"
               SSLVerifyDepth="4" sslProtocol="TLS" />

    Regards,
    Savitha
  • Christopher Schultz at Aug 26, 2011 at 3:25 pm
    Savitha,
    On 8/25/2011 7:01 PM, Savitha Akella wrote:
    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="443" maxThreads="150" scheme="https" secure="true"
    SSLEnabled="true"
    Okay.

    keystoreFile="d:/users/apache-tomcat-7.0.11/keystore/key.keystore"
    keyAlias="keyalias" keyPass="changeit"
    Okay.

    clientAuth="true"
    truststoreFile="D:/users/apache-tomcat-7.0.11/keystore/trust.keystore"
    truststorePass="changeit"
    SSLVerifyClient="require"
    Okay.

    sslProtocol="TLS"
    Should probably be "SSLProtocol", but might not matter. Also, "TLS" is
    not a documented valid value for this attribute.

    http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

    SSLEngine="on"
    SSLEngine is not a recognized attribute.

    SSLVerifyDepth="4" />

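An added example, not from the thread, of how the two attribute dialects separate in Tomcat 7. The posted <Connector> mixes JSSE attributes (clientAuth, truststoreFile, sslProtocol, which does default to "TLS") with attributes Tomcat reads only on the APR/native connector (SSLVerifyClient, SSLVerifyDepth, SSLProtocol) and one that belongs on the AprLifecycleListener (SSLEngine); with protocol="org.apache.coyote.http11.Http11Protocol" the APR ones have no effect. Paths, aliases and passwords below are placeholders, and the assumption that matters for the reported symptom is spelled out in the comments: trust.keystore must hold the CA that issues the client certificates (or, for self-signed client certificates, those exact certificates), because JSSE accepts a client certificate only when it chains to a trusted entry in that store.

```xml
<!-- Added example, not the poster's server.xml. Both connectors bind 443,
     so only one of the two would be present in a real configuration. -->

<!-- JSSE connector: the dialect the posted configuration mostly uses.
     Only these attributes are read by Http11Protocol. -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="443" maxThreads="150"
           scheme="https" secure="true" SSLEnabled="true"
           sslProtocol="TLS"
           keystoreFile="${catalina.base}/keystore/key.keystore"
           keystorePass="changeit"
           keyAlias="keyalias" keyPass="changeit"
           clientAuth="true"
           truststoreFile="${catalina.base}/keystore/trust.keystore"
           truststorePass="changeit"
           trustMaxCertLength="4" />
<!-- trust.keystore must contain a trustedCertEntry for the CA that signs
     client certificates (the "intended one"), not the server's own
     certificate. trustMaxCertLength is the JSSE counterpart of the APR
     SSLVerifyDepth attribute: the number of intermediates accepted when
     validating the client chain. -->

<!-- APR/native connector: the dialect the stray attributes came from.
     SSLEngine="on" lives on the listener, which sits under <Server>, not
     <Service>; certificates and keys are PEM files; SSLVerifyClient and
     SSLVerifyDepth apply here. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="443" maxThreads="150"
           scheme="https" secure="true" SSLEnabled="true"
           SSLProtocol="TLSv1"
           SSLCertificateFile="${catalina.base}/keystore/server.crt"
           SSLCertificateKeyFile="${catalina.base}/keystore/server.key"
           SSLCACertificateFile="${catalina.base}/keystore/client-ca.pem"
           SSLVerifyClient="require"
           SSLVerifyDepth="4" />
```

Whichever dialect is used, the list of trust anchors the server configures is exactly the list of issuer names it advertises in the TLS CertificateRequest, so a client talking to the JSSE variant above will only be offered certificates issued by what is in trust.keystore.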
  • Christopher Schultz at Aug 26, 2011 at 3:28 pm
    Savitha,

    I sent prematurely.
    On 8/26/2011 11:24 AM, Christopher Schultz wrote:
    SSLVerifyDepth="4" />
    How long are your certificate chains? If they are longer than 4, then
    you might not be checking up the chain far enough to get to your
    trusted certificates.

    You might want to check out this thread from the archives. I was
    trying to do something slightly different, but there is good
    information in there:

    http://markmail.org/thread/ri3w5w444ynwsatt

    -chris
  • Crypto Sal at Aug 27, 2011 at 1:28 am

    On 08/26/2011 11:24 AM, Christopher Schultz wrote:
    sslProtocol="TLS"
    Should probably be "SSLProtocol", but might not matter. Also, "TLS" is
    not a documented valid value for this attribute.

    http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

    Kindly double-check your data. I see that it's the default and doesn't
    need to be defined but is probably defined for clarity.

    SSLEngine="on"
    SSLEngine is not a recognized attribute.
    It is for the Listener container. This would turn on/off APR. Seems like
    a simple mistake.

  • Marvin Addison at Aug 26, 2011 at 4:23 pm
    If you've got the container to request and accept a client cert, the
    connector configuration is likely correct and it's an SSL trust
    problem. Please post the output of the following command:

    keytool -list -keystore
    D:/users/apache-tomcat-7.0.11/keystore/trust.keystore -storePass
    changeit

    Also, please post some evidence that the client is sending the cert
    you think it is. OpenSSL s_client is a good choice if you don't
    already have a good tool for SSL troubleshooting.

    M

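The trust check Marvin is asking the poster to gather evidence for, reproduced offline as an added example (not part of the thread, and not Tomcat code). It assumes the OpenSSL command-line tool and builds a constructed throwaway PKI in a temporary directory: a private CA, a self-signed server certificate (the only thing the poster's trust.keystore holds), a client certificate issued by the CA, and a stray self-signed client certificate. It then runs the same decision a client-auth handshake makes, "does this client certificate chain to something in the truststore?", against three candidate truststores. All names and subjects are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway PKI with the OpenSSL
# CLI and runs the trust decision that decides a client-auth handshake: a
# client certificate is accepted only if it chains to a certificate in the
# truststore. All subjects, file names and the directory are constructed here.
set -e

WORK="${WORK:-$(mktemp -d)}"

# One private CA that issues client certs, one self-signed server cert (the
# only thing the thread's trust.keystore held), one client cert issued by the
# CA, and one self-signed "client" cert that nothing in this PKI issued.
gen_pki() {
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=ws.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" 2>/dev/null
    openssl req -new -batch -newkey rsa:2048 -nodes \
        -subj "/CN=intended-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" 2>/dev/null
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=stray-client" \
        -keyout "$WORK/stray.key" -out "$WORK/stray.pem" 2>/dev/null

    # Three candidate truststores, as PEM bundles:
    cp "$WORK/server.pem" "$WORK/trust-serveronly.pem"  # what the thread had
    cp "$WORK/ca.pem"     "$WORK/trust-ca.pem"          # the issuing CA
    cp "$WORK/stray.pem"  "$WORK/trust-pinned.pem"      # the exact client cert
}

# chains_to TRUST_PEM CERT_PEM: succeeds only when CERT_PEM validates against
# TRUST_PEM. The system CA directory may also be consulted, but it cannot
# vouch for anything generated above, so it does not change the outcome.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print one ACCEPT/REJECT line per (truststore, certificate) pair.
demo() {
    gen_pki
    for t in trust-serveronly trust-ca trust-pinned; do
        for c in client stray; do
            if chains_to "$WORK/$t.pem" "$WORK/$c.pem"; then
                printf '%-17s %-7s ACCEPT\n' "$t" "$c"
            else
                printf '%-17s %-7s REJECT\n' "$t" "$c"
            fi
        done
    done
}

demo
```

Only trust-ca accepts the CA-issued client and only trust-pinned accepts the stray self-signed one; a truststore holding nothing but the server's own certificate rejects both. On the live system the equivalent checks are `keytool -list -v -keystore trust.keystore`, which should show a trustedCertEntry whose subject is the client CA (add one with `keytool -importcert -trustcacerts -alias clientca -file ca.pem -keystore trust.keystore`), and `openssl s_client -connect host:443 -cert client.pem -key client.key`, whose "Acceptable client certificate CA names" section lists exactly the subjects the server trusts. If that section shows only the web service's own subject, the server is advertising the wrong trust anchors and no issued client certificate can chain to them.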
