Stunnel certificates
3/1/2023

When accessing a web application that uses client certificate authentication run on Tomcat/APR (on Windows) with Firefox or Chrome, the client cert is "lost" after a short while. To the app it appears the client certificate was not sent.

Example code (JSP fragment, can be the only content of a JSP file):

After a few refreshes of the page (where it will show the client certificate DN) the page will fail with a NullPointerException as request.getAttribute will return null. It usually happens in less than a minute. To be more precise: when reloading about once per second, the problem occurs almost every time after 30 seconds. After that each request will fail the same way, until I restart tomcat. This happens with Firefox (v39 and v40) and Chrome (v44), but not with IE v11. It also occurs with different versions of tomcat and Java (and OS bitness) - see below for a list.

A simple test case using latest versions is:
Download and extract apache-tomcat-8.0.24-windows-x64.zip
In the webapps folder create a folder named cert, there create a file named ccertA.jsp that contains the above code snippet
Open the page and keep refreshing it every few seconds
After about 30 seconds it will show a NPE exception error page.

apache-tomcat-8.0.24-windows-x64 (also 32 bit version) - has APR 1.5.1 and TCN 1.1.33
If I don't use APR (by deleting the tcnative-1.dll file and adapting the connector syntax for JSSE) the problem does not happen.
Ubuntu 14.04 LTS 64 bit / tomcat 7.0.52-1ubuntu0.3 / libapr1:amd64 1.5.0-1 / libtcnative-1:amd64 1.1.29-1

A similar issue was discussed on the tomcat-users mailing list in 2010: "Client certificate gone after 1 minute timeout (SSL, APR)" but with no solution. I posted there myself recently ("Firefox SSL with APR - losing client certificate" has a bit more details), but it is basically just my monologue. Originally I tested with a server certificate issued by my private testing CA. Now I also tried with a "real" certificate issued by a trusted CA. (The browser complained about the hostname mismatch which I clicked away.)

Can upload test CA, server-cert/key and client cert/key for test if required. The issue persists with the new apache-tomcat-8.0.26-windows-x64.

I attach a WAR file that can be used to reproduce the issue. Either unpack the single JSP file in it and put it into the webapps folder under its own folder (like tomcat/webapps/x/a.jsp) or deploy the WAR file under webapps/. The WAR file also contains the CA, server and client certificates that can be used for the test.
download and extract apache-tomcat-8.0.26-windows-x64.zip (make sure you have a Java environment, JAVA_HOME must be set)
The certificate files are in the WAR file, extract them to C:\ (or elsewhere).
put the a.war file to the webapps folder
import the my3.p12 certificate to Firefox (the password is: test)
load the page (when asked, select the certificate imported from my3.p12)
refresh the page (F5) every few seconds
Actual result: about 30 seconds after the first load of the page, the page will show a NPE instead of the certificate name in Firefox.
Note: the issue usually happens in 30 seconds, but sometimes it goes on without error for longer. If so, stop and restart tomcat and try again.

We have a similar (maybe the same) problem.
Client is a legacy application with no HTTPS support.
HTTPS APR connector with SSLVerifyClient="require".
So it uses "stunnel" ( ) for http-to-https proxy.
1) At the first request from this client, the server application sees the client's certificate in X509Certificate correctly.
2) Second and any subsequent requests within the same stunnel connection, the server application didn't see the client's certificate, X509Certificate is null.
3) After the stunnel daemon is restarted, the first request is processed correctly (with certificate info in X509Certificate) and subsequent requests have X509Certificate = null.
The difference is that (based on stunnel's logfile) the first request creates a new SSL session, and subsequent requests reuse that session. Maybe there is a problem within APR that the client certificate is not available when the SSL session is reused. (Other clients than stunnel work without problem.)
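A fail-closed guard a deployer can put in front of a JSP like the one in the reports above, as an added example that is neither the reporter's a.war nor Tomcat's own code; the class name and the clientCertDn attribute are assumptions of mine, while the two request attribute names are the Servlet-spec X509Certificate attribute used in the report and Tomcat's SSL session id attribute. When the certificate chain is missing (the symptom after ~30 s with APR, or after stunnel session reuse) it answers 403 and logs the SSL session id for correlation instead of letting a NullPointerException reach the error page.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Fail-closed guard for client-certificate auth. Hypothetical class, not part of the reporter's a.war.
public class ClientCertGuardFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ClientCertGuardFilter.class.getName());
    // Attribute name defined by the Servlet specification; Tomcat additionally exposes the SSL session id.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String SESSION_ATTR = "javax.servlet.request.ssl_session_id";

    // Subject DN of the leaf certificate, or null when the container presented no chain
    // (the condition the report describes: the attribute is null although the connector requires a cert).
    static String subjectDn(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return (chain.length == 0 || chain[0] == null) ? null : chain[0].getSubjectX500Principal().getName();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String dn = subjectDn(req);
        if (dn == null) {
            // Reject explicitly rather than letting a NullPointerException surface on the error page; the
            // SSL session id lets the log be correlated with the session that did carry a certificate.
            LOG.warning("no client certificate: remote=" + req.getRemoteAddr() + " secure=" + req.isSecure()
                    + " sslSession=" + req.getAttribute(SESSION_ATTR));
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        req.setAttribute("clientCertDn", dn); // the JSP prints this instead of dereferencing the chain itself
        next.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Map the filter to the protected JSP in web.xml; the 403 entries in the log then mark exactly the requests on which the connector dropped the certificate.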