Reputation: 144
We have client certificate authentication in our project. However, for some reason, after the 100th Tomcat release nothing seems to work. We get either a 400 HTTP response, or the certificate header is empty (if we set rejectIllegalHeader="false"), when we proxy to the application through nginx.

Example (header's value), name - ssl_client_cert:

"-----BEGIN CERTIFICATE-----\x0A\x09MIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQ...
\x0A\x09-----END CERTIFICATE-----"

Or ssl_client_raw_cert:

"-----BEGIN CERTIFICATE-----\x0AMIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQsw ...
y2EmDsw=\x0A-----END CERTIFICATE-----\x0A"

I guess here is the commit to blame. Prior to the 100th release everything worked fine.

To bypass that we use ssl_client_escaped_cert instead.

"-----BEGIN%20CERTIFICATE-----%0AMIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9 ...
qgt0Tzy2EmDsw%3D%0A-----END%20CERTIFICATE-----%0A"

Now we have to unescape it manually in Java code:

String certificateInfo = URLDecoder.decode(request.getHeader(headerName), "UTF-8");

Is there a way we can make Tomcat accept a non-escaped certificate in the 100th version and higher?
Upvotes: 1
Views: 403
Reputation: 16615
No, there is no way you can configure Tomcat to allow an HTTP header value that contains 0x0A. Those changes were made in response to CVE-2020-1935.
As an aside, I assume Nginx is performing the client authentication and passing the validated client certificate to Tomcat.
Upvotes: 3
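The following is an added example, not code from the question or the answer, that models what the three nginx variables put into the proxied header and why only the escaped one survives a strict header check. The `nginx_ssl_client_*` functions mirror the documented shapes of `$ssl_client_cert` (tab-prefixed continuation lines), `$ssl_client_raw_cert` (the PEM as-is) and `$ssl_client_escaped_cert` (percent-encoded); that nginx's escaping is plain URI-component escaping is an assumption. `is_legal_header_value` is a re-implementation of the RFC 7230 field-value rule (HTAB, SP, VCHAR, obs-text only), not Tomcat's parser, and `decode_escaped_cert` is the Python counterpart of the question's `URLDecoder.decode(..., "UTF-8")`. The PEM body is constructed filler, since only the string handling is exercised.

```python
import re
from urllib.parse import quote, unquote_plus

# Constructed sample: PEM-shaped filler, not a real certificate. Only the header
# string handling is exercised here, so the base64 body does not need to parse.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQsw+/Ab\n"
    "qgt0Tzy2EmDsw=\n"
    "-----END CERTIFICATE-----\n"
)


def nginx_ssl_client_cert(pem: str) -> str:
    """Model of nginx's $ssl_client_cert: the trailing newline is dropped and a
    tab is inserted after every remaining LF, i.e. the deprecated obs-fold
    continuation form ("\\n\\t") seen in the question."""
    body = pem[:-1] if pem.endswith("\n") else pem
    return body.replace("\n", "\n\t")


def nginx_ssl_client_raw_cert(pem: str) -> str:
    """Model of $ssl_client_raw_cert: the PEM verbatim, bare LFs included."""
    return pem


def nginx_ssl_client_escaped_cert(pem: str) -> str:
    """Model of $ssl_client_escaped_cert. Assumption: nginx applies
    URI-component escaping, so only unreserved characters (alphanumerics and
    '-._~') survive; space becomes %20, LF %0A, '=' %3D, '+' %2B, '/' %2F."""
    return quote(pem, safe="")


# RFC 7230 field-value characters: HTAB, SP, VCHAR (0x21-0x7E) and obs-text
# (0x80-0xFF). CR, LF, NUL and every other control character are illegal.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def is_legal_header_value(value: str) -> bool:
    """Re-implementation of the RFC 7230 field-value rule, the kind of check a
    servlet container applies once it refuses illegal headers (the behaviour
    the answer describes for Tomcat). This is not Tomcat's own parsing code."""
    return _FIELD_VALUE.fullmatch(value) is not None


def decode_escaped_cert(header_value: str) -> str:
    """Python equivalent of the question's Java workaround,
    URLDecoder.decode(value, "UTF-8"). Like URLDecoder, unquote_plus turns a
    literal '+' into a space; that is harmless only because nginx already
    encoded every '+' in the base64 body as %2B."""
    return unquote_plus(header_value)


def classify(pem: str) -> dict:
    """Run all three nginx variable forms through the header check and verify
    that the escaped form round-trips back to the original PEM."""
    folded = nginx_ssl_client_cert(pem)
    raw = nginx_ssl_client_raw_cert(pem)
    escaped = nginx_ssl_client_escaped_cert(pem)
    return {
        "ssl_client_cert": is_legal_header_value(folded),            # False
        "ssl_client_raw_cert": is_legal_header_value(raw),           # False
        "ssl_client_escaped_cert": is_legal_header_value(escaped),   # True
        "escaped_round_trips": decode_escaped_cert(escaped) == pem,  # True
    }


if __name__ == "__main__":
    for name, ok in classify(SAMPLE_PEM).items():
        print(f"{name:26s} {ok}")
```

On the nginx side this corresponds to `proxy_set_header ssl_client_cert $ssl_client_escaped_cert;` (the header name is the one used in the question). Once decoded in Java, the PEM text can be turned into a certificate object with `CertificateFactory.getInstance("X.509").generateCertificate(...)` over the decoded bytes; the decoding step is the only part the escaping adds.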