0

I'm running a tomcat installation with the APR libraries installed (with the OpenSSL HTTPS stack that comes with it).

What I'm trying to do is to lock a specific HTTPS connector down to users of a specific certificate. Adding client certificate verification is no issue, but I can't get it to validate against a specific Common name only.

I was perhaps a bit naïve and thought the mod_ssl attribute SSLRequire typically used in Apache Httpd would work, but that property is not recognized by the Tomcat implementation. (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support points to some mod_ssl docs, but the Tomcat implementation does not seem to cover all aspects of mod_ssl).

I can get this to work by using the Java version of the connector instead of APR (losing some performance) and just add a trust store with that one certificate in it. However, using openssl without the SSLRequire expressions, I'm not sure how to do this with Tomcat7 (on Windows if that matters).

<Connector
   protocol="HTTP/1.1"
   port="443" maxThreads="150"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="mycert.pem"
   SSLCertificateKeyFile="privkey.pem"
   SSLCACertificateFile="CABundle.pem"
   SSLVerifyClient="require" SSLProtocol="TLSv1" SSLRequire="(%{SSL_CLIENT_S_DN_CN} eq &quot;host.example.com&quot;)"/>

Can you suggest a way to make this work using Tomcat/APR/OpenSSL?

Petter Nordlander
  • 103
  • 1
  • 5

1 Answers1

0

The above excerpt is from sever.xml file, right? I have a question, why are you not using your cacerts keystore in whichever JVM/JDK you are using? You're using this to grant https access to your application running on tomcat, right?

I'm surprised PEM format certs worked in TOMCAT. I have always had to convert PEM certs to DER format and then use it in TOMCAT.

I would suggest:

  1. Create cert in your keystore /your/path/to/java/jre/lib/security/cacerts by using keytool binary that comes with your java installation. It is provided for you to put your java app on SSL.

OR

  1. if you already have your CACERT.PEM, convert it to DER using openssl:

openssl x509 -inform PEM -in CACERT.PEM -outform DER -out CACERT.DER

  1. use keytool to import the cert into your keystore.

  2. edit server.xml and the way you go.

Nikolas Sakic
  • 492
  • 2
  • 8
  • PEM should be fine, http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html uses pem in the example configuration. The question is not about how to import CA certs (this is working ok), but how to lock down the HTTPS connection to one single trusted client certificate. – Petter Nordlander Apr 19 '13 at 05:41
  • Is there no option for client-side cert in Connector element? We now there is clientAuth="true", using truststore: truststoreFile, truststorePass, and truststoreType. I haven't tested it yet but client certs go in the trustore keystore if clientAuth is set to true. – Nikolas Sakic Apr 20 '13 at 18:39
  • I guess so. Those types does, however, not work with the APR connector. That would mean I would have to sacrifice performance, which is, unfortunately, not an option – Petter Nordlander Apr 20 '13 at 20:06
  • How much performance are we talking about here? Have you done any sort of testing? – Nikolas Sakic Apr 21 '13 at 03:11
  • Yes I have done. It's not really relevant, as I state in the question - I can get this working using the java connector (JSSE). My question is how to do it using the APR/openssl module. – Petter Nordlander Apr 21 '13 at 08:40
  • @PetterNordlander _SSLCACertificateFile_ is the correct attribute, desc says: "File of concatenated PEM-encoded CA Certificates for Client Auth". See [APR doc](https://tomcat.apache.org/tomcat-6.0-doc/apr.html) or [mod_ssl docs](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile) – David Balažic Sep 16 '15 at 15:24