Re: [jakartaee-platform-dev] [servlet-dev] Help please -- Servlet TCK test issue

Hi,

On Wed, Mar 3, 2021 at 10:15 AM Stuart Douglas <sdouglas@xxxxxxxxxx> wrote:
> I don't think the TCK should limit the client to TLS <=1.2. I think the
> server should do that if it can't support TLS 1.3 with post-handshake
> authentication.
>
> Maybe just change the TCK limit the client for that test to TLS 1.2.

That's what I did a few years ago to make client-cert work in practice, just setting the client to TLS 1.2 via:

System.setProperty("jdk.tls.client.protocols", "TLSv1.2");

Interestingly, debugging GlassFish 6.1.0-SNAPSHOT today, it responded with TLSv1.2 as the only server protocol:
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.303 CET|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "A1 BB 8C 0B 12 A1 C8 DC F5 54 43 86 5C 0F AA 9C 6E 23 DE CE CC 8D A9 9F B4 58 70 6D 15 D5 AA 0A",
  "session id"          : "26 E3 0A F0 C7 72 3A C4 65 2D A9 8C D4 B6 49 F6 1D EF E1 84 B2 08 6C 75 FD 0E B6 09 16 98 15 03",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [53 FA 52 AF B1 F6 7A 53 7C 4D 32 D5 7A C2 61 EC 1F EB 88 42 4A C5 E2 BE]
    }
  ]
}

TLSv1.2 is then negotiated, and GlassFish responds with its usual request for a certificate:

javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:671|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
  "supported signature algorithms": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [CN=localhost-instance, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA, CN=localhost, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA]
}
)
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.310 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp512r1_sha512
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.310 CET|X509Authentication.java:213|No X.509 cert selected for RSA
[...]
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312 CET|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312 CET|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:774|No available authentication scheme
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)

This then obviously fails. I'm not sure why GlassFish responds with TLSv1.2 only now, but it might be some setting in its HTTPS connector config. The full (formatted) start command for GlassFish was:

 /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java 
    -cp glassfish/modules/glassfish.jar 
    -XX:+UnlockDiagnosticVMOptions 
    -XX:NewRatio=2 
    -Xmx512m 
    -Xbootclasspath/a:glassfish/lib/grizzly-npn-api.jar 
    -Xbootclasspath/a:glassfish/lib/resolver.jar 
    --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED 
    --add-opens=java.base/sun.net.www.protocol.jrt=ALL-UNNAMED 
    --add-opens=java.base/java.lang=ALL-UNNAMED 
    --add-opens=java.base/java.util=ALL-UNNAMED 
    --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED 
    -javaagent:glassfish/lib/monitor/flashlight-agent.jar 
    -Djava.awt.headless=true 
    -Djdk.corba.allowOutputStreamSubclass=true 
    
    -Djdk.tls.rejectClientInitiatedRenegotiation=true 
    -Djavax.net.ssl.keyStore=/glassfish/domains/domain1/config/keystore.jks 
    -Djavax.net.ssl.trustStore=/glassfish/domains/domain1/config/cacerts.jks 
    -Djava.security.policy=/glassfish/domains/domain1/config/server.policy 
    -Djava.security.auth.login.config=/glassfish/domains/domain1/config/login.conf 
    -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as 
    
    -Djavax.xml.accessExternalSchema=all 
    -Djdbc.drivers=org.apache.derby.jdbc.ClientDriver 
    -DANTLR_USE_DIRECT_CLASS_LOADING=true 
    -Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory 
    
    -Dorg.glassfish.additionalOSGiBundlesToStart=org.apache.felix.shell,org.apache.felix.gogo.runtime,org.apache.felix.gogo.shell,org.apache.felix.gogo.command,org.apache.felix.shell.remote,org.apache.felix.fileinstall 
    -Dosgi.shell.telnet.port=6666 
    -Dosgi.shell.telnet.maxconn=1 
    -Dosgi.shell.telnet.ip=127.0.0.1 
    -Dgosh.args=--nointeractive 
    -Dfelix.fileinstall.dir=/glassfish/modules/autostart/ 
    -Dfelix.fileinstall.poll=5000 -Dfelix.fileinstall.log.level=2 
    -Dfelix.fileinstall.bundles.new.start=true 
    -Dfelix.fileinstall.bundles.startTransient=true 
    -Dfelix.fileinstall.disableConfigSave=false 
    
    -Dcom.ctc.wstx.returnNullForDefaultNamespace=true 
    -Dcom.sun.aas.instanceRoot=/glassfish/domains/domain1 
    -Dcom.sun.aas.installRoot=/glassfish 
    -Djava.library.path=/glassfish/lib:/Library/Java/Extensions:/Network/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java:/ee9-tck/servlet/security-clientcert 

     com.sun.enterprise.glassfish.bootstrap.ASMain 

     -upgrade false 
     -domaindir /glassfish/domains/domain1 \
     -read-stdin true 
     -asadmin-args --host,,,localhost,,,--port,,,4848,,,--secure=false,,,--terse=true,,,--echo=false,,,--interactive=false,,,start-domain,,,--verbose=false,,,--watchdog=false,,,--debug=false,,,--domaindir,,,glassfish/domains,,,domain1 
     -domainname domain1 
     -instancename server -type DAS -verbose false 
     -asadmin-classpath /glassfish/modules/admin-cli.jar 
     -debug false 
     -asadmin-classname com.sun.enterprise.admin.cli.AdminMain

Kind regards,
Arjan Tijms
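The two options discussed in this thread, written out in plain JSSE as an added example (this is not code from the thread, the TCK, or GlassFish): capping the protocol on the client side, scoped to one socket instead of the whole JVM as the jdk.tls.client.protocols property does, and capping it on the server side so that a container which requests the client certificate on demand (renegotiation under TLS 1.2, which would need post-handshake authentication under TLS 1.3) never negotiates TLS 1.3 in the first place. Host, port and the default key/trust material (taken from the javax.net.ssl.* properties, as in the start command above) are placeholders.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class TlsVersionCap {

    // Client side: same effect as -Djdk.tls.client.protocols=TLSv1.2, but only
    // for this socket. The ClientHello will not offer TLSv1.3, so the server
    // cannot pick it and the legacy CertificateRequest path stays available.
    public static SSLSocket clientSocketCappedToTls12(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);               // default key and trust managers
        SSLSocketFactory sf = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) sf.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});
        socket.setSSLParameters(params);
        return socket;
    }

    // Server side: the alternative suggested in the thread. A server that asks
    // for the client certificate only after seeing the request (i.e. it needs
    // renegotiation, or PHA under TLS 1.3) simply does not enable TLSv1.3.
    // The certificate is not demanded up front; wantClientAuth stays false.
    public static SSLServerSocket serverSocketCappedToTls12(int port) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) ssf.createServerSocket(port);
        server.setEnabledProtocols(new String[] {"TLSv1.2"});
        server.setWantClientAuth(false);
        return server;
    }

    // Check what was actually negotiated; useful when, as above, it is unclear
    // whether the client cap or a server-side setting produced "TLSv1.2".
    public static String negotiatedProtocol(SSLSocket socket) throws IOException {
        socket.startHandshake();
        return socket.getSession().getProtocol();   // e.g. "TLSv1.2"
    }
}
```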
