Re: [jakartaee-platform-dev] [servlet-dev] [glassfish-dev] Help please -

[Mark Thomas <markt@xxxxxxxxxx>]

I've spent a little time looking at this this afternoon.

The two tests are essentially the same. One configures the security 
constraints in web.xml, the other via annotations.

As of Java 11, TLS 1.3 support is optional.

Most (all?) Java 11 implementations support TLS 1.3 and it is enabled by 
default for both client and server.

The sequence of events in the test is as follows:

- Client connects.
- TLS handshake, no client authentication.
- Client sends request
- Server parses it and maps it to a web application
- Server compares request to security constraints
- Security constraints require CLIENT-CERT
- Request fails because server cannot trigger post-handshake
  authentication

(Even if the server did support PHA, the client doesn't so it will fail 
there instead).

My reading of the spec is that the ability to create per URL security 
constraints strongly implies that renegotiation / PHA needs to be 
supported. The existence of this test supports that view.

I think the test is valid and should stay.

I have also read through section 2.2.2 of the Jakarta Servlet TCK user's 
guide. I think we should use the following rule:

<quote>
Servlet5 The Maintenance Lead can define exceptions to these Rules. Such 
exceptions would be made available as above, and will apply to all 
vendor implementations.
</quote>

My suggestion would be something like:

"If running on a JRE that supports TLS 1.3+ but does not support 
post-handshake authentication, it is permitted to run the TCK with the 
product configured to use TLS<=1.2 (i.e. disable TLS 1.3+) even if that 
is not the default configuration."

Separately, we should add a note somewhere in the servlet spec that 
HTTP/2 and renegotiation are not compatible.

Mark


On 03/03/2021 15:29, arjan tijms wrote:
> Hi,
>
> On Wed, Mar 3, 2021 at 4:04 PM Steve Millidge (Payara) 
> <steve.millidge@xxxxxxxxxxx> wrote:
>
>     I doubt anybody has written any code for TLS13 in GlassFish?
>
>
> I think it would switch to TLSv1.3 automatically and transparently.
>
> I have to check again, but I'm pretty sure Payara when I worked on it in 
> mid 2019 switched to TLSv1.3 on JDK 11. That's why I added this 
> switch here: 
> https://github.com/javaee-samples/javaee7-samples/blob/master/servlet/security-clientcert/src/test/java/org/javaee7/servlet/security/clientcert/SecureServletTest.java#L107 
> <https://github.com/javaee-samples/javaee7-samples/blob/master/servlet/security-clientcert/src/test/java/org/javaee7/servlet/security/clientcert/SecureServletTest.java#L107>
>
> Kind regards,
> Arjan Tijms
>
>
>
>     ____
>
>     __ __
>
>     Steve____
>
>     __ __
>
>     *From:*jakartaee-platform-dev
>     <jakartaee-platform-dev-bounces@xxxxxxxxxxx
>     <mailto:jakartaee-platform-dev-bounces@xxxxxxxxxxx>> *On Behalf Of
>     *arjan tijms
>     *Sent:* 03 March 2021 10:23
>     *To:* servlet developer discussions <servlet-dev@xxxxxxxxxxx
>     <mailto:servlet-dev@xxxxxxxxxxx>>
>     *Cc:* glassfish developer discussions <glassfish-dev@xxxxxxxxxxx
>     <mailto:glassfish-dev@xxxxxxxxxxx>>; jakartaee-platform developer
>     discussions <jakartaee-platform-dev@xxxxxxxxxxx
>     <mailto:jakartaee-platform-dev@xxxxxxxxxxx>>
>     *Subject:* Re: [jakartaee-platform-dev] [servlet-dev] Help please --
>     Servlet TCK test issue____
>
>     __ __
>
>     Hi,____
>
>     __ __
>
>     On Wed, Mar 3, 2021 at 10:15 AM Stuart Douglas <sdouglas@xxxxxxxxxx
>     <mailto:sdouglas@xxxxxxxxxx>> wrote:____
>
>             I don't think the TCK should limit the client to TLS <=1.2.
>             I think the
>             server should do that if it can't support TLS 1.3 with
>             post-handshake
>             authentication.____
>
>         __ __
>
>         Maybe just change the TCK limit the client for that test to TLS
>         1.2.____
>
>     __ __
>
>     That's what I did a few years ago to make client-cert work in
>     practice, just setting the client to TLS 1.2 via:____
>
>     __ __
>
>     System.setProperty("jdk.tls.client.protocols", "TLSv1.2");____
>
>     __ __
>
>     Interestingly, debugging GlassFish 6.1.0-SNAPSHOT today, it
>     responded with TLSv1.2 as the only server protocol:____
>
>     __ __
>
>     __ __
>
>     javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.303
>     CET|ServerHello.java:871|Consuming ServerHello handshake message (____
>
>     "ServerHello": {____
>
>        "server version"      : "TLSv1.2",____
>
>        "random"              : "A1 BB 8C 0B 12 A1 C8 DC F5 54 43 86 5C
>     0F AA 9C 6E 23 DE CE CC 8D A9 9F B4 58 70 6D 15 D5 AA 0A",____
>
>        "session id"          : "26 E3 0A F0 C7 72 3A C4 65 2D A9 8C D4
>     B6 49 F6 1D EF E1 84 B2 08 6C 75 FD 0E B6 09 16 98 15 03",____
>
>        "cipher suite"        :
>     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",____
>
>        "compression methods" : "00",____
>
>        "extensions"          : [____
>
>          "extended_master_secret (23)": {____
>
>            <empty>____
>
>          },____
>
>          "renegotiation_info (65,281)": {____
>
>            "renegotiated connection": [53 FA 52 AF B1 F6 7A 53 7C 4D 32
>     D5 7A C2 61 EC 1F EB 88 42 4A C5 E2 BE]____
>
>          }____
>
>        ]____
>
>     }____
>
>     __ __
>
>     TLSv1.2 is then negotiated, and GlassFish responds with its usual
>     request for a certificate:____
>
>     __ __
>
>     javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.309
>     CET|CertificateRequest.java:671|Consuming CertificateRequest
>     handshake message (____
>
>     "CertificateRequest": {____
>
>        "certificate types": [ecdsa_sign, rsa_sign, dss_sign]____
>
>        "supported signature algorithms": [ecdsa_secp256r1_sha256,
>     ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256,
>     rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
>     rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256,
>     rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224,
>     rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]____
>
>        "certificate authorities": [CN=localhost-instance, OU=GlassFish,
>     O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA,
>     CN=localhost, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa,
>     ST=Ontario, C=CA]____
>
>     }____
>
>     )____
>
>     javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309
>     CET|X509Authentication.java:213|No X.509 cert selected for EC____
>
>     javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309
>     CET|CertificateRequest.java:764|Unavailable authentication scheme:
>     ecdsa_secp256r1_sha256____
>
>     javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309
>     CET|X509Authentication.java:213|No X.509 cert selected for EC____
>
>     javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309
>     CET|CertificateRequest.java:764|Unavailable authentication scheme:
>     ecdsa_secp384r1_sha384____
>
>     javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309
>     CET|X509Authentication.java:213|No X.509 cert selected for EC____
>
>     javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.310
>     CET|CertificateRequest.java:764|Unavailable authentication scheme:
>     ecdsa_secp512r1_sha512____
>
>     javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.310
>     CET|X509Authentication.java:213|No X.509 cert selected for RSA____
>
>     [...]____
>
>     javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312
>     CET|X509Authentication.java:213|No X.509 cert selected for RSA____
>
>     javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312
>     CET|CertificateRequest.java:764|Unavailable authentication scheme:
>     rsa_pkcs1_sha1____
>
>     javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312
>     CET|X509Authentication.java:213|No X.509 cert selected for DSA____
>
>     javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312
>     CET|CertificateRequest.java:764|Unavailable authentication scheme:
>     dsa_sha1____
>
>     javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312
>     CET|CertificateRequest.java:774|No available authentication scheme____
>
>     javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312
>     CET|ServerHelloDone.java:151|Consuming ServerHelloDone handshake
>     message (____
>
>     <empty>____
>
>     )____
>
>     javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312
>     CET|CertificateMessage.java:290|No X.509 certificate for client
>     authentication, use empty Certificate message instead____
>
>     javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312
>     CET|CertificateMessage.java:321|Produced client Certificate
>     handshake message (____
>
>     "Certificates": <empty list>____
>
>     )____
>
>     __ __
>
>     This then obviously fails. I'm not sure why GlassFish responds with
>     TLSv1.2 only now, but might be some setting in its HTTPS connector
>     config. The full (formatted) start command for GlassFish was:____
>
>     __ __
>
>       /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java ____
>
>          -cp glassfish/modules/glassfish.jar ____
>
>          -XX:+UnlockDiagnosticVMOptions ____
>
>          -XX:NewRatio=2 ____
>
>          -Xmx512m ____
>
>          -Xbootclasspath/a:glassfish/lib/grizzly-npn-api.jar ____
>
>          -Xbootclasspath/a:glassfish/lib/resolver.jar ____
>
>         
>     --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED ____
>
>          --add-opens=java.base/sun.net.www.protocol.jrt=ALL-UNNAMED ____
>
>          --add-opens=java.base/java.lang=ALL-UNNAMED ____
>
>          --add-opens=java.base/java.util=ALL-UNNAMED ____
>
>          --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED ____
>
>          -javaagent:glassfish/lib/monitor/flashlight-agent.jar ____
>
>          -Djava.awt.headless=true ____
>
>          -Djdk.corba.allowOutputStreamSubclass=true ____
>
>     ____
>
>          -Djdk.tls.rejectClientInitiatedRenegotiation=true ____
>
>         
>     -Djavax.net.ssl.keyStore=/glassfish/domains/domain1/config/keystore.jks
>     ____
>
>         
>     -Djavax.net.ssl.trustStore=/glassfish/domains/domain1/config/cacerts.jks
>     ____
>
>         
>     -Djava.security.policy=/glassfish/domains/domain1/config/server.policy
>     ____
>
>         
>     -Djava.security.auth.login.config=/glassfish/domains/domain1/config/login.conf
>     ____
>
>          -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as ____
>
>     ____
>
>          -Djavax.xml.accessExternalSchema=all ____
>
>          -Djdbc.drivers=org.apache.derby.jdbc.ClientDriver ____
>
>          -DANTLR_USE_DIRECT_CLASS_LOADING=true ____
>
>         
>     -Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory
>     ____
>
>     ____
>
>         
>     -Dorg.glassfish.additionalOSGiBundlesToStart=org.apache.felix.shell,org.apache.felix.gogo.runtime,org.apache.felix.gogo.shell,org.apache.felix.gogo.command,org.apache.felix.shell.remote,org.apache.felix.fileinstall
>     ____
>
>          -Dosgi.shell.telnet.port=6666 ____
>
>          -Dosgi.shell.telnet.maxconn=1 ____
>
>          -Dosgi.shell.telnet.ip=127.0.0.1 ____
>
>          -Dgosh.args=--nointeractive ____
>
>          -Dfelix.fileinstall.dir=/glassfish/modules/autostart/ ____
>
>          -Dfelix.fileinstall.poll=5000 -Dfelix.fileinstall.log.level=2 ____
>
>          -Dfelix.fileinstall.bundles.new.start=true ____
>
>          -Dfelix.fileinstall.bundles.startTransient=true ____
>
>          -Dfelix.fileinstall.disableConfigSave=false ____
>
>     ____
>
>          -Dcom.ctc.wstx.returnNullForDefaultNamespace=true ____
>
>          -Dcom.sun.aas.instanceRoot=/glassfish/domains/domain1 ____
>
>          -Dcom.sun.aas.installRoot=/glassfish ____
>
>         
>     -Djava.library.path=/glassfish/lib:/Library/Java/Extensions:/Network/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java:/ee9-tck/servlet/security-clientcert
>     ____
>
>     __ __
>
>           com.sun.enterprise.glassfish.bootstrap.ASMain ____
>
>     __ __
>
>           -upgrade false ____
>
>           -domaindir /glassfish/domains/domain1 \____
>
>           -read-stdin true ____
>
>           -asadmin-args
>     --host,,,localhost,,,--port,,,4848,,,--secure=false,,,--terse=true,,,--echo=false,,,--interactive=false,,,start-domain,,,--verbose=false,,,--watchdog=false,,,--debug=false,,,--domaindir,,,glassfish/domains,,,domain1
>     ____
>
>           -domainname domain1 ____
>
>           -instancename server -type DAS -verbose false ____
>
>           -asadmin-classpath /glassfish/modules/admin-cli.jar ____
>
>           -debug false ____
>
>           -asadmin-classname com.sun.enterprise.admin.cli.AdminMain____
>
>     __ __
>
>     Kind regards,____
>
>     Arjan Tijms____
>
>     __ __
>
>     _______________________________________________
>     glassfish-dev mailing list
>     glassfish-dev@xxxxxxxxxxx <mailto:glassfish-dev@xxxxxxxxxxx>
>     To unsubscribe from this list, visit
>     https://www.eclipse.org/mailman/listinfo/glassfish-dev
>     <https://www.eclipse.org/mailman/listinfo/glassfish-dev>
>
>
> _______________________________________________
> servlet-dev mailing list
> servlet-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev