Re: [servlet-dev] Help please -- Servlet TCK test issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [servlet-dev] Help please -- Servlet TCK test issue

From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, 3 Mar 2021 07:51:29 +0000
Delivered-to: servlet-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/servlet-dev/>
List-help: <mailto:servlet-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/servlet-dev>, <mailto:servlet-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/servlet-dev>, <mailto:servlet-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1

On 02/03/2021 22:28, Stuart Douglas wrote:

On Tue, 2 Mar 2021 at 20:18, arjan tijms <arjan.tijms@xxxxxxxxx<mailto:arjan.tijms@xxxxxxxxx>> wrote:
    Hi,

    In general, TLS 1.3 is not fully compatible with Servlet since for
    some reason the JEP decided to exclude Post-Handshake Authentication
    in Java. See https://openjdk.java.net/jeps/332
    <https://openjdk.java.net/jeps/332>.

    This is exactly what Servlet needs.
Technically I don't think Servlet does need it, it's just the way theTCK is written needs it. AFAIK the spec does not explicitly requiresupport for post handshake auth.

It might not be explicitly called out but the the specification clearlydoes require support for post handshake authentication.

Without it you can't have application A using BASIC auth over TLS andapplication B using CLIENT-CERT and navigate from app A to app B in thesame connection.

Similarly, without it you can't implement security constraints thatprotect an entire application with TLS but only require CLIENT-CERTauthentication for a subset of the application and allows access to therest without a certificate.

There ways you can hack around some of these complications (makecertificates optional, make certificates required for the entire app)but you quickly come up against use cases where these workarounds areinsufficient.

From memory the issue with the TCK is that if you use REQUIRED for theclient auth mode and always request certificates some tests will failthat are not expecting anauthenticated user, which is why post handshake auth is required. Mymemory may be a bit out of date though, it has been a few years since Iran into this.

The TCK is testing at least one of the scenarios above and confirmingthat renegotation (TLS <=1.2) or post handshake authentication (TLS1.3+) is available.

Technically these tests could probably be challenged,


My view is that any such challenge should be rejected.

or worked around by onlyexposing the user/client cert info if auth is actually required (it hasbeen a few years though, so my
memory may be incorrect).


I don't think that is possible.

The approach Tomcat took is that if you want to pass the TCK in aconfiguration that uses a pure JDK/JSSE solution then you need toconfigure the container to use TLS <=1.2 only. Neither the servletspecification nor the TCK requires TLS 1.3.

I don't think the TCK should limit the client to TLS <=1.2. I think theserver should do that if it can't support TLS 1.3 with post-handshakeauthentication.


Mark

Follow-Ups:
- Re: [servlet-dev] Help please -- Servlet TCK test issue
  - From: Stuart Douglas

References:
- [servlet-dev] Help please -- Servlet TCK test issue
  - From: Ed Bratt
- Re: [servlet-dev] Help please -- Servlet TCK test issue
  - From: Stuart Douglas
- Re: [servlet-dev] Help please -- Servlet TCK test issue
  - From: arjan tijms
- Re: [servlet-dev] Help please -- Servlet TCK test issue
  - From: Stuart Douglas

Prev by Date: Re: [servlet-dev] Help please -- Servlet TCK test issue
Next by Date: Re: [servlet-dev] Help please -- Servlet TCK test issue
Previous by thread: Re: [servlet-dev] Help please -- Servlet TCK test issue
Next by thread: Re: [servlet-dev] Help please -- Servlet TCK test issue
Index(es):
- Date
- Thread

Breadcrumbs