Re: [servlet-dev] [glassfish-dev] [jakartaee-platform-dev] Help please -- Servlet TCK test issue

Hi,

On Wed, Mar 3, 2021 at 4:04 PM Steve Millidge (Payara) <steve.millidge@xxxxxxxxxxx> wrote:

I doubt anybody has written any code for TLS13 in GlassFish?


I think it would switch to TLSv1.3 automatically and transparently. 

I have to check again, but I'm pretty sure Payara when I worked on it in mid 2019 switched to TLSv1.3 on JDK 11. That's why I added this switch here: https://github.com/javaee-samples/javaee7-samples/blob/master/servlet/security-clientcert/src/test/java/org/javaee7/servlet/security/clientcert/SecureServletTest.java#L107

Kind regards,
Arjan Tijms

Steve

From: jakartaee-platform-dev <jakartaee-platform-dev-bounces@xxxxxxxxxxx> On Behalf Of arjan tijms
Sent: 03 March 2021 10:23
To: servlet developer discussions <servlet-dev@xxxxxxxxxxx>
Cc: glassfish developer discussions <glassfish-dev@xxxxxxxxxxx>; jakartaee-platform developer discussions <jakartaee-platform-dev@xxxxxxxxxxx>
Subject: Re: [jakartaee-platform-dev] [servlet-dev] Help please -- Servlet TCK test issue

Hi,

On Wed, Mar 3, 2021 at 10:15 AM Stuart Douglas <sdouglas@xxxxxxxxxx> wrote:

I don't think the TCK should limit the client to TLS <=1.2. I think the
server should do that if it can't support TLS 1.3 with post-handshake
authentication.

Maybe just change the TCK to limit the client for that test to TLS 1.2.

That's what I did a few years ago to make client-cert work in practice, just setting the client to TLS 1.2 via:

System.setProperty("jdk.tls.client.protocols", "TLSv1.2");

Interestingly, debugging GlassFish 6.1.0-SNAPSHOT today, it responded with TLSv1.2 as the only server protocol:

javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.303 CET|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "A1 BB 8C 0B 12 A1 C8 DC F5 54 43 86 5C 0F AA 9C 6E 23 DE CE CC 8D A9 9F B4 58 70 6D 15 D5 AA 0A",
  "session id"          : "26 E3 0A F0 C7 72 3A C4 65 2D A9 8C D4 B6 49 F6 1D EF E1 84 B2 08 6C 75 FD 0E B6 09 16 98 15 03",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [53 FA 52 AF B1 F6 7A 53 7C 4D 32 D5 7A C2 61 EC 1F EB 88 42 4A C5 E2 BE]
    }
  ]
}

TLSv1.2 is then negotiated, and GlassFish responds with its usual request for a certificate:

javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:671|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
  "supported signature algorithms": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [CN=localhost-instance, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA, CN=localhost, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA]
}
)
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.310 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp512r1_sha512
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.310 CET|X509Authentication.java:213|No X.509 cert selected for RSA
[...]
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312 CET|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312 CET|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:774|No available authentication scheme
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)

This then obviously fails. I'm not sure why GlassFish responds with TLSv1.2 only now, but might be some setting in its HTTPS connector config. The full (formatted) start command for GlassFish was:

 /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java
    -cp glassfish/modules/glassfish.jar
    -XX:+UnlockDiagnosticVMOptions
    -XX:NewRatio=2
    -Xmx512m
    -Xbootclasspath/a:glassfish/lib/grizzly-npn-api.jar
    -Xbootclasspath/a:glassfish/lib/resolver.jar
    --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED
    --add-opens=java.base/sun.net.www.protocol.jrt=ALL-UNNAMED
    --add-opens=java.base/java.lang=ALL-UNNAMED
    --add-opens=java.base/java.util=ALL-UNNAMED
    --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
    -javaagent:glassfish/lib/monitor/flashlight-agent.jar
    -Djava.awt.headless=true
    -Djdk.corba.allowOutputStreamSubclass=true

    -Djdk.tls.rejectClientInitiatedRenegotiation=true
    -Djavax.net.ssl.keyStore=/glassfish/domains/domain1/config/keystore.jks
    -Djavax.net.ssl.trustStore=/glassfish/domains/domain1/config/cacerts.jks
    -Djava.security.policy=/glassfish/domains/domain1/config/server.policy
    -Djava.security.auth.login.config=/glassfish/domains/domain1/config/login.conf
    -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as

    -Djavax.xml.accessExternalSchema=all
    -Djdbc.drivers=org.apache.derby.jdbc.ClientDriver
    -DANTLR_USE_DIRECT_CLASS_LOADING=true
    -Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory

    -Dorg.glassfish.additionalOSGiBundlesToStart=org.apache.felix.shell,org.apache.felix.gogo.runtime,org.apache.felix.gogo.shell,org.apache.felix.gogo.command,org.apache.felix.shell.remote,org.apache.felix.fileinstall
    -Dosgi.shell.telnet.port=6666
    -Dosgi.shell.telnet.maxconn=1
    -Dosgi.shell.telnet.ip=127.0.0.1
    -Dgosh.args=--nointeractive
    -Dfelix.fileinstall.dir=/glassfish/modules/autostart/
    -Dfelix.fileinstall.poll=5000 -Dfelix.fileinstall.log.level=2
    -Dfelix.fileinstall.bundles.new.start=true
    -Dfelix.fileinstall.bundles.startTransient=true
    -Dfelix.fileinstall.disableConfigSave=false

    -Dcom.ctc.wstx.returnNullForDefaultNamespace=true
    -Dcom.sun.aas.instanceRoot=/glassfish/domains/domain1
    -Dcom.sun.aas.installRoot=/glassfish
    -Djava.library.path=/glassfish/lib:/Library/Java/Extensions:/Network/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java:/ee9-tck/servlet/security-clientcert

     com.sun.enterprise.glassfish.bootstrap.ASMain

     -upgrade false
     -domaindir /glassfish/domains/domain1
     -read-stdin true
     -asadmin-args --host,,,localhost,,,--port,,,4848,,,--secure=false,,,--terse=true,,,--echo=false,,,--interactive=false,,,start-domain,,,--verbose=false,,,--watchdog=false,,,--debug=false,,,--domaindir,,,glassfish/domains,,,domain1
     -domainname domain1
     -instancename server -type DAS -verbose false
     -asadmin-classpath /glassfish/modules/admin-cli.jar
     -debug false
     -asadmin-classname com.sun.enterprise.admin.cli.AdminMain

Kind regards,
Arjan Tijms
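Two things can be read straight off the debug output quoted in that message. The ServerHello's renegotiation_info extension carries a 24-byte "renegotiated connection" value; under RFC 5746 (section 3.7) that field is empty on an initial handshake and holds client_verify_data followed by server_verify_data only on a renegotiation, so the CertificateRequest that follows is the container asking for the client certificate lazily through a TLS 1.2 renegotiation, the mechanism TLS 1.3 removed in favour of post-handshake authentication, which is what Stuart's reply refers to. On the client side, "No X.509 cert selected for EC/RSA/DSA" is JSSE reporting that its key manager found no key of that type for the listed issuers, which is why an empty Certificate message goes back. The script below is an added example (my own code, not from this thread, GlassFish, the Servlet TCK or the JDK) that parses a JSSE client's -Djavax.net.ssl.debug=all output and reports exactly those two findings; its sample log is constructed from the quoted lines, trimmed, and the message wording it matches is the JDK 11 rendering shown above.

```python
"""Parse a JSSE client's -Djavax.net.ssl.debug=all handshake output and explain why a
CLIENT-CERT handshake ended with an empty client Certificate message.
Example code added to this thread; not part of GlassFish, the JDK or the Servlet TCK."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the client-side debug lines quoted above, trimmed to what matters.
SAMPLE_LOG = """\
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.303 CET|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [53 FA 52 AF B1 F6 7A 53 7C 4D 32 D5 7A C2 61 EC 1F EB 88 42 4A C5 E2 BE]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:671|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
  "certificate authorities": [CN=localhost-instance, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA, CN=localhost, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA]
}
)
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.310 CET|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:774|No available authentication scheme
javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
"""

# One record per 'javax.net.ssl|level|id|thread|time|source|message' line; body lines follow it.
RECORD_RE = re.compile(r"^javax\.net\.ssl\|(?:[^|]*\|){5}(.*)$")


def parse_records(log: str) -> List[Tuple[str, str]]:
    records: List[Tuple[str, List[str]]] = []
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), []))
        elif records:
            records[-1][1].append(line)
    return [(msg, "\n".join(body)) for msg, body in records]


@dataclass
class HandshakeSummary:
    protocol: Optional[str] = None
    renegotiation: bool = False
    cert_requested: bool = False
    certificate_types: List[str] = field(default_factory=list)
    accepted_cas: List[str] = field(default_factory=list)
    key_types_without_cert: List[str] = field(default_factory=list)
    client_sent_empty_certificate: bool = False


def summarize(log: str) -> HandshakeSummary:
    s = HandshakeSummary()
    for msg, body in parse_records(log):
        if msg.startswith("Consuming ServerHello"):
            m = re.search(r'"server version"\s*:\s*"([^"]+)"', body)
            s.protocol = m.group(1) if m else None
            # RFC 5746 3.7: renegotiated_connection is empty on the initial handshake and holds
            # client_verify_data + server_verify_data (24 bytes in TLS 1.2) on a renegotiation.
            m = re.search(r'"renegotiated connection"\s*:\s*\[([^\]]*)\]', body)
            s.renegotiation = bool(m and m.group(1).strip())
        elif msg.startswith("Consuming CertificateRequest"):
            s.cert_requested = True
            m = re.search(r'"certificate types"\s*:\s*\[([^\]]*)\]', body)
            s.certificate_types = [t.strip() for t in m.group(1).split(",")] if m else []
            # The DNs are flattened into one comma-separated list; each one starts with CN=.
            m = re.search(r'"certificate authorities"\s*:\s*\[([^\]]*)\]', body)
            s.accepted_cas = re.split(r",\s*(?=CN=)", m.group(1).strip()) if m else []
        elif msg.startswith("No X.509 cert selected for "):
            # JSSE's X509KeyManager.chooseClientAlias returned null for this key type.
            key_type = msg.rsplit(" ", 1)[1]
            if key_type not in s.key_types_without_cert:
                s.key_types_without_cert.append(key_type)
        elif msg.startswith("Produced client Certificate"):
            s.client_sent_empty_certificate = "<empty list>" in body
    return s


def diagnose(s: HandshakeSummary) -> List[str]:
    """The findings someone debugging the TCK client-cert test would want to read."""
    findings: List[str] = []
    if s.cert_requested and s.renegotiation:
        findings.append(f"CertificateRequest arrived in a {s.protocol} renegotiation: the server "
                        "asks for the client cert lazily, which only exists up to TLS 1.2 (TLS 1.3 "
                        "has no renegotiation and would need post-handshake authentication).")
    if s.cert_requested and s.client_sent_empty_certificate:
        findings.append("Client key manager found no " + "/".join(s.key_types_without_cert)
                        + " key for an accepted issuer (" + "; ".join(s.accepted_cas)
                        + "); it sent an empty Certificate, so the server will fail the request.")
    return findings
```

Calling diagnose(summarize(SAMPLE_LOG)) returns both findings for the quoted capture; on a real run, paste the whole client debug output in place of SAMPLE_LOG. Other JDK releases word the debug messages differently, so the startswith() prefixes may need adjusting there.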

 
