Re: [servlet-dev] [glassfish-dev] [jakartaee-platform-dev] Help please -- Servlet TCK test issue

I've spent a little time looking at this this afternoon.

The two tests are essentially the same. One configures the security constraints in web.xml, the other via annotations.

As of Java 11, TLS 1.3 support is optional.

Most (all?) Java 11 implementations support TLS 1.3 and it is enabled by default for both client and server.

The sequence of events in the test is as follows:

- Client connects.
- TLS handshake, no client authentication.
- Client sends request.
- Server parses it and maps it to a web application.
- Server compares request to security constraints.
- Security constraints require CLIENT-CERT.
- Request fails because server cannot trigger post-handshake authentication.

(Even if the server did support PHA, the client doesn't so it will fail there instead).

My reading of the spec is that the ability to create per URL security constraints strongly implies that renegotiation / PHA needs to be supported. The existence of this test supports that view.

I think the test is valid and should stay.

I have also read through section 2.2.2 of the Jakarta Servlet TCK user's guide. I think we should use the following rule:

<quote>
Servlet5 The Maintenance Lead can define exceptions to these Rules. Such exceptions would be made available as above, and will apply to all vendor implementations.
</quote>

My suggestion would be something like:

"If running on a JRE that supports TLS 1.3+ but does not support post-handshake authentication, it is permitted to run the TCK with the product configured to use TLS<=1.2 (i.e. disable TLS 1.3+) even if that is not the default configuration."

Separately, we should add a note somewhere in the servlet spec that HTTP/2 and renegotiation are not compatible.

Mark
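The sequence above and the proposed TCK rule, written out as an added Java example. This is not code from the thread, from GlassFish or from the TCK; the method names, the `Outcome` enum and the `serverSupportsPha` flag are assumptions (the JRE exposes no API that reports whether it can trigger post-handshake authentication, so a container has to carry that knowledge itself). The server-side protocol restriction is the counterpart of the client-side `jdk.tls.client.protocols` property mentioned later in the thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example, not part of the original message or of any servlet container.
public class ClientCertConstraintCheck {

    /** How a container can (or cannot) satisfy a per-URL CLIENT-CERT constraint. */
    enum Outcome { ALREADY_AUTHENTICATED, RENEGOTIATE, POST_HANDSHAKE_AUTH, FAIL_NO_PHA }

    /**
     * Apply a CLIENT-CERT constraint after the initial handshake has completed
     * without client authentication, as in the TCK test.
     *
     * @param negotiatedProtocol  value of SSLSession.getProtocol(), e.g. "TLSv1.2"
     * @param clientCertPresented true if the initial handshake already produced a cert
     * @param serverSupportsPha   assumption: whether this JRE/container can trigger
     *                            TLS 1.3 post-handshake authentication
     */
    static Outcome applyClientCertConstraint(String negotiatedProtocol,
                                             boolean clientCertPresented,
                                             boolean serverSupportsPha) {
        if (clientCertPresented) {
            return Outcome.ALREADY_AUTHENTICATED;
        }
        if (isTls13OrLater(negotiatedProtocol)) {
            // TLS 1.3 removed renegotiation; the only way to ask for a certificate
            // after the handshake is post-handshake authentication (PHA).
            return serverSupportsPha ? Outcome.POST_HANDSHAKE_AUTH : Outcome.FAIL_NO_PHA;
        }
        // TLS <= 1.2: the server can renegotiate and send a CertificateRequest.
        return Outcome.RENEGOTIATE;
    }

    /** True for "TLSv1.3" and any later "TLSv1.N" name; false for everything else. */
    static boolean isTls13OrLater(String protocol) {
        if (protocol == null || !protocol.startsWith("TLSv1.")) {
            return false;
        }
        try {
            return Integer.parseInt(protocol.substring("TLSv1.".length())) >= 3;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * The proposed rule: on a JRE that offers TLS 1.3+ but cannot do PHA,
     * restrict the server to TLS <= 1.2 even if that is not the default.
     */
    static String[] chooseServerProtocols(String[] supported, boolean serverSupportsPha) {
        List<String> enabled = new ArrayList<>();
        for (String p : supported) {
            if (isTls13OrLater(p) && !serverSupportsPha) {
                continue; // drop TLS 1.3+ so renegotiation remains available
            }
            enabled.add(p);
        }
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumption for the demo: the JRE cannot trigger PHA (the situation in the thread).
        boolean serverSupportsPha = false;

        // Walk the handshake-then-constraint sequence for both protocol versions.
        for (String proto : new String[] {"TLSv1.2", "TLSv1.3"}) {
            System.out.println(proto + " -> "
                    + applyClientCertConstraint(proto, false, serverSupportsPha));
        }

        // Server-side protocol restriction; port 0 picks a free local port.
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            server.setEnabledProtocols(
                    chooseServerProtocols(server.getSupportedProtocols(), serverSupportsPha));
            server.setWantClientAuth(false); // initial handshake without a client cert
            System.out.println("enabled: " + Arrays.toString(server.getEnabledProtocols()));
        }
    }
}
```

With `serverSupportsPha` false the first loop prints `RENEGOTIATE` for TLSv1.2 and `FAIL_NO_PHA` for TLSv1.3, which is the failure the test exposes; the enabled-protocol list printed afterwards no longer contains TLSv1.3. Note that restricting the server this way only helps when the connection is HTTP/1.1: as the message says, HTTP/2 forbids renegotiation regardless of TLS version.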


On 03/03/2021 15:29, arjan tijms wrote:
Hi,

On Wed, Mar 3, 2021 at 4:04 PM Steve Millidge (Payara) <steve.millidge@xxxxxxxxxxx> wrote:

    I doubt anybody has written any code for TLS13 in GlassFish?


I think it would switch to TLSv1.3 automatically and transparently.

I have to check again, but I'm pretty sure Payara when I worked on it in mid 2019 switched to TLSv1.3 on JDK 11. That's why I added this switch here: https://github.com/javaee-samples/javaee7-samples/blob/master/servlet/security-clientcert/src/test/java/org/javaee7/servlet/security/clientcert/SecureServletTest.java#L107

Kind regards,
Arjan Tijms



    Steve

    *From:* jakartaee-platform-dev <jakartaee-platform-dev-bounces@xxxxxxxxxxx> *On Behalf Of* arjan tijms
    *Sent:* 03 March 2021 10:23
    *To:* servlet developer discussions <servlet-dev@xxxxxxxxxxx>
    *Cc:* glassfish developer discussions <glassfish-dev@xxxxxxxxxxx>; jakartaee-platform developer discussions <jakartaee-platform-dev@xxxxxxxxxxx>
    *Subject:* Re: [jakartaee-platform-dev] [servlet-dev] Help please -- Servlet TCK test issue

    Hi,

    On Wed, Mar 3, 2021 at 10:15 AM Stuart Douglas <sdouglas@xxxxxxxxxx> wrote:

            I don't think the TCK should limit the client to TLS <=1.2.
            I think the server should do that if it can't support TLS 1.3 with
            post-handshake authentication.

        Maybe just change the TCK to limit the client for that test to TLS 1.2.

    That's what I did a few years ago to make client-cert work in
    practice, just setting the client to TLS 1.2 via:

    System.setProperty("jdk.tls.client.protocols", "TLSv1.2");

    Interestingly, debugging GlassFish 6.1.0-SNAPSHOT today, it
    responded with TLSv1.2 as the only server protocol:

    javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.303 CET|ServerHello.java:871|Consuming ServerHello handshake message (
    "ServerHello": {
       "server version"      : "TLSv1.2",
       "random"              : "A1 BB 8C 0B 12 A1 C8 DC F5 54 43 86 5C 0F AA 9C 6E 23 DE CE CC 8D A9 9F B4 58 70 6D 15 D5 AA 0A",
       "session id"          : "26 E3 0A F0 C7 72 3A C4 65 2D A9 8C D4 B6 49 F6 1D EF E1 84 B2 08 6C 75 FD 0E B6 09 16 98 15 03",
       "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
       "compression methods" : "00",
       "extensions"          : [
         "extended_master_secret (23)": {
           <empty>
         },
         "renegotiation_info (65,281)": {
           "renegotiated connection": [53 FA 52 AF B1 F6 7A 53 7C 4D 32 D5 7A C2 61 EC 1F EB 88 42 4A C5 E2 BE]
         }
       ]
    }

    __ __

    TLSv1.2 is then negotiated, and GlassFish responds with its usual
    request for a certificate:

    javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:671|Consuming CertificateRequest handshake message (
    "CertificateRequest": {
       "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
       "supported signature algorithms": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
       "certificate authorities": [CN=localhost-instance, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA, CN=localhost, OU=GlassFish, O=Eclipse.org Foundation Inc, L=Ottawa, ST=Ontario, C=CA]
    }
    )
    javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
    javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp256r1_sha256
    javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
    javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.309 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp384r1_sha384
    javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.309 CET|X509Authentication.java:213|No X.509 cert selected for EC
    javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.310 CET|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp512r1_sha512
    javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.310 CET|X509Authentication.java:213|No X.509 cert selected for RSA
    [...]
    javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312 CET|X509Authentication.java:213|No X.509 cert selected for RSA
    javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha1
    javax.net.ssl|ALL|01|main|2021-03-03 10:47:06.312 CET|X509Authentication.java:213|No X.509 cert selected for DSA
    javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha1
    javax.net.ssl|WARNING|01|main|2021-03-03 10:47:06.312 CET|CertificateRequest.java:774|No available authentication scheme
    javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
    <empty>
    )
    javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
    javax.net.ssl|DEBUG|01|main|2021-03-03 10:47:06.312 CET|CertificateMessage.java:321|Produced client Certificate handshake message (
    "Certificates": <empty list>
    )

    This then obviously fails. I'm not sure why GlassFish responds with
    TLSv1.2 only now, but might be some setting in its HTTPS connector
    config. The full (formatted) start command for GlassFish was:

      /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java
         -cp glassfish/modules/glassfish.jar
         -XX:+UnlockDiagnosticVMOptions
         -XX:NewRatio=2
         -Xmx512m
         -Xbootclasspath/a:glassfish/lib/grizzly-npn-api.jar
         -Xbootclasspath/a:glassfish/lib/resolver.jar
         --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED
         --add-opens=java.base/sun.net.www.protocol.jrt=ALL-UNNAMED
         --add-opens=java.base/java.lang=ALL-UNNAMED
         --add-opens=java.base/java.util=ALL-UNNAMED
         --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
         -javaagent:glassfish/lib/monitor/flashlight-agent.jar
         -Djava.awt.headless=true
         -Djdk.corba.allowOutputStreamSubclass=true
         -Djdk.tls.rejectClientInitiatedRenegotiation=true
         -Djavax.net.ssl.keyStore=/glassfish/domains/domain1/config/keystore.jks
         -Djavax.net.ssl.trustStore=/glassfish/domains/domain1/config/cacerts.jks
         -Djava.security.policy=/glassfish/domains/domain1/config/server.policy
         -Djava.security.auth.login.config=/glassfish/domains/domain1/config/login.conf
         -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
         -Djavax.xml.accessExternalSchema=all
         -Djdbc.drivers=org.apache.derby.jdbc.ClientDriver
         -DANTLR_USE_DIRECT_CLASS_LOADING=true
         -Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory
         -Dorg.glassfish.additionalOSGiBundlesToStart=org.apache.felix.shell,org.apache.felix.gogo.runtime,org.apache.felix.gogo.shell,org.apache.felix.gogo.command,org.apache.felix.shell.remote,org.apache.felix.fileinstall
         -Dosgi.shell.telnet.port=6666
         -Dosgi.shell.telnet.maxconn=1
         -Dosgi.shell.telnet.ip=127.0.0.1
         -Dgosh.args=--nointeractive
         -Dfelix.fileinstall.dir=/glassfish/modules/autostart/
         -Dfelix.fileinstall.poll=5000 -Dfelix.fileinstall.log.level=2
         -Dfelix.fileinstall.bundles.new.start=true
         -Dfelix.fileinstall.bundles.startTransient=true
         -Dfelix.fileinstall.disableConfigSave=false
         -Dcom.ctc.wstx.returnNullForDefaultNamespace=true
         -Dcom.sun.aas.instanceRoot=/glassfish/domains/domain1
         -Dcom.sun.aas.installRoot=/glassfish
         -Djava.library.path=/glassfish/lib:/Library/Java/Extensions:/Network/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java:/ee9-tck/servlet/security-clientcert

          com.sun.enterprise.glassfish.bootstrap.ASMain

          -upgrade false
          -domaindir /glassfish/domains/domain1 \
          -read-stdin true
          -asadmin-args --host,,,localhost,,,--port,,,4848,,,--secure=false,,,--terse=true,,,--echo=false,,,--interactive=false,,,start-domain,,,--verbose=false,,,--watchdog=false,,,--debug=false,,,--domaindir,,,glassfish/domains,,,domain1
          -domainname domain1
          -instancename server -type DAS -verbose false
          -asadmin-classpath /glassfish/modules/admin-cli.jar
          -debug false
          -asadmin-classname com.sun.enterprise.admin.cli.AdminMain


    Kind regards,
    Arjan Tijms



_______________________________________________
servlet-dev mailing list
servlet-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev
