The bug seems to be in the JSSE package. I could solve it by changing the method JSSE14Support.handshake() from:

    protected void handShake() throws IOException {
        if( ssl.getWantClientAuth() ) {
            logger.debug("No client cert sent for want");
        } else {
            ssl.setNeedClientAuth(true);
        }
        synchronousHandshake(ssl);
    }

to:

    protected void handShake() throws IOException {
        if( ssl.getNeedClientAuth() ) {
            logger.debug("No client cert sent for want");
        } else {
            ssl.setWantClientAuth(true);
        }
        synchronousHandshake(ssl);
    }

This way in the above scenario wantClientAuth is set to true. So the SSLSocket would also accept connections without client certificates, but the SSLAuthenticator will then display an error page.
Comment 3 Armin H 2007-01-30 04:09:42 EST
Does this patch introduce a logical change for applications and therefore need an RFE?
Hi,
The only way to present a useful error page is to establish a socket. JSSE
won't let the socket happen if there's a problem with a client cert. In my mind
the only way to provide a useful error page would be for Tomcat to only ever
use "setWantClientAuth" (which isn't even available pre Java 1.4!), and to draw
an HTML error page for all requests if "need=true" is set in Tomcat's own config.
It's nicer to just leave all this stuff up to JSSE and not worry about it. By
circumventing JSSE's "no socket for you" security, Tomcat risks making itself
insecure, even though a helpful error page would be *really* handy!
Workaround: set your own SSL config in Tomcat to "WANT" instead of "NEED" (in
server.xml) and set up your own ServletFilter on "/*" that draws a nice error
page if no client cert is provided.
<Connector
    port="8443" minProcessors="5" maxProcessors="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    sslProtocol="TLS"
    clientAuth="want"
/>
<!-- setting clientAuth="want" like this solves it -->
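The filter half of the workaround above, as an added example that is not code from the thread or from Tomcat: with clientAuth="want" the handshake succeeds without a client certificate, so the filter checks the standard javax.servlet.request.X509Certificate request attribute and answers with an HTML error page when it is absent. The class name is my own choice; the attribute name is the one defined by the Servlet specification.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; map it to url-pattern "/*" in web.xml.
public class ClientCertRequiredFilter implements Filter {

    // Tomcat stores the verified client certificate chain under this
    // request attribute (defined by the Servlet spec); it is null when the
    // client sent no certificate during the handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // No client certificate: the socket exists (clientAuth="want"),
            // so we can refuse the request with a readable page instead of
            // the bare handshake failure the browser would show for "need".
            HttpServletResponse resp = (HttpServletResponse) res;
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            resp.setContentType("text/html");
            PrintWriter out = resp.getWriter();
            out.println("<html><body><h1>Client certificate required</h1>"
                    + "<p>This site requires a valid client certificate. "
                    + "Install one in your browser and reload.</p></body></html>");
            out.flush();
            return;
        }
        // A trusted certificate was presented: let the request through.
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

This only covers the no-certificate case; a certificate that is presented but not trusted is still rejected by JSSE during the handshake, before any servlet runs.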