ID | Category | Severity | Reproducibility | Date Submitted | Last Update
0001185 | [Resin] | minor | always | 06-06-06 11:45 | 07-10-06 08:17
Reporter | mattp | View Status | public
Assigned To | ferg
Priority | normal | Resolution | fixed | Platform | Intel
Status | closed | OS | Windows
Projection | none | OS Version | XP SP2
ETA | none | Fixed in Version | 3.0.20 | Product Version | 3.0.14
Product Build | Pro
Summary | 0001185: Client certs handled differently in ISAPI vs. OpenSSL
Description

From the Servlet 2.4 spec: "If there is an SSL certificate associated with the request, it must be exposed by the servlet container to the servlet programmer as an array of objects of type java.security.cert.X509Certificate and accessible via a ServletRequest attribute of javax.servlet.request.X509Certificate. The order of this array is defined as being in ascending order of trust. The first certificate in the chain is the one set by the client, the next is the one used to authenticate the first, and so on."

When using IIS to terminate SSL and pass the request to Resin through the ISAPI plugin, a client certificate is passed, as expected, in the [0] element of an array in the javax.servlet.request.X509Certificate attribute. When using OpenSSL and the Resin HTTP server, however, the first element is another array of type java.security.cert.X509Certificate. That is, to get the client certificate, you have to get [0][0] from the request attribute, not [0].

Steps To Reproduce

Set up Resin-pro-3.0.14 using ISAPI with IIS and with OpenSSL. Configure both stacks to accept client certificates. Install a client certificate in your browser and connect to your server using SSL. Create a JSP page (or whatever) that can show you the contents of the request attributes. A JSP fragment like below will work:

    <c:forEach var="item" items="${requestScope}">
      <tr>
        <td>${item.key}</td><td>${item.value}</td>
      </tr>
      <c:if test="${item.key == 'javax.servlet.request.X509Certificate' && fn:length(item.value) > 0}">
        <c:forEach var="cert" items="${item.value}" varStatus="status">
          <tr>
            <c:if test="${status.index == 0}">
              <td rowspan="${fn:length(item.value)}">Sub Certs:</td>
            </c:if>
            <td>${cert}</td>
          </tr>
        </c:forEach>
      </c:if>
    </c:forEach>

Access this page through IIS and through Resin/OpenSSL and compare the results.

Additional Information

Through IIS:

    javax.servlet.request.X509Certificate =
    [
    [
      Version: V3
      Subject: EMAILADDRESS=mattp@lokitech.com, EMAILADDRESS=mpangaro@lokitech.com, CN=Thawte Freemail Member
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      Key: Sun RSA public key, 2048 bits
      public exponent: 65537
      Validity: [From: Sat Oct 08 15:12:05 EDT 2005, To: Sun Oct 08 15:12:05 EDT 2006]
      Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
      SerialNumber: [ 0f9ddb]
    Certificate Extensions: 2
    [1]: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    [RFC822Name: mpangaro@lokitech.com, RFC822Name: mattp@lokitech.com]]
    [2]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    ]
    ]
      Algorithm: [MD5withRSA]
    ]

Through OpenSSL:

    javax.servlet.request.X509Certificate = [Ljava.security.cert.X509Certificate;@9faafc

And the [0] element of that array =

    [
    [
      Version: V3
      Subject: EMAILADDRESS=mattp@lokitech.com, EMAILADDRESS=mpangaro@lokitech.com, CN=Thawte Freemail Member
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      Key: Sun RSA public key, 2048 bits
      public exponent: 65537
      Validity: [From: Sat Oct 08 15:12:05 EDT 2005, To: Sun Oct 08 15:12:05 EDT 2006]
      Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
      SerialNumber: [ 0f9ddb]
    Certificate Extensions: 2
    [1]: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    [RFC822Name: mpangaro@lokitech.com, RFC822Name: mattp@lokitech.com]]
    [2]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    ]
    ]
      Algorithm: [MD5withRSA]
    ]
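
For application code that authenticates on the client certificate and has to run behind both front ends on an affected version, one defensive way to read the attribute is sketched here as an added example; it is not Resin's code or the reporter's. The names ClientCertChain, normalize and checked are hypothetical, and the bare-certificate branch goes beyond the shapes the report describes.

```java
import java.security.cert.X509Certificate;

/** Added example; ClientCertChain, normalize and checked are hypothetical names. */
public final class ClientCertChain {
    /** Request attribute name defined by the Servlet 2.4 spec. */
    public static final String ATTR = "javax.servlet.request.X509Certificate";

    private ClientCertChain() {}

    /**
     * Usage in a servlet or filter:
     *   X509Certificate[] chain = ClientCertChain.normalize(request.getAttribute(ClientCertChain.ATTR));
     * Returns the chain with the client certificate at [0], or null when no
     * client certificate was presented. Any other shape throws (fail closed).
     */
    public static X509Certificate[] normalize(Object attr) {
        if (attr == null) return null;
        if (attr instanceof X509Certificate) {         // bare certificate (assumption, not in the report)
            return new X509Certificate[] {(X509Certificate) attr};
        }
        if (attr instanceof X509Certificate[]) {       // flat array required by the spec
            return checked((X509Certificate[]) attr);
        }
        if (attr instanceof Object[]) {                // chain wrapped in an outer array, per the report
            Object[] outer = (Object[]) attr;
            if (outer.length == 1 && outer[0] instanceof X509Certificate[]) {
                return checked((X509Certificate[]) outer[0]);
            }
        }
        throw new IllegalStateException("unexpected " + ATTR + " value: " + attr.getClass().getName());
    }

    private static X509Certificate[] checked(X509Certificate[] chain) {
        if (chain.length == 0) return null;
        if (chain[0] == null) throw new IllegalStateException("client certificate slot is null");
        return chain;
    }

    public static void main(String[] args) {
        // Constructed inputs: container shapes only, no real certificates.
        System.out.println(normalize(null));                          // no client certificate
        System.out.println(normalize(new X509Certificate[][] {{}}));  // nested wrapper, empty chain
        try {
            normalize("not a chain");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Callers should treat a null return as "no client certificate" and deny access where one is required, rather than indexing into the raw attribute.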

Notes

(0001268) mattp 06-06-06 12:36
I just verified that this behavior is the same with the latest snapshot and OpenSSL 0.9.8b.