Client certificate authentication issue in Tomcat in 7.0.100+
We have client certificate authentication in our project. However, for some reason after the 7.0.100 Tomcat release nothing seems to work. We get either a 400 HTTP response or the certificate header is empty (if we set rejectIllegalHeader="false") when we proxy to the application through nginx.
Example (header value), name - ssl_client_cert:
"-----BEGIN CERTIFICATE-----\x0A\x09MIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQ...
\x0A\x09-----END CERTIFICATE-----"
Or ssl_client_raw_cert:
"-----BEGIN CERTIFICATE-----\x0AMIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQsw ...
y2EmDsw=\x0A-----END CERTIFICATE-----\x0A"
I guess here is the commit to blame:
https://github.com/apache/tomcat/commit/ae8c82eff96990878e79691819ae941538ee62fd#diff-d4454b2c33deae44a2c2f5cd354aa3ca70c6a268e78c4fd5e1f76fcebc0181ba
Prior to the 7.0.100 release everything worked fine.
To bypass that we use ssl_client_escaped_cert instead:
"-----BEGIN%20CERTIFICATE-----%0AMIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9 ...
qgt0Tzy2EmDsw%3D%0A-----END%20CERTIFICATE-----%0A"
Now we have to unescape it manually in Java code:
String certificateInfo = URLDecoder.decode(request.getHeader(headerName), "UTF-8");
Is there a way we can make Tomcat accept a non-escaped certificate in version 7.0.100 and higher?
No, there is no way you can configure Tomcat to allow an HTTP header value that contains 0x0A. Those changes were made in response to CVE-2020-1935.
As an aside, I assume Nginx is performing the client authentication and passing the validated client certificate to Tomcat.
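The workaround the question settles on (forward $ssl_client_escaped_cert and decode it in Java) together with the answer's aside (nginx does the verification), carried through as an added example that is not code from the question, the answer or Tomcat: a servlet filter that percent-decodes the header, parses the PEM and publishes the certificate under the same request attribute the application would have read if Tomcat had terminated TLS itself. The header names X-SSL-Client-Cert and X-SSL-Client-Verify and the class name are assumptions; $ssl_client_escaped_cert and $ssl_client_verify are real nginx variables.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical filter (added example, not from the question or from Tomcat).
 * Assumed nginx side, with the header names being assumptions:
 *   ssl_verify_client on;
 *   proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
 *   proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;
 * proxy_set_header replaces any same-named header a client sends, so the values
 * can be trusted as long as Tomcat is reachable only through nginx.
 */
public class ProxiedClientCertFilter implements Filter {

    static final String VERIFY_HEADER = "X-SSL-Client-Verify"; // assumption
    static final String CERT_HEADER = "X-SSL-Client-Cert";     // assumption

    /*
     * Decode $ssl_client_escaped_cert and parse the resulting PEM. In the sample
     * header above the newline that Tomcat 7.0.100+ rejects arrives as %0A, the
     * space in "BEGIN CERTIFICATE" as %20 and base64 padding as %3D; nginx's
     * URI-component escaping also encodes base64's '+' and '/', so no literal '+'
     * reaches URLDecoder and its '+' -> ' ' rule cannot corrupt the body.
     */
    static X509Certificate parseEscapedPem(String escaped) throws CertificateException {
        String pem;
        try {
            pem = URLDecoder.decode(escaped, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
        if (!pem.startsWith("-----BEGIN CERTIFICATE-----")) {
            throw new CertificateException("header does not carry a PEM certificate");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only trust the certificate when nginx itself reports that it verified it
        // ($ssl_client_verify is "SUCCESS", "FAILED:<reason>" or "NONE").
        if ("SUCCESS".equals(request.getHeader(VERIFY_HEADER))) {
            String escaped = request.getHeader(CERT_HEADER);
            if (escaped == null || escaped.isEmpty()) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "client verified by proxy but no certificate forwarded");
                return;
            }
            try {
                X509Certificate cert = parseEscapedPem(escaped);
                cert.checkValidity(); // nginx validated the chain; re-check the validity window here
                // Same attribute Tomcat sets after its own TLS handshake, so existing
                // code that reads it keeps working unchanged behind the proxy.
                request.setAttribute("javax.servlet.request.X509Certificate",
                        new X509Certificate[] { cert });
            } catch (CertificateException e) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "unparseable client certificate header");
                return;
            }
        }
        // No verified certificate: let the application's own authentication decide.
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Register the filter in web.xml ahead of the application's authentication filters. The one thing this code cannot check is that the headers really came from nginx: bind Tomcat's connector to localhost or an internal interface, because a client that can reach Tomcat directly could send its own X-SSL-Client-Verify: SUCCESS.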