Verify client certificate CN in Tomcat(APR)

Posted by Petter on Server Fault See other posts from Server Fault or by Petter
Published on 2013-04-18T15:29:52Z Indexed on 2013/07/03 17:09 UTC
Read the original article Hit count: 369

Filed under:
|
|
|

I'm running a tomcat installation with the APR libraries installed (with the OpenSSL HTTPS stack that comes with it).

What I'm trying to do is to lock a specific HTTPS connector down to users of a specific certificate. Adding client certificate verification is no issue, but I can't get it to validate against a specific Common name only.

I was perhaps a bit naïve and thought the mod_ssl attribute SSLRequire typically used in Apache Httpd would work, but that property is not recognized by the Tomcat implementation. (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support points to some mod_ssl docs, but the Tomcat implementation does not seem to cover all aspects of mod_ssl).

I can get this to work by using the Java version of the connector instead of APR (losing some performance) and just add a trust store with that one certificate in it. However, using openssl without the SSLRequire expressions, I'm not sure how to do this with Tomcat7 (on Windows if that matters).

<Connector
   protocol="HTTP/1.1"
   port="443" maxThreads="150"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="mycert.pem"
   SSLCertificateKeyFile="privkey.pem"
   SSLCACertificateFile="CABundle.pem"
   SSLVerifyClient="require" SSLProtocol="TLSv1" SSLRequire="(%{SSL_CLIENT_S_DN_CN} eq &quot;host.example.com&quot;)"/>

Can you suggest a way to make this work using Tomcat/APR/OpenSSL?

© Server Fault or respective owner

Related posts about ssl

Related posts about tomcat