Verify client certificate CN in Tomcat(APR)
Posted
by
Petter
on Server Fault
See other posts from Server Fault
or by Petter
Published on 2013-04-18T15:29:52Z
Indexed on
2013/07/03
17:09 UTC
Read the original article
Hit count: 369
I'm running a tomcat installation with the APR libraries installed (with the OpenSSL HTTPS stack that comes with it).
What I'm trying to do is to lock a specific HTTPS connector down to users of a specific certificate. Adding client certificate verification is no issue, but I can't get it to validate against a specific Common name only.
I was perhaps a bit naïve and thought the mod_ssl attribute SSLRequire
typically used in Apache Httpd would work, but that property is not recognized by the Tomcat implementation. (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support points to some mod_ssl docs, but the Tomcat implementation does not seem to cover all aspects of mod_ssl).
I can get this to work by using the Java version of the connector instead of APR (losing some performance) and just add a trust store with that one certificate in it. However, using openssl without the SSLRequire expressions, I'm not sure how to do this with Tomcat7 (on Windows if that matters).
<Connector
protocol="HTTP/1.1"
port="443" maxThreads="150"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="mycert.pem"
SSLCertificateKeyFile="privkey.pem"
SSLCACertificateFile="CABundle.pem"
SSLVerifyClient="require" SSLProtocol="TLSv1" SSLRequire="(%{SSL_CLIENT_S_DN_CN} eq "host.example.com")"/>
Can you suggest a way to make this work using Tomcat/APR/OpenSSL?
© Server Fault or respective owner