[Pki-devel] SSL handshake problem

Nathan Kinder nkinder at redhat.com
Fri Aug 17 21:07:36 UTC 2012 

Adding Elio to the thread in case he has any thoughts on this...

On 08/16/2012 11:49 AM, Endi Sukma Dewata wrote:
> Hi,
>
> I'm having a problem running a CLI operation on Dogtag 10 which seems 
> to be caused by SSL handshake issue. Here are the steps to reproduce:
>
> 1. Get the latest Dogtag 10 source code.
> 2. Apply the attached pki-certrequest.patch.
> 3. Get the pki-dev tools (see http://pki.fedoraproject.org/wiki/Testing).
> 4. Execute these commands in pki-dev/scripts to build and install CA:
>
>  % ./theme-build.sh
>  % ./theme-install.sh
>  % ./core-build.sh
>  % ./core-install.sh
>  % ./ds-create.sh
>  % ./ca-create.sh
>
> 5. Then execute these test commands in pki-dev/scripts:
>
>  % ./cert-request-submit.sh cert-request.xml (note the Request ID)
>  % ./cert-request-review.sh <Request ID> review.xml
>  % ./cert-request-approve.sh review.xml
>
> Both review and approve operations are done via SSL and they require 
> client certificate authentication. However, the review works, but the 
> approve operation fails with HTTP code 401 (Unauthorized). This is 
> because the review is a GET operation which doesn't send any data, but 
> the approve is a POST operation which sends a relatively large data.
>
> These commands use Apache HTTP Client library which has a parameter 
> called MIN_CHUNK_LIMIT (see 
> http://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/params/CoreConnectionPNames.html). 
> The parameter is set to 512 bytes by default, so any request longer 
> than that (such as the approve request) may be sent in multiple chunks.
>
> It seems that the current Tomcat JSS doesn't properly handle a request 
> sent in multiple chunks. Currently the JSSSocketFactory.handshake() is 
> not doing the handshake. The initial handshake is actually done when 
> the server starts reading the data stream, without asking for the 
> client certificate. Then when the server needs to get the client 
> certificate it will do an SSL renegotiation in 
> JSSSupport.getPeerCertificateChain(). For some reason the 
> renegotiation fails if the request is sent in multiple chunks.
>
> One possible solution is to fix either Tomcat JSS, JSS, or NSS to 
> handle multiple request chunks properly. We'll need an expert in this 
> area to investigate and fix it.
>
> Another solution is to raise the MIN_CHUNK_LIMIT on the client, but 
> there's a hard limit of 8 KB and there might be 3rd party clients 
> which we can't control.
>
> Another possibility is we might be able to remove the requirement for 
> renegotiation (still to be confirmed). Originally the renegotiation is 
> needed to access some pages in Dogtag Web UI so it will prompt for 
> client certificate. In Dogtag 10 we're doing some reorganization so 
> renegotiation might not be needed anymore. In general unprotected UI 
> pages would be accessed via unsecured port, but when the user tries to 
> access a protected page he will be redirected to a secured port. Here 
> the client certificate will be asked during the initial negotiation. 
> Since there is no unauthenticated SSL connection, there is no need for 
> renegotiation.
>
> Assuming we don't need renegotiation anymore, I attached a patch for 
> Tomcat JSS (tomcatjss-handshake.patch) to do the initial negotiation 
> in JSSSocketFactory.handshake() that will also ask for the client 
> certificate. With this patch the approve operation will work properly. 
> Is this the right solution? Are there other solutions?
>
> Thanks.
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120817/dad281ce/attachment.htm>

More information about the Pki-devel mailing list