Hey - sorry to be so slow in replying.
Not so sure about how tomcat would go about this in detail, but if
Winstone were to do it, it would be limited by whatever limitations the
JSSE components placed on reloading.
My guess (and I really mean guess here, because I have no experience at
all with this), would be that it would be a security risk to allow
reloading of certificates at runtime because you couldn't guarantee the
keystore in memory was the one on disk, so I suspect most
implementations would disallow reloading of the same keystore. They
might however allow loading of additional keystores, so you might be
able to work around the limitation at container level by shutting down
all open SSL sockets, and re-opening the listener with a new keystore
file configured (i.e. with new filename or something).
Note: as I said, I have no experience with this, so I might be
misleading you. I don't really have the time to research it, but if
someone can propose a solution or patch, I'll integrate it.
Thanks,
Rick
Martin Cordova wrote:
> Hi Rick, I am doing some tests with client certificate authentication,
> using Tomcat 6, and a webapp that allows for dynamic enrollment, I
> mean, client can generate his/her PKCS12 keystore via web, and the
> server will add it to the server trustStore, the client will import
> this Keystore into the browser and client_cert will work just fine...
> well, that's what I thought.
>
> The problem is that Tomcat6 cannot reload the KeyStore (as far as I
> know) so this dynamic enrollment scenario cannot work.
>
> My question is: I know that Winstone supports client_cert, what would
> be your suggestion about changing the Winstone code to support
> keystore reloading? Do you think that Winstone's design for this task
> will support this without complex code modifications?
>
> I just can't see how dynamic enrollment and CLIENT_CERT authentication
> can work (via JSSE) if there is no chance to reload keystores. This
> topic has been posted in tomcat list during the last years, without
> receiving an effective solution. I can't afford to restart the server
> every time a new user enrolls himself.
>
> Thanks a lot in advance for any comment.
>
> Regards,
> Martin
>
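As an added illustration of the JSSE-level mechanism discussed above (not code from Rick, Martin, Winstone or Tomcat): a delegating X509TrustManager that re-reads the server trust store from disk when the file's modification time changes, so newly enrolled client certificates become trusted without restarting the listener. It addresses Rick's in-memory versus on-disk concern by building the new trust manager fully before publishing it with a single volatile write, and by keeping the last good store if a reload fails. The trust store path and password are assumptions for the example.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

/** Delegating trust manager that re-reads the trust store when the file on disk changes. */
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path storePath;          // assumed path, e.g. /etc/app/truststore.jks
    private final char[] storePassword;    // assumed password for that store
    private volatile X509TrustManager delegate;
    private volatile FileTime loadedAt;

    public ReloadingTrustManager(Path storePath, char[] storePassword) throws IOException, GeneralSecurityException {
        this.storePath = storePath;
        this.storePassword = storePassword;
        reload();   // fail fast at startup if the store cannot be read at all
    }

    /** Load the store from disk and build a fresh platform trust manager from it. */
    private synchronized void reload() throws IOException, GeneralSecurityException {
        FileTime mtime = Files.getLastModifiedTime(storePath);   // read before the file, so a later write triggers another reload
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(storePath)) {
            ks.load(in, storePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        TrustManager tm = tmf.getTrustManagers()[0];             // SunJSSE returns one X509TrustManager
        if (!(tm instanceof X509TrustManager)) throw new GeneralSecurityException("no X509TrustManager for " + storePath);
        delegate = (X509TrustManager) tm;   // single volatile write: a handshake sees the old or the new store, never a half-built one
        loadedAt = mtime;
    }

    /** Reload only if the file changed; on any failure keep the last good store so trust never silently widens or collapses. */
    private X509TrustManager current() {
        try {
            if (!Files.getLastModifiedTime(storePath).equals(loadedAt)) reload();
        } catch (IOException | GeneralSecurityException e) {
            // keep the previous delegate; a real deployment should log this so a bad store update is noticed
        }
        return delegate;
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { current().checkClientTrusted(chain, authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { current().checkServerTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return current().getAcceptedIssuers(); }
}
```

It is wired in by passing `new TrustManager[]{ new ReloadingTrustManager(path, password) }` to `SSLContext.init` and handing that context's server socket factory to the HTTPS listener; whether Tomcat 6 or Winstone lets you supply your own SSLContext rather than only a keystore file name is a container question this thread leaves open.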