
We have client certificate authentication in our project.

However, for some reason, after the 100th Tomcat release nothing seems to work.

We get either a 400 HTTP response or an empty certificate header (if we set rejectIllegalHeader="false") when we proxy to the application through nginx.

Example header value (name: ssl_client_cert):

"-----BEGIN CERTIFICATE-----\x0A\x09MIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQ...
\x0A\x09-----END CERTIFICATE-----"

Or ssl_client_raw_cert:

"-----BEGIN CERTIFICATE-----\x0AMIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBHMQsw ...
y2EmDsw=\x0A-----END CERTIFICATE-----\x0A"

I guess this is the commit to blame:

https://github.com/apache/tomcat/commit/ae8c82eff96990878e79691819ae941538ee62fd#diff-d4454b2c33deae44a2c2f5cd354aa3ca70c6a268e78c4fd5e1f76fcebc0181ba

Prior to the 100th release everything worked fine.

To bypass that we use ssl_client_escaped_cert instead.

"-----BEGIN%20CERTIFICATE-----%0AMIIFXDCCA0SgAwIBAgIBBDANBgkqhkiG9 ...
qgt0Tzy2EmDsw%3D%0A-----END%20CERTIFICATE-----%0A"

Now we have to unescape it manually in Java code:

 // Undo the percent-encoding applied by $ssl_client_escaped_cert
 String certificateInfo = URLDecoder.decode(request.getHeader(headerName), "UTF-8");

Is there a way we can make Tomcat accept a non-escaped certificate in the 100th version and higher?


No, there is no way you can configure Tomcat to allow an HTTP header value that contains 0x0A. Those changes were made in response to CVE-2020-1935.

As an aside, I assume Nginx is performing the client authentication and passing the validated client certificate to Tomcat.

  • Thanks a lot, at least now we know that we have to modify our code
    – Joe D
    Commented Nov 22, 2020 at 14:36
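The decode step from the question, carried through to a parsed certificate, as an added example that is not code from the question, the answer or Tomcat. It reads the header Nginx sets with `proxy_set_header X-Client-Cert $ssl_client_escaped_cert;` (the header name X-Client-Cert is an assumption), percent-decodes it, checks that exactly one PEM block came back, and hands it to CertificateFactory. It assumes Nginx encodes '+' as %2B in $ssl_client_escaped_cert (its component-style escaping does), so URLDecoder's '+' to space rule cannot corrupt the base64.

```java
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Rebuilds the X509Certificate that Nginx forwarded as a percent-encoded PEM
 * (proxy_set_header X-Client-Cert $ssl_client_escaped_cert;). Header name is assumed.
 * Nginx must be the only source of this header: strip any copy the client sends.
 */
public final class EscapedClientCert {

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    private EscapedClientCert() {}

    /** Returns null when no certificate was forwarded (header absent or empty). */
    public static X509Certificate parse(String headerValue) throws CertificateException {
        if (headerValue == null || headerValue.trim().isEmpty()) {
            return null; // client presented no certificate; treat as unauthenticated
        }
        String pem;
        try {
            // %0A becomes the newline Tomcat rejects in raw headers, %20 the space
            // in "BEGIN CERTIFICATE", %3D the base64 padding; '+' arrives as %2B
            pem = URLDecoder.decode(headerValue, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always supported", e);
        }
        // Accept exactly one PEM block: no leading junk, no trailing second certificate
        if (!pem.startsWith(BEGIN) || !pem.trim().endsWith(END)
                || pem.indexOf(BEGIN, BEGIN.length()) != -1) {
            throw new CertificateException("header does not contain exactly one PEM certificate");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // CertificateFactory accepts PEM framing and validates the ASN.1 structure
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }
}
```

Call `EscapedClientCert.parse(request.getHeader("X-Client-Cert"))` where the question's one-liner was; a null result means no certificate reached the application, and a CertificateException means the header was not a single well-formed certificate.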
