Nuxeo Platform, NXP-30202

Implement an SSLValve to use/parse the new nginx header ssl_client_escaped_cert

      Description

      Context:

      Nuxeo 10.10-HF23 introduces Tomcat 9.0.31, which breaks tls_client_auth in Nuxeo applications because of the issue described here: https://stackoverflow.com/questions/64911070/clients-certificate-authentication-issue-in-tomcat-in-7-0-100.

      In a nutshell, Tomcat 9.0.30+ no longer accepts the ssl_client_cert header as nginx emits it, now that "strict header value parsing" has been implemented to resolve a CVE.

      The following blog post describes the solution one vendor implemented to resolve this problem: https://connect2id.com/products/server/docs/guides/tls-proxy.

      What Nuxeo should do:

      Implement an SSLValve that uses the new nginx header "ssl_client_escaped_cert" (when available), and contribute this code to the Tomcat team, which is generally quite responsive.
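      Below is an added sketch of such a valve, written for this page and not code from Nuxeo, Tomcat or the connect2id guide. It assumes nginx is configured with `proxy_set_header ssl_client_escaped_cert $ssl_client_escaped_cert;` so that the header carries the PEM certificate percent-encoded on a single line (no line folding, which is what strict header parsing rejects in the old $ssl_client_cert form), and it assumes the Tomcat 9 Valve API (ValveBase, Request, Response, Globals.CERTIFICATES_ATTR). The class and package names are hypothetical; a deliberately strict percent-decoder is used instead of java.net.URLDecoder so that a literal '+' (a legitimate base64 character) is never turned into a space.

```java
package org.example.valves; // hypothetical package, added for this example

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;

import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Reads the client certificate forwarded by nginx in the
 * $ssl_client_escaped_cert variable (PEM, percent-encoded, one line) and
 * exposes it to the web application as javax.servlet.request.X509Certificate.
 *
 * Assumed nginx side (not part of this ticket):
 *   ssl_verify_client optional;
 *   proxy_set_header ssl_client_escaped_cert $ssl_client_escaped_cert;
 * Because proxy_set_header replaces any client-supplied header of the same
 * name (and drops it when the variable is empty), a caller cannot inject a
 * certificate of its own, provided Tomcat is only reachable through nginx.
 */
public class EscapedCertSSLValve extends ValveBase {

    private String sslClientEscapedCertHeader = "ssl_client_escaped_cert";

    public EscapedCertSSLValve() {
        super(true); // async requests are supported, the valve only reads a header
    }

    public String getSslClientEscapedCertHeader() { return sslClientEscapedCertHeader; }

    public void setSslClientEscapedCertHeader(String name) { this.sslClientEscapedCertHeader = name; }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String value = request.getHeader(sslClientEscapedCertHeader);
        if (value != null && !value.trim().isEmpty()) {
            try {
                X509Certificate cert = parseEscapedPem(value);
                request.setAttribute(Globals.CERTIFICATES_ATTR, new X509Certificate[] { cert });
            } catch (CertificateException | IllegalArgumentException e) {
                // Malformed header: leave the attribute unset so downstream
                // authentication treats the request as unauthenticated (fail closed).
                containerLog.warn("Ignoring unparseable " + sslClientEscapedCertHeader + " header", e);
            }
        }
        getNext().invoke(request, response);
    }

    /** Percent-decodes the header value back to PEM and parses it as X.509. */
    static X509Certificate parseEscapedPem(String escaped) throws CertificateException {
        String pem = percentDecode(escaped.trim());
        if (!pem.startsWith("-----BEGIN CERTIFICATE-----")) {
            throw new IllegalArgumentException("header does not contain a PEM certificate");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /**
     * Strict %XX decoder. Unlike URLDecoder it keeps '+' as '+' and rejects
     * truncated or non-hex escapes instead of silently passing them through.
     */
    static String percentDecode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '%') {
                out.append(c);
                continue;
            }
            if (i + 2 >= s.length()) {
                throw new IllegalArgumentException("truncated percent escape at offset " + i);
            }
            int hi = Character.digit(s.charAt(i + 1), 16);
            int lo = Character.digit(s.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("invalid percent escape at offset " + i);
            }
            out.append((char) (hi * 16 + lo));
            i += 2;
        }
        return out.toString();
    }
}
```

      The valve would be declared in the Host or Context element of server.xml like Tomcat's own SSLValve (`<Valve className="org.example.valves.EscapedCertSSLValve"/>`). It deliberately does not trust the header from anywhere but the proxy: if Tomcat's connector is exposed directly, the header must be stripped or the valve disabled, exactly as with the existing ssl_client_cert SSLValve.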

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 2d