Bug 1072310

Summary: HTTPS connector doesn't request certificate despite verify-client="want"
Product: [JBoss] JBoss Enterprise Application Platform 6
Component: Web
Version: 6.3.0
Reporter: FIlip Bogyai <fbogyai>
Assignee: Rémy Maucherat <rmaucher>
QA Contact: FIlip Bogyai <fbogyai>
Docs Contact: Russell Dickenson <rdickens>
CC: dosoudil, jclere, jkudrnac
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Target Milestone: DR6
Target Release: EAP 6.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-28 15:39:00 UTC
Bug Blocks: 1071331

Description FIlip Bogyai 2014-03-04 11:07:44 UTC
The HTTPS web connector can be configured to use 2-way SSL with the attribute "verify-client". According to the documentation: Set to "want" if you want the SSL stack to request a client Certificate, but not fail if one is not presented.

When a user with a valid/invalid certificate tries to connect to an unsecured resource, the certificate should be requested when verify-client="want". But the certificate is requested only if the user tries to connect to a secured resource, which is the same behavior as verify-client="false".

Comment 1 Jean-frederic Clere 2014-03-06 09:13:34 UTC
If you use HttpClient to test, I think you can differentiate want and true: the connector is going to give the certificate via the first steps of the SSL dialogue or through a renegotiation, so apart from timing there is no difference.

Comment 2 FIlip Bogyai 2014-03-06 10:24:06 UTC
I have used a browser (Firefox) to test this behavior. When I use EAP 6.3.0.DR1 (before the JBoss Web upgrade) and try to connect to an unsecured resource on a connector with verify-client="want", the client certificate is requested. If I use EAP 6.3.0.DR2 (with the new JBoss Web 7.4.0.Beta4) and try to connect to an unsecured resource on the same connector, the client certificate is not requested. I see this as a regression.

Reference to documentation: http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Security_Guide/index.html#SSL_Connector_Reference1

Comment 3 Jean-frederic Clere 2014-03-11 10:16:49 UTC
fixed by r2379

Comment 4 Jean-frederic Clere 2014-03-11 10:50:59 UTC
Well, by r2380 in fact.

Comment 5 Jean-frederic Clere 2014-03-17 20:38:05 UTC
It requires a new tag of jbossweb.

Comment 6 Vladimir Dosoudil 2014-04-01 09:09:52 UTC
JBoss Web upgraded to 7.4.0.Final, see BZ#1077643.

Comment 7 FIlip Bogyai 2014-04-01 09:26:34 UTC
Verified on EAP 6.3.0.DR6