pki-bot
commented
4 years ago Comment from edewata (@edewata) at 2012-08-16 22:58:00
attachment pki-certrequest.patch
Open pki-bot opened 4 years ago
pki-bot
commented
4 years ago Comment from edewata (@edewata) at 2012-08-16 22:58:00
attachment pki-certrequest.patch
pki-bot
commented
4 years ago Comment from edewata (@edewata) at 2013-11-22 23:40:07
This is a narrow problem and probably low level too. There's already a workaround, so it can be postponed.
pki-bot
commented
4 years ago Comment from edewata (@edewata) at 2017-02-27 14:08:00
Metadata Update from @edewata:
This issue was migrated from Pagure Issue #300. Originally filed by edewata (@edewata) on 2012-08-16 22:57:36:
Some CLI operations fail due to SSL handshake problem involving multiple request chunks. Here are the steps to reproduce:
Both review and approve operations are done via SSL and they require client certificate authentication. However, the review works, but the approve fails with HTTP code 401 (Unauthorized). This is because the review is a GET operation which doesn't send any data, but the approve is a POST operation which sends a relatively large data.
These commands use Apache HTTP Client library which has a parameter called MIN_CHUNK_LIMIT (see http://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/params/CoreConnectionPNames.html). The parameter is set to 512 bytes by default, so any request longer than that (such as the approve request) may be sent in multiple chunks.
It seems that the server doesn't properly handle a request sent in multiple chunks. Currently in Tomcat JSS the JSSSocketFactory.handshake() is not doing the handshake. The initial handshake is actually done when the server starts reading the data stream in NSS without asking for the client certificate. Then when the server needs to get the client certificate it will do an SSL renegotiation in JSSSupport.getPeerCertificateChain(). For some reason the renegotiation fails if the request is sent in multiple chunks.