- Type: Bug
- Resolution: Done
- Priority: Major
- Fix Version: JWS 3.0.1 DR1
- None
ASF Bug 57931 – NIO connector incorrectly closes connection when client certificate verification fails
Ensure that TLS connections with the NIO or NIO2 HTTP connectors that experience issues during the handshake (e.g. a missing or invalid client certificate) are closed cleanly and that the client receives the correct error code rather than simply having the connection closed.
If Tomcat is set to use TLS and clientAuth="want" or clientAuth="true", it appears the NIO connector closes the connection in response to an untrusted client certificate. This behavior differs from the BIO connector, and violates RFC 5246, which states that a fatal alert must be provided if "some aspect of the cert chain was unacceptable". Closing the connection causes OpenSSL to report an obscure "Unexpected EOF" error, which indicates that the TLS protocol was violated.
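The behaviour the description asks for can be checked from the client side. The Go program below is an added example written for this page, not code from Tomcat, JBoss Web Server or the bug report. It starts two local servers: one built on Go's crypto/tls that requires and verifies client certificates and answers an untrusted one with a fatal alert, as RFC 5246 requires, and a stand-in for the buggy connector that reads the ClientHello and simply drops the connection. `Probe` then dials each with a certificate from an issuer the strict server does not trust, and `Classify` reports whether the client saw an alert or the "unexpected EOF" symptom. All certificates, subject names (demo-server, trusted-client-ca, rogue-client) and addresses are constructed for the demo; `Classify` relies on crypto/tls surfacing a peer alert as a `*net.OpError` whose `Op` is "remote error".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"io"
	"math/big"
	"net"
	"syscall"
	"time"
)

// Outcome is what a client observes when its TLS handshake is rejected.
type Outcome string

const (
	OutcomeOK    Outcome = "handshake completed"
	OutcomeAlert Outcome = "fatal TLS alert received (RFC 5246 behaviour)"
	OutcomeEOF   Outcome = "connection dropped without an alert (unexpected EOF)"
)

// Classify maps a tls.Dial error onto an Outcome: crypto/tls reports a peer alert as a
// *net.OpError with Op "remote error", and a bare close as EOF/ECONNRESET (the bug's symptom).
func Classify(err error) Outcome {
	var op *net.OpError
	switch {
	case err == nil:
		return OutcomeOK
	case errors.As(err, &op) && op.Op == "remote error":
		return OutcomeAlert
	case errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) || errors.Is(err, syscall.ECONNRESET):
		return OutcomeEOF
	}
	return Outcome("other error: " + err.Error())
}

// must panics on error, which is acceptable for demo set-up code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a throwaway in-memory certificate (constructed test material, not a real
// CA) that is valid for 127.0.0.1 and usable for both server and client authentication.
func selfSigned(cn string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serveOnce handles one connection on ln in the background and returns the address to dial.
func serveOnce(ln net.Listener, handle func(net.Conn)) string {
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			handle(c)
		}
	}()
	return ln.Addr().String()
}

// Probe runs one TLS 1.2 handshake against addr, always offering clientCert, and reports the
// server's reaction. TLS 1.2 is pinned so the verdict on the certificate arrives inside the handshake.
func Probe(addr string, clientCert, serverCA tls.Certificate) Outcome {
	roots := x509.NewCertPool()
	roots.AddCert(serverCA.Leaf)
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs: roots, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return &clientCert, nil // offer it even though the server will not trust it
		},
	})
	if err == nil {
		conn.Close()
	}
	return Classify(err)
}

// RunDemo probes a conformant server and a "rude" one with a certificate from an untrusted issuer.
func RunDemo() (strict, rude Outcome) {
	srv, ca, rogue := selfSigned("demo-server"), selfSigned("trusted-client-ca"), selfSigned("rogue-client")
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	// Conformant: Go's crypto/tls sends a fatal alert (unknown_ca or bad_certificate) before
	// failing the handshake, which is what the fixed NIO connector is expected to do.
	strictAddr := serveOnce(must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srv}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert,
	})), func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() })
	// Buggy: swallow the ClientHello and hang up without sending any alert.
	rudeAddr := serveOnce(must(net.Listen("tcp", "127.0.0.1:0")), func(c net.Conn) { _, _ = c.Read(make([]byte, 16<<10)); c.Close() })
	return Probe(strictAddr, rogue, srv), Probe(rudeAddr, rogue, srv)
}
```

Pointed at a real connector port with a deliberately untrusted client certificate (and the server's CA as `serverCA`), the same `Probe` distinguishes a fixed connector, which yields `OutcomeAlert`, from the buggy one, which yields `OutcomeEOF`. TLS 1.2 is pinned on purpose: under TLS 1.3 the server only checks the client certificate after the client's handshake has completed, so the alert would surface on the first read rather than from `tls.Dial`.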
https://bz.apache.org/bugzilla/show_bug.cgi?id=57931
http://svn.apache.org/r1680256