https://bz.apache.org/bugzilla/show_bug.cgi?id=69728
Bug ID: 69728
Summary: TLS with H2 - Weird log - Confusion between optional client certificate and optional verification?
Product: Tomcat 10
Version: 10.1.31
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: bugzi...@gdarmont.fr
Target Milestone: ------

Hey Tomcat team!

Something looks unclear in the TLS client certificate handling in Tomcat.

Our Spring Boot application is configured with HTTP/2 and an optional client certificate, through the Spring Boot property "ssl.clientAuth = WANT". This property is mapped to Tomcat's "CertificateVerification.OPTIONAL".

Our need is quite simple:

* if a new connection presents a TLS client certificate, we need to validate it. If the certificate is valid, the connection is established and the client is authenticated.
* if a new connection does not have a TLS client certificate, the connection is established and the client is anonymous.

Note that everything is working fine. But the problem is that when the application starts, we have this warning log:

"The TLS virtual host [...] is configured for optional certificate verification and the enclosing connector is configured to support upgrade to h2. HTTP/2 over TLS does not permit optional certificate verification."

And this log looks wrong, because we don't ask for optional verification, we ask for optional client certificate presence. If the certificate is present, we do want to validate it.

My understanding is that there are 2 levels of optional -optional certificate and optional verification- sometimes merged into only one.

Am I missing something here?

Guillaume
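For readers who want to reproduce the situation outside Spring Boot, the following is an added Tomcat server.xml fragment (not from the report or the Tomcat project itself) that expresses the same setup the reporter describes: an h2 UpgradeProtocol on a TLS connector whose SSLHostConfig uses certificateVerification="optional", which is the value Spring Boot's WANT client-auth mode maps to. The port, keystore/truststore paths and passwords are placeholders; "optional" on the SSLHostConfig means the server requests a client certificate during the handshake, accepts the connection if none is presented, and rejects the handshake if a presented certificate does not validate against the truststore, which is the "optional presence, mandatory verification" behaviour the reporter wants.

```xml
<!-- Added illustration: TLS connector with h2 upgrade and optional client cert.
     Paths, port and passwords below are placeholders, not values from the report. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150">

    <!-- Enabling h2 on a TLS connector is what makes Tomcat emit the warning
         quoted in the report when combined with certificateVerification="optional". -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

    <!-- "optional": request a client certificate, allow the connection without one,
         but fail the handshake if a presented certificate does not chain to the truststore.
         "required" would refuse any connection without a valid certificate;
         "none" (default) never requests one at the initial handshake. -->
    <SSLHostConfig certificateVerification="optional"
                   truststoreFile="conf/client-ca-truststore.p12"
                   truststorePassword="changeit"
                   truststoreType="PKCS12"
                   protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="conf/server-keystore.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

A quick way to confirm which behaviour a running instance actually has is to connect with `openssl s_client -connect host:8443 -alpn h2` once without a client certificate and once with `-cert`/`-key` pointing at a certificate that is not signed by a CA in the truststore: with "optional" the first connection completes and the second handshake is rejected, while with "none" both complete because no certificate is requested.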