[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

Mark Thomas changed:

      What       |Removed |Added
      Resolution |---     |FIXED
      Status     |NEW     |RESOLVED

--- Comment #6 from Mark Thomas ---
1.1.x is not affected.
1.2.0 to 1.2.7 is affected.

This has been fixed in 1.2.x and will be included in 1.2.8 onwards.

--
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

--- Comment #5 from Mark Thomas ---
I've found the root cause. There were some changes in the build scripts between 1.1.x and 1.2.x that meant OCSP was always enabled. Validation with optionalNoCA always fails if OCSP is enabled.

I plan to commit my fix early next week and start the process to release a new set of Windows binaries for tc-native.
[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

--- Comment #4 from Mark Thomas ---
Whatever is going wrong is going wrong in OpenSSL. Don't know where the root cause is at the moment but the error is:

3648:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:.\ssl\s3_srvr.c:3270:

Which is triggering a full failure rather than allowing the tc-native code to decide what to do.
[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

--- Comment #3 from Mark Thomas ---
Results of further testing:

The following work:
OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.x + OSX client
OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + OSX client
OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.6 + OSX client
OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.6 + Win client

The following fail:
Win + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + Win client
Win + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + OSX client

Assuming there is only a single bug here, the results above rule everything out apart from the OS hosting the Tomcat server. That suggests an OS specific element of one of the native builds is responsible for this change. It is going to take some more work to track this down.
[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

--- Comment #2 from Mark Thomas ---
I'm seeing the issue (or something very like it) with 1.2.7 and Tomcat trunk.

I spent a little time looking at the 1.1.x code vs 1.2.x but don't see any obvious root causes. I plan to do some more investigation today.
[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

Florian Kleedorfer changed:

      What |Removed |Added
      OS   |        |All

--- Comment #1 from Florian Kleedorfer ---
I tried with the latest APR versions available on the website: https://tomcat.apache.org/download-native.cgi

With 1.1.34, our application works; with 1.2.7, I'm experiencing the same issue.