[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4

2016-06-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

Mark Thomas  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #6 from Mark Thomas  ---
1.1.x is not affected.
1.2.0 to 1.2.7 is affected.
This has been fixed in 1.2.x and will be included in 1.2.8 onwards.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4

2016-06-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

--- Comment #5 from Mark Thomas  ---
I've found the root cause. There were some changes in the build scripts between
1.1.x and 1.2.x that meant OCSP was always enabled. Validation with
optionalNoCA always fails if OCSP is enabled.

I plan to commit my fix early next week and start the process to release a new
set of Windows binaries for tc-native.




[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4

2016-06-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

--- Comment #4 from Mark Thomas  ---
Whatever is going wrong is going wrong in OpenSSL. Don't know where the root
cause is at the moment but the error is:
3648:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify
failed:.\ssl\s3_srvr.c:3270:

Which triggers a full failure rather than allowing the tc-native code to
decide what to do.

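The error in comment #4 is in OpenSSL's standard `error:<hex code>:<library>:<function>:<reason>:<file>:<line>:` format, and the eight hex digits pack the library, function and reason numbers that the three text fields are looked up from. The following parser is an added example for reading such lines out of Tomcat or OpenSSL logs; it is not code from the bug report or from tc-native. The sample line is the one quoted in the comment, rejoined onto a single line (the mail client wrapped it); the field layout (8 bits library, 12 bits function, 12 bits reason) is OpenSSL 1.0.x's ERR_PACK layout, and ERR_LIB_SSL being 20 is an OpenSSL constant, while the `is_client_cert_verify_failure` classifier is my own naming.

```python
import re
from typing import NamedTuple, Optional

# Sample log line (constructed from the bug comment, rewrapped onto one line).
# Layout: <pid>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
SAMPLE = (r"3648:error:14089086:SSL routines:ssl3_get_client_certificate:"
          r"certificate verify failed:.\ssl\s3_srvr.c:3270:")

# The file field is matched greedily so a path containing ':' (e.g. C:\...) still
# leaves the trailing ":<line>:" to the line group.
ERR_LINE = re.compile(
    r"^(?:(?P<pid>\d+):)?error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>.+):(?P<line>\d+):?$"
)

ERR_LIB_SSL = 20  # OpenSSL library number for "SSL routines"


class OpenSSLError(NamedTuple):
    pid: Optional[int]   # process/thread id OpenSSL prefixes to ERR_print_errors output
    code: int            # the packed 32-bit error code
    lib_num: int         # bits 24..31 of code
    func_num: int        # bits 12..23 of code
    reason_num: int      # bits 0..11 of code
    lib: str
    func: str
    reason: str
    file: str
    line: int


def parse_openssl_error(text: str) -> OpenSSLError:
    """Parse one OpenSSL error line; raises ValueError if the line has another shape."""
    m = ERR_LINE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL error line: {text!r}")
    code = int(m.group("code"), 16)
    return OpenSSLError(
        pid=int(m.group("pid")) if m.group("pid") else None,
        code=code,
        lib_num=(code >> 24) & 0xFF,      # ERR_GET_LIB
        func_num=(code >> 12) & 0xFFF,    # ERR_GET_FUNC (1.0.x layout)
        reason_num=code & 0xFFF,          # ERR_GET_REASON
        lib=m.group("lib"),
        func=m.group("func"),
        reason=m.group("reason"),
        file=m.group("file"),
        line=int(m.group("line")),
    )


def is_client_cert_verify_failure(err: OpenSSLError) -> bool:
    """True when the server side of the handshake rejected the client's certificate
    chain itself, i.e. the failure happened inside OpenSSL's verification rather
    than being handed to the application's verify logic (the symptom in this bug)."""
    return (err.lib_num == ERR_LIB_SSL
            and "get_client_certificate" in err.func
            and err.reason == "certificate verify failed")


if __name__ == "__main__":
    e = parse_openssl_error(SAMPLE)
    print(f"lib={e.lib_num} ({e.lib}) func={e.func_num} ({e.func}) "
          f"reason={e.reason_num} ({e.reason}) at {e.file}:{e.line}")
    print("client cert verify failure:", is_client_cert_verify_failure(e))
```

Feeding the decoded numbers back to `openssl errstr 14089086` on a matching OpenSSL build gives the same three text fields, which is a quick way to confirm a log line was not truncated or rewrapped before it reached you.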



[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4

2016-06-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

--- Comment #3 from Mark Thomas  ---
Results of further testing:

The following work:
OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.x + OSX client
OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + OSX client
OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.6 + OSX client
OSX + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.6 + Win client

The following fail:
Win + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + Win client
Win + Tomcat 9.0.x + OpenSSL 1.0.2h + APR 1.5.2 + tc-native 1.2.7 + OSX client

Assuming there is only a single bug here, the results above rule everything out
apart from the OS hosting the Tomcat server. That suggests an OS specific
element of one of the native builds is responsible for this change. It is going
to take some more work to track this down.




[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4

2016-06-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

--- Comment #2 from Mark Thomas  ---
I'm seeing the issue (or something very like it) with 1.2.7 and Tomcat trunk. I
spent a little time looking at the 1.1.x code vs 1.2.x but don't see any
obvious root causes. I plan to do some more investigation today.




[Bug 59616] SSLVerifyClient="optionalNoCA" stops working between 1.1.33 and 1.2.4

2016-05-23 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59616

Florian Kleedorfer  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Florian Kleedorfer  ---
I tried with the latest APR versions available on the website:
https://tomcat.apache.org/download-native.cgi
With 1.1.34, our application works;
with 1.2.7, I'm experiencing the same issue.
