Hi Christopher,
Thanks for looking into this!
On 17.06.2016 at 00:01, Christopher Schultz wrote:
> clientAuth="want"?
> Note that this is only documented for the JSSE-based connectors, not
> the APR connector.
Yes, thanks - I think that's garbage left in there from my attempts to
use BIO/NIO connectors, which do not seem to allow the needed behaviour
(self-signed client certs) at all - but this is beside the point now.
Removing this attribute does not change anything regarding this bug.
> SSLVerifyDepth="2"
> Why do you bother to specify SSLVerifyDepth if you aren't trying to
> use CLIENT-CERT authentication? This is just for informational
> purposes from the client, right?
I don't know of any reason to set this attribute to 2 - it was decided
by the original developer and the config used to work. Probably remains
of another abandoned experiment. To be fair, I know of no reason to
remove it (use the defaults) or set a different value, either. If you
have suggestions, I'd be thankful to hear them.
> With no changes to the client, this works on Tomcat 8.0.30 but fails
> with Tomcat 8.0.32?
My setup:
* Client and server are running on the same machine.
* Everything I documented in this bug report was tried on the same
64-bit Windows 7 machine.
* Client and server use jdk1.8.0_92
* I am running Tomcat through IntelliJ by pointing IntelliJ to a freshly
unpacked Tomcat 8.0.(30|32).
* I am running a client as a separate Java program, also from IntelliJ.
The bug:
1. When I point IntelliJ to the Tomcat 8.0.30 folder, the application
works. When I point it to 8.0.32, it doesn't.
2. After reproducing the error as stated in 1., I can 'fix' 8.0.32 by
copying 8.0.30/bin/tcnative-1.dll to 8.0.32/bin, which convinces me that
the version change between those two tcnative versions is responsible.
The information I gave on OpenSSL versions was taken from the Tomcat log
messages. The different OpenSSL versions are due to different versions
of tcnative-1.dll (or at least that is what I think).
'openssl version' on the command prompt of this machine says
OpenSSL 0.9.8zf 19 Mar 2015
> Since you presumably have a system with OpenSSL 1.0.1m on it (the
> "working" system), please install Tomcat 8.0.32 on that system and
> re-try with Tomcat 8.0.32 + tcnative 1.2.4 + OpenSSL 1.0.1m.
>
> Since you presumably have a system with OpenSSL 1.0.2e on it (the
> "non-working" system), please try installing Tomcat 8.0.30 on the
> system with OpenSSL 1.0.2e and re-try with Tomcat 8.0.30 + tcnative
> 1.1.33 + OpenSSL 1.0.2e.
Since my whole setup is local, I don't think I can perform these steps.
> This will help narrow-down which component contains the change which
> is causing these failures.
>
> I suspect the problem will be narrowed-down to either a change in
> OpenSSL, a change in tcnative, or a change in APR.
Thanks,
Florian