On 21/06/17 20:53, Racine Faye wrote:
> Thanks for the reply Christopher. The way tomcat has always worked in
> the past (before 8.5.15), is that your trust store is what tomcat uses
> to decide what certificates the browser should show to the user
> because it only shows them certificates that are in the certificate
> chain of whatever you import into your trust store. So if you import a
> root certificate it will show everything that has that root
> certificate in its chain but if you import in an intermediate it will
> only show the certificates that the intermediate accepts. So the way
> it works for DoD is that on each CAC there are 2 client authentication
> certificates one Email Cert and one ID cert. They contain different
> information mainly the email address is only contained in the Email
> cert. When users are prompted to select a certificate they are only
> supposed to be given the selection of what certificates are in the
> trust store because it knows that anything not in that trust store
> won't be accepted anyways. When you set the clientAuth to true in the
> connector that is what makes it so Tomcat then asks for a certificate
> from the user for validation. I have used both IE and Chrome and I get
> the same results in both. I am pretty sure it is not a browser issue
> though because I have both Tomcat 8.5.15 and 8.5.14 running on the
> same server using the same trust store and 8.5.14 asks for only
> Certificates that are in the Chain of the Intermediates that I
> imported in and 8.5.15 asks for all of the certificates. Unfortunately
> I am not able to run openssl as I am on a government network and the
> software we can use is restricted.
> https://stackoverflow.com/questions/1666052/java-https-client-certificate-authentication
> The previous link has a pretty good explanation of the way Tomcat has
> always worked in the past in the comments and explains about the
> behavior I am expecting.

I cannot reproduce the behaviour you are seeing.

I have tested with 8.5.14 and 8.5.15 (building both from source) and in
both cases specifying a truststoreFile limits the certs presented by the
browser to those signed by those in the truststoreFile.

That said, there have been quite a few changes in the TLS configuration
for 8.5.x and 9.0.x and it is possible that some edge cases exist that
are not handled correctly.

If you want us to look at this further you are going to need to provide
a test case that demonstrates the problem. This will need to include:

- Connector configuration for server.xml that reproduces the issue
- A complete set of keystores, certs and keys to configure Tomcat and
  the browser
- Instructions on how to reproduce the issue

Obviously don't use real certs for any of the above. The TLS generation
presentation from 2016 may help you create all of these.
http://tomcat.apache.org/presentations.html

Finally, all of the above needs to be as simple as possible.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
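A minimal server.xml connector of the kind Mark asks for, added here as an illustration; it is not code from the thread or from the Tomcat project. It uses the Tomcat 8.5 SSLHostConfig form, where certificateVerification="required" plays the role of the older clientAuth="true" attribute. The file names, key alias and passwords are placeholders I have assumed, not values from the thread.

```xml
<!-- server.xml excerpt (added example, not from the thread).
     Paths, aliases and passwords are assumed placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150">

    <!-- certificateVerification="required" makes Tomcat send a TLS
         CertificateRequest, i.e. the 8.5 equivalent of clientAuth="true".
         truststoreFile is the store whose CA subjects are advertised to
         the browser as the acceptable issuer names; the browser only
         offers the user certificates that chain to one of them.
         If truststoreFile is omitted, Tomcat falls back to the JVM's
         default trust store, so the browser filters against a far
         larger set of CAs and the picker shows many more certificates. -->
    <SSLHostConfig protocols="TLSv1.2"
                   certificateVerification="required"
                   truststoreFile="${catalina.base}/conf/client-ca-intermediates.p12"
                   truststorePassword="CHANGE_ME"
                   truststoreType="PKCS12">

        <!-- Server identity: a test certificate, never a production one. -->
        <Certificate certificateKeystoreFile="${catalina.base}/conf/server-test.p12"
                     certificateKeystorePassword="CHANGE_ME"
                     certificateKeystoreType="PKCS12"
                     certificateKeyAlias="tomcat" />
    </SSLHostConfig>
</Connector>
```

To check which issuer names a given build actually advertises, look at what the browser's certificate picker offers, or, on a machine where it is available, run openssl s_client against the port and read the "Acceptable client certificate CA names" section of its output. Comparing that list between an 8.5.14 and an 8.5.15 instance configured with the same truststoreFile is the quickest way to confirm or rule out the behaviour described above.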
