On 16.08.2017 at 09:09, Jose María Zaragoza wrote:
Hi:

2017-08-16 6:59 GMT+02:00 Vinoth Raja <rbvdvin...@gmail.com>:
Hi Chris,

In the above conversation, the server presents the list of acceptable
client certificates to the client. Does that happen for you?

[ Yes. It prints the list of acceptable certificates when
certificateVerification is set to required. It prints the acceptable
certificates from cacerts.

Sorry for this semi-off-topic question,
but I'm interested in the list of CA DNs sent by the TLS server in the
SERVER HELLO message.
I mean the list under the "Acceptable client certificate CA names" header
(output text in Chris' mail).

How can I set it in Tomcat 8.5? Does it work with either JSSE or native TLS?
What is the client behaviour if it doesn't have a certificate signed by
an "acceptable CA"?

It should work automatically with either JSSE or native TLS implementation. It is based on the trust configuration in the SSLHostConfig. So when you configure it using the OpenSSL config style, it would be the attributes caCertificateFile and/or caCertificatePath, using JSSE style config it would be the attributes truststoreFile or trustManagerClassName.

I wrote "should", because we found a bug in 8.5 when using JSSE style config but OpenSSL implementation. That combination is supported but Tomcat would not announce the acceptable CA subjects to the client during the handshake. That means, if the client has only one certificate to present, it should not be a problem, but if it has multiple certificates it is missing the standard way to choose a good one.

The fix for that bug was committed a few days ago to trunk (TC 9), and the backport to TC 8.5 will happen soon. But the fix needs an additional method in the tcnative part, which first has to get released as tcnative 1.2.13 to make the fix complete. But as I said, the bug only shows up when mixing JSSE style config with native impl. The other combinations should work fine.

As Christopher wrote, you can also check the handshake with "openssl s_client" to see what the server announces.

Regards,

Rainer
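A way to script the "openssl s_client" check that Christopher and Rainer mention, so the CA list the server announces during the handshake can be verified (and the empty-list symptom of the 8.5 bug caught) from a shell. This is an added example, not code from the thread or from Tomcat; the hostname/port parameters, the OpenSSL 1.1.1 output layout it parses, and the sample DNs are assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not from the thread): pull the "Acceptable client certificate CA names"
# section out of `openssl s_client` output so the handshake check can be scripted.
#
# Exit status of extract_acceptable_cas:
#   0  CA names were announced (printed, one DN per line)
#   2  the server requested a client certificate but sent an empty CA list
#      ("No client certificate CA names sent"), the symptom described for the
#      JSSE-style-config + OpenSSL-implementation combination
#   3  no client certificate was requested at all (section absent)
extract_acceptable_cas() {
  awk '
    /^Acceptable client certificate CA names/ { found = 1; next }
    /^No client certificate CA names sent/    { none = 1; exit }
    found && (/^Client Certificate Types/ || /^---/) { exit }
    found { print }
    END { if (none) exit 2; if (!found) exit 3 }
  '
}

# Live check against a real server (hostname and port are assumptions, not from the thread).
# s_client only prints this section when the server actually requests a client certificate,
# i.e. certificateVerification is "required" or "optional" in the SSLHostConfig.
check_server_announces_cas() {
  host=$1; port=${2:-8443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | extract_acceptable_cas
}

# Count announced DNs on stdin (used by the demonstration below).
count_acceptable_cas() {
  extract_acceptable_cas | wc -l | tr -d ' '
}

# Constructed sample outputs (OpenSSL 1.1.1 layout), trimmed to the relevant section.
SAMPLE_WITH_CAS='---
Acceptable client certificate CA names
C = DE, O = Example Corp, CN = Example Client CA
C = DE, O = Example Corp, CN = Example Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---'
SAMPLE_WITHOUT_CAS='---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---'

# Healthy server: the DNs are listed and the exit status is 0.
printf '%s\n' "$SAMPLE_WITH_CAS" | extract_acceptable_cas \
  && echo "server announces $(printf '%s\n' "$SAMPLE_WITH_CAS" | count_acceptable_cas) acceptable CA(s)"

# Buggy combination: nothing is listed and the exit status is 2.
if printf '%s\n' "$SAMPLE_WITHOUT_CAS" | extract_acceptable_cas; then
  echo "unexpected: CA names found"
else
  echo "no CA names announced (exit $?): a client holding several certificates cannot pick one"
fi
```

Against a live Tomcat, run "check_server_announces_cas tomcat.example.internal 8443" and compare the printed DNs with the subjects in the configured caCertificateFile/caCertificatePath or truststoreFile; an exit status of 2 with a trust store that does contain CAs is the symptom Rainer describes.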
