Hi, I am using the JSSE implementation and not OpenSSL. Defining trustStoreFile doesn't seem to trust the incoming request. Setting "certificateVerification=required" makes any request to Tomcat trusted, and it fails to even launch the Tomcat manager page. Is there a way to trust only the incoming cert for the web service connection we make?
Thanks
Vinoth

On Wed, Aug 16, 2017 at 5:48 PM, Rainer Jung <rainer.j...@kippdata.de> wrote:
> On 16.08.2017 at 09:09, Jose María Zaragoza wrote:
>
>> Hi:
>>
>> 2017-08-16 6:59 GMT+02:00 Vinoth Raja <rbvdvin...@gmail.com>:
>>
>>> Hi Chris,
>>>
>>> In the above conversation, the server presents the list of acceptable
>>> client certificates to the client. Does that happen for you?
>>>
>>> [ Yes. It prints the list of acceptable certificates when
>>> certificateVerification is set to required. It prints the acceptable
>>> certificates from cacerts.
>>
>> Sorry for this semi-offtopic,
>> but I'm interested in the list of DNs of CAs sent by the TLS server in
>> the SERVER HELLO message.
>> I mean the list under the "Acceptable client certificate CA names" header
>> (output text in Chris' mail).
>>
>> How can I set it in Tomcat 8.5? Does it work with either JSSE or native TLS?
>> How does the client behave if it doesn't have a certificate signed by
>> an "acceptable CA"?
>
> It should work automatically with either the JSSE or the native TLS
> implementation. It is based on the trust configuration in the
> SSLHostConfig. So when you configure it using the OpenSSL config style, it
> would be the attributes caCertificateFile and/or caCertificatePath; using
> JSSE style config it would be the attributes truststoreFile or
> trustManagerClassName.
>
> I wrote "should", because we found a bug in 8.5 when using JSSE style
> config but the OpenSSL implementation. That combination is supported, but Tomcat
> would not announce the acceptable CA subjects to the client during the
> handshake. That means, if the client has only one certificate to present,
> it should not be a problem, but if it has multiple certificates it is
> missing the standard way to choose a good one.
>
> The fix for that bug was committed a few days ago to trunk (TC 9), and
> the backport to TC 8.5 will happen soon. But the fix needs an additional method
> in the tcnative part, which first has to get released as tcnative 1.2.13 to
> make the fix complete. But as I said, the bug only shows up when mixing JSSE
> style config with the native impl. The other combinations should work fine.
>
> As Christopher wrote, you can also check the handshake with "openssl
> s_client" to see what the server announces.
>
> Regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
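Rainer and Christopher suggest checking the handshake with "openssl s_client" to see which CA names the server announces. The POSIX shell script below is an added example, not code from this thread or from the Tomcat project: it parses the "Acceptable client certificate CA names" section of s_client output and checks whether a client certificate's issuer DN is on that list, which is the question Jose asks about clients that hold no certificate from an "acceptable CA". The s_client output, host name and DNs are constructed sample data, so the script runs offline; the live pipeline is shown in a comment.

```shell
#!/bin/sh
# Added example, not from the thread: list the CA subject names a TLS server
# announces in its CertificateRequest ("Acceptable client certificate CA
# names" in "openssl s_client" output) and check whether a client
# certificate's issuer is among them. All data below is constructed.

# Constructed sample of what "openssl s_client -connect host:8443" prints
# (OpenSSL 1.1.1+ DN formatting) for a server that requests client certs.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = tomcat.example.test
   i:CN = Example Internal CA, O = Example Corp, C = US
---
Acceptable client certificate CA names
CN = Example Internal CA, O = Example Corp, C = US
CN = Partner Root CA, O = Partner Ltd, C = GB
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 1500 bytes and written 400 bytes'

# Constructed sample of a server that announces no CA names, which is what
# the bug Rainer describes looks like from the client side.
SAMPLE_NO_CA_NAMES='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1200 bytes and written 350 bytes'

# Read s_client output on stdin; print the announced CA names one per line.
# Prints nothing when the server sent no names.
acceptable_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^Client Certificate Types/ || /^Requested Signature/ || /^---/) { in_list = 0 }
        in_list { print }
    '
}

# Read s_client output on stdin; print how many CA names were announced.
count_ca_names() {
    acceptable_ca_names | awk 'END { print NR }'
}

# Read s_client output on stdin; exit 0 only if the issuer DN in $1, in the
# form printed by "openssl x509 -noout -issuer" ("issuer=CN = ..."), exactly
# matches one announced name. Use the same OpenSSL version for both commands
# so the DN formatting agrees (older releases print "/C=US/O=..." instead).
client_cert_acceptable() {
    issuer=$(printf '%s\n' "$1" | sed 's/^issuer=//')
    acceptable_ca_names | grep -Fxq -- "$issuer"
}

# Live use against a real server (host name is a placeholder):
#   openssl s_client -connect tomcat.example.test:8443 </dev/null 2>/dev/null | acceptable_ca_names
#   openssl x509 -noout -issuer -in client.pem
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | acceptable_ca_names
```

If the live run prints nothing while certificateVerification is set to "required" or "optional", the server is not announcing its trust anchors; a client with several certificates then has to be told explicitly which one to send (for example via s_client's -cert and -key options) rather than picking one from the list.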