Hi,

We have enabled SSL logging and could see that the incoming request was trusted with
common CNs used across the system.

We have added the web service certificate, and the incoming request is tested with
that.

Thanks for the assistance.

Thanks
Vinoth

On Wednesday, August 16, 2017, Rainer Jung <rainer.j...@kippdata.de> wrote:

> On 16.08.2017 at 09:09, Jose María Zaragoza wrote:
>
>> Hi:
>>
>> 2017-08-16 6:59 GMT+02:00 Vinoth Raja <rbvdvin...@gmail.com>:
>>
>>> Hi Chris,
>>>
>>> In the above conversation, the server presents the list of acceptable
>>> client certificates to the client. Does that happen for you?
>>>
>>> [Yes. It prints the list of acceptable certificates when
>>> certificateVerification is set to required. It prints the acceptable
>>> certificates from cacerts.
>>>
>>
>> Sorry for this semi-off-topic question,
>> but I'm interested in the list of CA DNs sent by the TLS server in
>> the SERVER HELLO message.
>> I mean the list under the "Acceptable client certificate CA names" header
>> (output text in Chris' mail).
>>
>> How can I set it in Tomcat 8.5? Does it work with either JSSE or native TLS?
>> What is the client behaviour if it doesn't have a certificate signed by
>> an "acceptable CA"?
>>
>
> It should work automatically with either JSSE or native TLS
> implementation. It is based on the trust configuration in the
> SSLHostConfig. So when you configure it using the OpenSSL config style, it
> would be the attributes caCertificateFile and/or caCertificatePath, using
> JSSE style config it would be the attributes truststoreFile or
> trustManagerClassName.
>
> I wrote "should", because we found a bug in 8.5 when using JSSE style
> config but OpenSSL implementation. That combination is supported but Tomcat
> would not announce the acceptable CA subjects to the client during the
> handshake. That means, if the client has only one certificate to present,
> it should not be a problem, but if it has multiple certificates it is
> missing the standard way to choose a good one.
>
> The fix for that bug was committed a few days ago to trunk (TC 9), and
> backport to TC 8.5 will happen soon. But the fix needs an additional method
> in the tcnative part, which first has to get released as tcnative 1.2.13 to
> make the fix complete. But as I said the bug only shows up when mixing JSSE
> style config with native impl. The other combinations should work fine.
>
> As Christopher wrote, you can also check the handshake with "openssl
> s_client" to see what the server announces.
>
> Regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

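Rainer suggests checking with "openssl s_client" what the server actually announces. The script below is an added example, not code from the thread or from the Tomcat project: it runs the check against a connector and extracts the "Acceptable client certificate CA names" block from the s_client output, so you can script it instead of reading the handshake dump by eye. The host, port, client.pem and client.key are placeholders, and the sample outputs at the bottom are constructed, not real captures. It assumes the text layout of OpenSSL 1.0.2 and 1.1.x s_client (one-line "/C=..." names in 1.0.2, "C = ..., O = ..." names in 1.1.x); other versions may print the section differently.

```shell
#!/bin/sh
# Added example (not from the thread): pull the CA subjects a TLS server
# announces in its CertificateRequest out of "openssl s_client" output.
# Assumptions: OpenSSL 1.0.2 / 1.1.x s_client text format; host, port and
# the client.pem / client.key file names are placeholders.

# Print one announced CA subject per line; reads s_client output on stdin.
# Handles the 1.0.2 one-line form (/C=US/O=...) and the 1.1.x form
# (C = US, O = ...). Exit status 1 when the server sent no CA names, which is
# exactly the symptom Rainer describes for JSSE-style config on the native impl.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^Client Certificate Types/ || /^Requested Signature/ ||
                    /^Shared Requested/ || /^Peer signing digest/ ||
                    /^---/ || /^SSL handshake has read/) { in_list = 0 }
        in_list && NF { print; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Number of announced CA names (0 when the server sent none).
count_acceptable_cas() {
    acceptable_cas | wc -l | tr -d ' '
}

# Live check against a connector. With certificateVerification="required"
# Tomcat asks for a client certificate during the handshake; the CA list it
# sends comes from the SSLHostConfig trust settings (caCertificateFile /
# caCertificatePath in OpenSSL style, truststoreFile in JSSE style).
# -cert/-key are only there so the handshake completes when a cert is required;
# the CA list is visible even without them.
check_server() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cert client.pem -key client.key </dev/null 2>/dev/null | acceptable_cas
}

# Constructed sample outputs (not real captures) for offline use.
SAMPLE_1_1='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Root CA
C = US, O = Example Corp, CN = Example Issuing CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 2893 bytes and written 1492 bytes'

SAMPLE_1_0='---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Root CA
---
SSL handshake has read 2893 bytes and written 1492 bytes'

SAMPLE_NONE='---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 500 bytes'
```

Usage: `check_server tomcat.example.internal 8443` prints the CA subjects, or nothing with exit status 1 if the server sent an empty list. An empty list with certificateVerification set to required is worth investigating before blaming the client: a client holding several certificates has no standard way to pick the right one without it, as the quoted reply explains.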