Hi! I have successfully set up mutual authentication on a Tomcat 9.0.1 server running on CentOS 6.5. To do my testing, I use a Java program that I wrote to verify my understanding of SSL and the server configuration.
My question is about the server-side verification of the client certificate (the CertificateRequest part of the handshake). I noticed that the hostname/common name in the client certificate did not seem to be validated. I can move that certificate to several machines and the server will always accept it, as long as it is signed by one of the trusted authorities in the server JVM's truststore.

I am puzzled by this behavior because I was expecting the hostname to matter. If my certificate was set for a machine, I was not expecting it to work on another machine. My understanding is that when "certificateVerification" is set to "required", the server would perform the same verification as the client does, that is:

1) Verify the incoming certificate is signed by an authority that is part of the local truststore.
2) Verify that the incoming certificate's common name matches the hostname of the peer we are communicating with.

Also, should the server behavior be correct, can someone explain to me why it is like that? I find it odd that the client certificate can be copied around and used by anyone and still pass mutual authentication...

Thanks in advance,

Nicolas Therrien ing.
Senior Software Engineer
Airbus DS Communications, home of VESTA®
200 Boul. de la Technologie, Suite 300
Gatineau, QC J8Z 3H6 Canada
819.931.2139 (DIRECT)
www.Airbus-DSComm.com
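Editor's added example (not code from the post, from Tomcat, or from the JDK): the step the question lists as 2) is not something the JSSE default trust manager does for a client certificate; by default it validates the chain against the truststore and stops there. If a deployment really wants the client certificate bound to the connecting host, that binding has to be added on top. The hypothetical class below, `PeerBoundClientTrustManager`, wraps the default `X509ExtendedTrustManager` so the normal PKI checks still run, then requires a dNSName SAN (or, when the certificate has no SAN extension, the CN) equal to the hostname the peer's address reverse-resolves to. The class name and the reverse-DNS binding policy are this example's choices.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Hypothetical server-side trust manager (added example). The wrapped JSSE
 * default trust manager checks signature, validity period and trust anchor;
 * this wrapper additionally requires the client certificate to name the host
 * the connection comes from.
 */
public final class PeerBoundClientTrustManager extends X509ExtendedTrustManager {

    private final X509ExtendedTrustManager delegate;

    public PeerBoundClientTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509ExtendedTrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                found = (X509ExtendedTrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no X509ExtendedTrustManager available");
        }
        this.delegate = found;
    }

    /** Pure name check: does the certificate's SAN (or CN fallback) name this host? */
    static boolean certificateNamesHost(X509Certificate cert, String host)
            throws CertificateException {
        String want = host.toLowerCase(Locale.ROOT);
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName; its value is a String.
                if (Integer.valueOf(2).equals(san.get(0))
                        && want.equals(((String) san.get(1)).toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
            return false; // a SAN extension is present: do not fall back to the CN
        }
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())
                        && want.equals(String.valueOf(rdn.getValue()).toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
        return false;
    }

    private static void requireNameMatch(X509Certificate leaf, String peerHost)
            throws CertificateException {
        if (!certificateNamesHost(leaf, peerHost)) {
            throw new CertificateException("client certificate "
                + leaf.getSubjectX500Principal() + " does not name peer host " + peerHost);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType, socket);  // standard chain validation
        // Reverse DNS of the peer address; see the caveat below the code.
        requireNameMatch(chain[0], socket.getInetAddress().getCanonicalHostName());
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType, engine);
        // An accepting SSLEngine only knows the peer host if its creator supplied one.
        if (engine.getPeerHost() == null) {
            throw new CertificateException("peer host unknown; cannot bind client certificate");
        }
        requireNameMatch(chain[0], engine.getPeerHost());
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // No peer information in this overload, so the binding cannot be applied: fail closed.
        throw new CertificateException("client certificate check requires peer information");
    }

    // Server-certificate checks are untouched; pass them through to the default.
    @Override public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { delegate.checkServerTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s)
            throws CertificateException { delegate.checkServerTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e)
            throws CertificateException { delegate.checkServerTrusted(c, a, e); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Two caveats a practitioner would weigh before deploying something like this. First, the binding is only as strong as the peer name it compares against: reverse DNS of the source address is controlled by whoever runs the reverse zone, and the source address itself tells you nothing about who holds the private key. Second, and more fundamentally, the usual design treats the client certificate's subject as the authenticated identity and makes the authorization decision on that identity, rather than on where the TCP connection originated; under that design a certificate that can be "copied around" is simply a compromised credential, to be revoked, not a gap in the handshake. If this wrapper were to be used with Tomcat's JSSE connector, note that the `trustManagerClassName` attribute expects a class with a zero-argument constructor, so the truststore loading above would have to move into such a constructor.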