On 8 November 2017 21:09:11 GMT+00:00, Nicolas Therrien <nicolas.therr...@airbus-dscomm.com> wrote:
<snip/>
>My understanding is that when "certificateVerification" is set to
>"required", the server would perform the same verification as the
>client does, that is:
>
>1) Verify the incoming certificate is signed by an authority that is
>part of the local truststore.

Correct.

>2) Verify that the incoming certificate's common name matches the
>hostname of the peer we are communicating with.

Incorrect. The client cert is intended to prove the identity of the user, not the host they happen to be using.

Mark
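For reference, this is an added server.xml fragment (not from the thread or from Tomcat's own docs) showing the configuration being discussed: a Tomcat 8.5+ HTTPS connector with certificateVerification="required", where the client certificate chain is validated against the configured truststore and nothing else; keystore/truststore paths and passwords are placeholders.

```xml
<!-- Added example, not from the thread: HTTPS connector requiring a client
     certificate. Paths and passwords below are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
    <SSLHostConfig hostName="_default_"
                   protocols="TLSv1.2"
                   certificateVerification="required"
                   certificateVerificationDepth="2"
                   truststoreFile="conf/client-ca-truststore.jks"
                   truststorePassword="CHANGEME">
        <!-- The server's own identity; independent of how client
             certificates are checked -->
        <Certificate certificateKeystoreFile="conf/server-keystore.jks"
                     certificateKeystorePassword="CHANGEME"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```

With this in place the accepted client certificate chain is exposed to the web application as the request attribute `javax.servlet.request.X509Certificate`, and a CLIENT-CERT login-config plus a Realm maps its subject to a user; at no point is the certificate's CN compared against a hostname.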