On 21 March 2018 at 14:54, Mark Thomas <ma...@apache.org> wrote:
>
>
> Progress.
>
> Tomcat 8.0.x is more relaxed about the content of PKCS12 trust stores
> than 8.5.x because of a change[1] made so that the effectiveness of the
> certificateVerificationDepth configuration attribute did not depend on
> the presence of a certificate revocation list.
>
> The PKCS12 store the scripts you provided create includes the private
> key of the trusted certificate. This is ... unusual. 8.5.x skips this
> cert as it does not expect a trusted cert to include the private key.
>
> I've tried various ways to get openssl to create a PKCS12 file without
> the private key but with the certificate without success. In the end I
> used keytool to do this and that worked. Something along these lines:
>
> keytool -storetype pkcs12 -importcert -file ca-cert.pem \
>         -keystore ca-truststore.p12
>
> With the modified trust store 8.5.x started with the same configuration
> as 8.0.x.
>
> Please can you test your set-up with 8.5.x, the modified trust store and
> the same configuration as 8.0.x (NIO, JSSE). That should help us track
> down where the problem may lie.
>
> Thanks,
>
> Mark
>

I created the PKCS12 as you showed above, used my 8.0.x configuration and
ran my test application for 8 hours without a single connection closed error.

-- 
Richard
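
A check for the condition described in this thread, as an added example that is not part of the original messages: it parses `keytool -list` output and flags any trust store entry that is not a `trustedCertEntry`. The sample listings are constructed, and `audit_listing`, `audit_truststore` and the `STOREPASS` environment variable are names chosen for this example.

```shell
#!/bin/sh
# Added example: audit a `keytool -list` listing of a PKCS12 trust store.
# A trust store should hold only trustedCertEntry items; a PrivateKeyEntry
# means a private key was bundled in, as with the store discussed above.

# Reads a keytool listing on stdin. Prints one FLAG line per entry that is
# not a trusted certificate, then a summary line. Returns 0 only when there
# is at least one entry and every entry is a trustedCertEntry.
audit_listing() {
    awk '
        match($0, /, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ ]*$/) {
            alias = $0; sub(/,.*$/, "", alias)
            type = substr($0, RSTART + 2, RLENGTH - 2); sub(/,[ ]*$/, "", type)
            if (type == "trustedCertEntry") trusted++
            else { flagged++; printf "FLAG %s: %s\n", alias, type }
        }
        END {
            printf "trusted=%d flagged=%d\n", trusted, flagged
            if (flagged > 0 || trusted == 0) exit 1
        }'
}

# Lists a real store with keytool and audits it. The store password is taken
# from the STOREPASS environment variable so it stays off the command line.
audit_truststore() {
    keytool -list -storetype pkcs12 -keystore "$1" \
        -storepass:env STOREPASS | audit_listing
}

# Constructed sample listings (not output captured from this thread).
sample_with_key='Keystore type: PKCS12

Your keystore contains 1 entry

ca, Mar 21, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): <placeholder>'

sample_certs_only='Keystore type: PKCS12

Your keystore contains 1 entry

ca, Mar 21, 2018, trustedCertEntry, 
Certificate fingerprint (SHA-256): <placeholder>'

# Audit the file named on the command line, if one was given.
if [ "$#" -eq 1 ]; then audit_truststore "$1"; fi
```

Run it as `STOREPASS=... sh audit.sh ca-truststore.p12`; a non-zero exit status means the store holds a non-certificate entry or no trusted certificate at all.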
