On 12/02/2019 17:21, John Palmer wrote:
> using the old Connector/clientAuth="true" or the new
> Connector/SSLHostConfig/certificateVerification="REQUIRED" (tried
> lowercase and without the D) format... doesn't seem to work properly.
> 
> no matter what value I use or which format... the behavior seems to be that
> the client cert is prompted for, but is optional.... (the web pages are
> shown whether a cert is selected or Cancel is selected on the prompt;
> in the latter case, a JSP scriptlet that shows X509 certificate content
> throws an error, confirming that the client certificate was not sent).
> 
> (Openssl s_client cmd confirms that the "Acceptable client certificate CA
> names" from the trustStore specified ARE being sent).
> 
> I don't doubt that I'm missing (mistyping or misunderstanding) something
> (again), but I'm gonna ask for help a little sooner this time rather than
> continuing to beat a dead horse :) ...

Maybe. Or you might have hit a Tomcat bug.

So, starting with a clean build of the latest 8.5.x source...

Enable TLS (uncomment the second of the commented-out TLS connectors in
the default server.xml), switch it to NIO2 from APR/native and copy the
key, cert, etc. into the correct locations.

Starts with TLS enabled with NIO2 (JSSE) on 8443. Can connect with Chrome.

Add certificateVerification="required" to the SSLHostConfig and restart.

Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome
rejected. Ah. No trust store configured on the connector.

Add caCertificateFile="conf/ca-rsa-cert.pem" to SSLHostConfig and restart.

Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome
rejected. Realised I tried to use OpenSSL config and I'm using JSSE.
Removed caCertificateFile="conf/ca-rsa-cert.pem" and added
truststoreFile="conf/ca-rsa.jks" to SSLHostConfig.

Starts with TLS enabled with NIO2 on 8443. Connection from Chrome
prompts for client cert. Click cancel - connection rejected. As
expected. Try again, this time selecting a certificate - connection allowed.

All working as expected.

Add Tomcat Native (so OpenSSL is used for TLS).

Tomcat starts with NIO2 (OpenSSL) on port 8443.

Prompted for user certificate. Click cancel. Connection refused.

Try again. Prompted for certificate. Select valid cert. Connection
refused. Ah. The trust store again. Switch back to the OpenSSL config.

Tomcat starts with NIO2 (OpenSSL) on port 8443.

Prompted for user certificate. Click cancel. Connection refused.

Try again. Prompted for certificate. Select valid cert. Connection allowed.

All seems to be working as expected here.

Mark
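For reference, the two working connector configurations that the walkthrough above arrives at, written out as server.xml fragments. This is an added illustration, not configuration posted by either participant; the trust store and CA file names are the ones mentioned in the reply, while the keystore/key/cert paths and the password values are assumptions (placeholders to be replaced).

```xml
<!-- Variant 1: NIO2 with JSSE. Client-cert trust comes from a Java trust store.
     Without truststoreFile, certificateVerification="required" rejects every
     client, because the server has no CA to validate the presented cert against. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/ca-rsa.jks"
                 truststorePassword="CHANGEME-truststore-password">
    <!-- Server identity; keystore path and password are assumed values. -->
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                 certificateKeystorePassword="CHANGEME-keystore-password"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- Variant 2: NIO2 with OpenSSL (Tomcat Native loaded). The JSSE truststoreFile
     is not used here; the CA that signs acceptable client certs is given as a PEM
     file instead. Mixing the two styles is what produced the spurious rejections. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="required"
                 caCertificateFile="conf/ca-rsa-cert.pem">
    <!-- Server key and cert in PEM form; these file names are assumed. -->
    <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                 certificateFile="conf/localhost-rsa-cert.pem"
                 certificateChainFile="conf/ca-rsa-cert.pem"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
```

With either variant, a browser that cancels the certificate prompt should be refused outright, and a JSP reading the javax.servlet.request.X509Certificate attribute should only ever see a non-null array, which is the quick check that "required" is actually being enforced rather than treated as optional.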
