On 08/01/2020 21:39, logo wrote:

<snip/>

>> I have confirmed that this updated key then works cleanly with both the
>> OpenSSL and JSSE TLS implementations.
>>
>
> Felix already suggested that. I've tried it and at first it looks good.
> Connector starts and serves the ECDSA cert.

Sorry I missed that. It was late and I was trying to do things too quickly.

> Please see the last two emails with the findings of the testssl.sh scans. I
> don’t know but tomcat now also serves strange ciphers… (at least some that
> openssl doesn’t even support and the scanner gets some strange results!)
>
> https://markmail.org/message/nj7lvuplld4c5nqx

ACK. I'll try and dig deeper once I've tackled the conversion issue.

>> In theory, Tomcat should be able to do this conversion for you. The
>> issue will be how much of the crypto API we need to do that is part of
>> the public API and, where it isn't, how easy it is to craft our own.
>>
>> I'm currently investigating…
>>
>
> Thanks for your support. I got the people at smallstep to create an option to
> also create RSA certs. So there is currently a workaround to use their acme
> process with tomcat.

Yes, we can do the conversion. It isn't too bad but I need to clean up my rather hacky approach to make it more robust before committing it. I hope to make progress on this today.

Mark