Hi Mark,

Thank you for the settings. I am not sure what the APR/native connector version is; I am using the default APR/native connector in 6.0.29 (I do not set/change APR on my Windows machine).

I am not sure why the client certificate authentication failed when my client certificate was signed with SHA256, but client certificate authentication worked perfectly when the client certificate was signed with SHA1. From http://old.nabble.com/SHA256-digest-windows-0.9.8k--td26123008.html, it mentioned that developers are required to include a call to OpenSSL_add_all_algorithms() instead of calling SSL_library_init(), which only adds the more commonly used SSL algorithms. I am not sure where I should include this. Can you advise how to solve my problem?

My APR connector settings:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
           SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
           SSLVerifyClient="optional"
           SSLVerifyDepth="1"
           SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
           SSLCACertificateFile="C:\usr-files\client-cert-ca.crt" />

On 13 November 2010 00:38, Mark Thomas <ma...@apache.org> wrote:
> On 12/11/2010 16:27, Goo Sam Kong wrote:
> > Hi
> >
> > I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
>
> APR/native connector version? SSL re-negotiation wasn't supported until
> recently and the CVE-2009-3555 fixes further complicate things.
>
> > <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
> >            SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
> >            SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
> >            SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
> >            SSLEnabled="true"
> >            SSLEngine="on"
> >            SSLVerifyClient="optional"
> >            maxThreads="150"
> >            port="8443"
> >            protocol="HTTP/1.1"
> >            scheme="https"
> >            secure="true"
> >            sslProtocol="TLS" />
>
> Is SSLEngine a valid attribute here? I don't see it in the Connector docs.
> SSLVerifyClient="optional" can (should?) be removed.
> Is that SSLCipherSuite compatible with your client? Try removing that
> setting until everything else is working.
>
> The following settings are known to work:
>
> <Connector
>     port="8443"
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     SSLEnabled="true"
>     maxThreads="150"
>     scheme="https"
>     secure="true"
>     SSLCertificateFile="${catalina.base}/conf/tomcathost-cert.pem"
>     SSLCertificateKeyFile="${catalina.base}/conf/tomcathost-key.pem"
>     SSLCACertificateFile="${catalina.base}/conf/cacert.pem" />
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
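The thread narrows the failure down to the digest used to sign the client certificate: a SHA1-signed certificate verifies, a SHA256-signed one does not, and the linked post blames an OpenSSL 0.9.8 build that initialised with SSL_library_init() alone and so never registered the SHA-256 digest. The first thing to confirm on the server side is therefore which signature algorithm each certificate in the client chain actually carries. The script below is an added example written for this page, not code from the thread, Tomcat or OpenSSL; it walks the outer DER structure of an X.509 certificate with a minimal hand-written parser (standard library only) and reports the signatureAlgorithm OID. The certificates it demonstrates on are constructed stand-ins with the real outer layout and dummy contents; run it on `client.crt` / `client-cert-ca.crt` (DER or PEM) to check a real chain.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM).

Added example, not from the mailing-list thread. Only the outer
  Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
                             signatureAlgorithm SEQUENCE { OID, params },
                             signatureValue BIT STRING }
layout is parsed; the tbsCertificate is skipped, so this works on any cert.
"""
import base64
import re
import sys

SEQUENCE, OID, NULL, INTEGER, BIT_STRING, OCTET_STRING = 0x30, 0x06, 0x05, 0x02, 0x03, 0x04

# OID -> (algorithm name, digest). Only the common RSA/ECDSA ones are listed.
KNOWN = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x8n + n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode OID content octets (first byte packs arcs 1 and 2) to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(text):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = re.sub(r"-----[^-]+-----", "", text)
    return base64.b64decode("".join(body.split()))


def signature_algorithm(cert):
    """Return (oid, name, digest) of the certificate's outer signatureAlgorithm."""
    if isinstance(cert, str):
        cert = cert.encode("ascii")
    if cert.lstrip().startswith(b"-----"):
        cert = pem_to_der(cert.decode("ascii"))
    tag, body, _ = _read_tlv(cert, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)      # signatureAlgorithm
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, digest = KNOWN.get(oid, ("unknown", "unknown"))
    return oid, name, digest


# --- constructed sample input (not a real certificate) ----------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_fake_cert(sig_oid):
    """Constructed stand-in with a padded tbsCertificate (exercises long-form lengths)."""
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + _tlv(OCTET_STRING, b"X" * 200))
    alg = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(NULL, b""))
    sig = _tlv(BIT_STRING, b"\x00" + b"\xAA" * 16)
    return _tlv(SEQUENCE, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # real use: python script.py client.crt
        with open(sys.argv[1], "rb") as f:
            print(signature_algorithm(f.read()))
    else:                                   # demo on the constructed stand-ins
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            print(signature_algorithm(make_fake_cert(oid)))
```

Check both the client certificate and the CA certificate named in SSLCACertificateFile: if the one that fails reports `sha256` while the working one reports `sha1`, the symptom matches the digest-registration problem the thread points at, and the fix belongs in the native library build (the OpenSSL initialisation the linked post describes), not in the Connector attributes.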