Hi Felix,
thanks for your reply. So does this mean no way on Tomcat 5.5? (as I
won't switch to a newer version, especially 7.x any time soon)
To your question:
Primary reason is I want my fat client java application and my java web
application to react the same way when a user supplies an expired
certificate.
(btw: interesting that Derby and Tomcat both being Apache products
behave differently here to start with).
I would still check the expiration date as part of the application logic
in both scenarios and for expired client certs allow read-only access to
the data base only
(so misuse the expiry date on the certificate to trigger read-only
restrictions).
Tx & Rgds
Am 26.04.2011 21:52, schrieb Felix Schumacher:
On Tue, 26 Apr 2011 20:44:38 +0200, Thomas Hill wrote:
Hi,
I am using clientAuth on Tomcat 5.5.30, JVM version 1.6.0_21-b06 from
Sun on Linux. The client certificates are self-generated and signed as
I am acting as CA for the client certificates. Authentication is
working as expected until the certificate expiry date is reached which
is when I am getting "ssl_error_certificate_unknown_alert" errors
returned and the connection is refused. I would like Tomcat to be more
tolerant and continue accepting the certificate even after its
expiration. Is there a way to change the configuration such that this
can be achieved?
Note: Sun's JSSE implementation by default (in contrast to IBM's)
accepts expired self-signed certificates - I also found this to be the
case when my Java application is communicating direct with an Apache
Derby Data Base Server running SSL. I would like the same tolerance
and behaviour be evidenced when connecting via Tomcat in a web/browser
based application environment.
I haven't tried it, but it looks like the attribute
'trustManagerClassName' should
help you with tomcat 7.11 and newer.
I do wonder, why you want expired certificates to be still valid, if
you are the ca
anyway and could certainly sign new for free.
Bye
Felix
Thanks
Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
