List:       tomcat-user
Subject:    Re: [OT] tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options
From:       Mark Thomas <markt () apache ! org>
Date:       2019-02-13 8:33:52
Message-ID: 9f897235-c16d-b4b2-b9b5-fd011575d1be () apache ! org
On 12/02/2019 22:26, Christopher Schultz wrote:
> Mark,
> 
> On 2/12/19 13:27, Mark Thomas wrote:
>> Try again. Prompted for certificate. Select valid cert. Connection
>> refused. Ah, the trust store again. Switch back to the OpenSSL
>> config.
> 
> This is a real point of confusion for users... the difference between
> configuring for OpenSSL versus JSSE (especially when using OpenSSL via
> JSSE).
> 
> Is there any technical reason why we can't accept either type of
> certificate for either type of connector? I can't think of a reason
> why we couldn't convert from one to the other if necessary.
> 
> Sure, it's a bunch of plumbing code that we have to babysit, but the
> configuration will be *so* much nicer, regardless of the user's
> preference (e.g. PEM-encoded DER files, just like $deity intended, or
> the hellspawn that is certificate keystores).

Some of that is already in place but there are gaps.

Likewise we have merged some of the configuration options but could
probably do more.

A good starting point would be a wiki page or similar that documented
the current state and then we could start to fill in the gaps.

Just thinking out loud, a nice way to test this would be with a single
set of key/cert files and multiple connectors on different ports that
each used a different combination. Testing would then be a case of
starting Tomcat and checking the homepage on a handful of different
ports (which could easily be made into a unit test).

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
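The multi-connector test setup sketched in the message above, written out as an added server.xml fragment for illustration; it is not code from the thread or from the Tomcat project. It assumes one RSA key pair exported twice (once as a JKS keystore, once as PEM files) under conf/, the documented Tomcat 8.5 SSLHostConfig attributes, and that the AprLifecycleListener with SSLEngine="on" is present so the OpenSSL implementation can be selected. The port numbers and file names are constructed; which trust-store attribute each implementation accepts is exactly the gap the test is meant to expose, so the pairing below (truststoreFile for JSSE, caCertificateFile for OpenSSL) is the conservative one rather than a claim that the other combinations fail.

```xml
<!-- Added example (not from the mailing-list thread): one key/cert set,
     four connectors, each exercising a different implementation/format
     combination. Client certificate verification is required on all of
     them so the trust-store handling is tested, not just the server cert. -->

<!-- Needed for the OpenSSL implementation to be available to NIO/NIO2. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- Port 8443: JSSE implementation, JKS keystore for the server cert,
     JKS truststore for client-cert verification. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/test-truststore.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/test-keystore.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Port 8444: JSSE implementation, but the server cert supplied as PEM
     (key + cert + chain). Whether JSSE accepts the PEM form is one of the
     combinations the test is meant to check. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/test-truststore.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeyFile="conf/test-key.pem"
                 certificateFile="conf/test-cert.pem"
                 certificateChainFile="conf/test-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Port 8445: OpenSSL implementation via NIO2, PEM server cert,
     PEM CA bundle for client-cert verification. -->
<Connector port="8445" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  <SSLHostConfig certificateVerification="required"
                 caCertificateFile="conf/test-ca.pem">
    <Certificate certificateKeyFile="conf/test-key.pem"
                 certificateFile="conf/test-cert.pem"
                 certificateChainFile="conf/test-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Port 8446: OpenSSL implementation, but the server cert taken from the
     same JKS keystore as port 8443. Again, the point is to see whether this
     cross-format combination is accepted. -->
<Connector port="8446" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  <SSLHostConfig certificateVerification="required"
                 caCertificateFile="conf/test-ca.pem">
    <Certificate certificateKeystoreFile="conf/test-keystore.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

With Tomcat started on this configuration, the check is the one the message describes: request the homepage on each of the four ports with the same client certificate (for example with curl's --cert/--key and --cacert options) and record which ports complete the handshake and serve the page. A port that refuses the connection pinpoints an implementation/format combination that still needs plumbing, which is the information a wiki page documenting the current state would need.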
