[prev in list] [next in list] [prev in thread] [next in thread] 

List:       tomcat-user
Subject:    Re: Client-CERT SSLVerifyClient=none does not seem to work .. any suggestion for debugging?
From:       Vivien Wu <vivien.kobayashi () gmail ! com>
Date:       2019-08-29 21:58:48
Message-ID: CADK7ZiLDSueztLJDqBPgbJQb4FFauuXf0NZZjLbgtfvEUWZaAA () mail ! gmail ! com
[Download RAW message or body]


Thank you for your response.
Perhaps I was not clear.. what I really want to do is to have Client
authentication only for the particular path (/Authn/X509).
But it does not seem to kick in and I am wondering if there is any
suggestion for troubleshooting.

-Vivien

On Thu, Aug 29, 2019 at 12:48 AM Mark Thomas <markt@apache.org> wrote:

> On 28/08/2019 23:09, Vivien Wu wrote:
> > Tomcat version: 8.5.14
> > OS: debian 9 (stretch)
> > Issues:  If using SSLVerifyClient=optional, it seems to work (log
> attached,
> > assuming config is validated);
> > however when trying to use SSLVerifyClient=none, the browser complains
> >
> > This site can't provide a secure connection login-test.foo.com sent an
> > invalid response.
> > ERR_SSL_PROTOCOL_ERROR
>
> What did you expect?
>
> You told the Connector - explicitly - not to ask for CLIENT-CERT
> authentication.
>
> You told the application to require CLIENT-CERT authentication.
>
> It looks like SSLVerifyClient=optional is the correct setting for you
> use case.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


[prev in list] [next in list] [prev in thread] [next in thread]