| Summary: | Connector attribute certificateVerification in the new SSLHostConfig section is not requiring a client certificate | | |
|---|---|---|---|
| Product: | Tomcat 8 | Reporter: | Shaun Morton <shaun> |
| Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | 8.5.4 | | |
| Target Milestone: | ---- | | |
| Hardware: | PC | | |
| OS: | All | | |
Description
Shaun Morton
2016-08-03 21:01:34 UTC
I would expect to see this error message in the tomcat8-stdout.????-??-??.log with SSL debug enabled and the client does not present a certificate. I see nothing in the log when running 8.5.4:

```
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
http-nio-8443-exec-2, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
http-nio-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-nio-8443-exec-2, called closeSocket()
http-nio-8443-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8443-exec-2, IOException in getSession():  javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8443-exec-2, called close()
http-nio-8443-exec-2, called closeInternal(true)
```

and what Chrome would present:

```
This site can't provide a secure connection
servername didn't accept your login certificate, or your login certificate may have expired.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
```

I was able to resolve the problem. Need to use the attribute "truststorePassword" instead of the attribute "truststorePass" listed on the following help page: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig

Working Server.xml file:

```xml
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           maxKeepAliveRequests="15"
           connectionTimeout="60000"
           acceptCount="100"
           connectionUploadTimeout="300000"
           compression="force"
           enableLookups="true"
           disableUploadTimeout="false" >
  <SSLHostConfig truststoreFile="?:\?\?.jks"
                 truststorePassword="*******"
                 certificateVerification="required"
                 protocols="+TLSv1,+TLSv1.1,+TLSv1.2" >
    <Certificate certificateKeystoreFile="?:\?\?.jks"
                 certificateKeystorePassword="*******"
                 certificateKeyAlias="1"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Thanks for the update. I've fixed the docs for 9.0.x and 8.5.x for the next release of each (9.0.0.M10 and 8.5.5).
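The report above boils down to a mis-spelled attribute name (`truststorePass` instead of the documented `truststorePassword`) on `SSLHostConfig`, which left client-certificate verification broken without an obvious error. The following lint, added here as an example and not part of the bug report or of Tomcat itself, parses a `server.xml` and flags unknown `SSLHostConfig`/`Certificate` attributes, a `certificateVerification="required"` or `"optional"` with no truststore to verify against, and a `truststoreFile` given without a `truststorePassword`. The allow-lists are taken from the Tomcat 8.5 SSLHostConfig documentation linked in the report but are deliberately partial (assumption: extend them if your config uses attributes not listed); the typo map is the one name from this report plus the legacy Connector-level names applied to the new element (assumption); the two embedded configs are constructed for the example with placeholder paths.

```python
"""Lint the SSLHostConfig section of a Tomcat 8.5/9.0 server.xml for the
truststorePass vs. truststorePassword mix-up from this bug report.
Added example, not Tomcat's own code."""
import xml.etree.ElementTree as ET

# Attribute names from the Tomcat 8.5 "SSL Support - SSLHostConfig" docs.
# Assumption: a working subset, not the complete list; extend as needed.
SSLHOSTCONFIG_ATTRS = {
    "hostName", "certificateVerification", "certificateVerificationDepth",
    "caCertificateFile", "caCertificatePath", "certificateRevocationListFile",
    "ciphers", "honorCipherOrder", "protocols", "sslProtocol",
    "sessionCacheSize", "sessionTimeout", "truststoreAlgorithm",
    "truststoreFile", "truststorePassword", "truststoreProvider",
    "truststoreType", "trustManagerClassName",
}
CERTIFICATE_ATTRS = {
    "certificateFile", "certificateChainFile", "certificateKeyAlias",
    "certificateKeyFile", "certificateKeyPassword",
    "certificateKeystoreFile", "certificateKeystorePassword",
    "certificateKeystoreProvider", "certificateKeystoreType", "type",
}
# Wrong name -> documented name. First entry is the one from this report;
# the others are legacy Connector-level names that do not exist on
# SSLHostConfig (assumption about what people are likely to type).
LIKELY_TYPOS = {
    "truststorePass": "truststorePassword",
    "keystorePass": "certificateKeystorePassword",
    "keystoreFile": "certificateKeystoreFile",
    "keyAlias": "certificateKeyAlias",
    "clientAuth": "certificateVerification",
}


def lint_ssl_host_config(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        where = f"Connector port={connector.get('port', '?')} SSLHostConfig"
        for shc in connector.findall("SSLHostConfig"):
            # 1. Attribute names Tomcat does not document for this element.
            for name in shc.attrib:
                if name not in SSLHOSTCONFIG_ATTRS:
                    msg = f"{where}: unknown attribute '{name}'"
                    if name in LIKELY_TYPOS:
                        msg += f" (did you mean '{LIKELY_TYPOS[name]}'?)"
                    findings.append(msg)
            # 2. Client-cert verification needs something to verify against.
            verification = shc.get("certificateVerification", "none")
            if verification in ("required", "optional"):
                if not (shc.get("truststoreFile") or shc.get("caCertificateFile")):
                    findings.append(
                        f"{where}: certificateVerification={verification} "
                        "but no truststoreFile/caCertificateFile is set")
                elif shc.get("truststoreFile") and "truststorePassword" not in shc.attrib:
                    findings.append(
                        f"{where}: truststoreFile set without truststorePassword "
                        "(check the attribute name)")
            # 3. Same name check for the nested Certificate element(s).
            for cert in shc.findall("Certificate"):
                for name in cert.attrib:
                    if name not in CERTIFICATE_ATTRS:
                        findings.append(f"{where}/Certificate: unknown attribute '{name}'")
    return findings


# Constructed sample mirroring the report's connector, with placeholder paths.
WRONG_CONFIG = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig truststoreFile="conf/truststore.jks"
                     truststorePass="changeit"
                     certificateVerification="required"
                     protocols="+TLSv1.2">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""
# The same config with the documented attribute name.
FIXED_CONFIG = WRONG_CONFIG.replace("truststorePass=", "truststorePassword=")

if __name__ == "__main__":
    for label, cfg in (("wrong", WRONG_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in lint_ssl_host_config(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against a real `server.xml` by passing the file contents to `lint_ssl_host_config`; the mis-spelled config produces two findings (the unknown attribute with the suggested name, and the truststore with no password), the corrected one produces none.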