Even when SSLVerifyClient="optionalNoCA" is specified in the connector, invalid client certificates still lead to failed SSL handshakes. This is because SSL_get_verify_result(con->ssl) in sslnetwork.c still returns != X509_V_OK even though SSL_callback_SSL_verify() returns ok in these cases. There is an extra check in OpenSSL itself which is returning the error. The way this is dealt with in mod_ssl in Apache (ssl_engine_io.c) is:

    if ((verify_result != X509_V_OK) || sslconn->verify_error) {
        if (ssl_verify_error_is_optional(verify_result) &&
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) {
            /* leaving this log message as an error for the moment,
             * according to the mod_ssl docs:
             * "level optional_no_ca is actually against the idea
             *  of authentication (but can be used to establish
             *  SSL test pages, etc.)"
             * optional_no_ca doesn't appear to work as advertised
             * in 1.x
             */
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed, "
                          "accepting certificate based on "
                          "\"SSLVerifyClient optional_no_ca\" "
                          "configuration");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
        }
        else {
            const char *error = sslconn->verify_error ?
                sslconn->verify_error :
                X509_verify_cert_error_string(verify_result);

            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed: %s",
                          error ? error : "unknown");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);

            return ssl_filter_io_shutdown(filter_ctx, c, 1);
        }
    }

Even though verify_result is not OK, if optional_no_ca is specified, the request should be valid. The release notes specify that bugs in this code should be filed under the "Native:JNI" component, but I could not find it in the pull-down.
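The post-handshake decision the report describes, written out as a small stand-alone model. This is an added example, not code from tcnative, Tomcat or mod_ssl: the verify-mode enum, accept_client_auth() and the constructed scenarios are mine; the X509_V_* values are copied from OpenSSL's x509_vfy.h so the file builds without the OpenSSL headers; and the set of errors treated as "optional" follows what I understand mod_ssl's ssl_verify_error_is_optional() to accept (an assumption, check it against your httpd source). The point it shows is the one in the report: a verify callback that returns 1 lets the handshake continue, but SSL_get_verify_result() still carries the stored error, so the server must apply the optionalNoCA policy itself instead of treating any non-X509_V_OK result as fatal.

```c
#include <stdbool.h>
#include <stdio.h>

#ifdef HAVE_OPENSSL
#include <openssl/x509_vfy.h>
#else
/* Values as defined by OpenSSL, copied here so the example compiles without
 * the OpenSSL headers. In real code include <openssl/x509_vfy.h>. */
#define X509_V_OK                                     0
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT          2
#define X509_V_ERR_CERT_SIGNATURE_FAILURE             7
#define X509_V_ERR_CERT_HAS_EXPIRED                  10
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       18
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN         19
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE   21
#define X509_V_ERR_CERT_REVOKED                      23
#define X509_V_ERR_CERT_UNTRUSTED                    27
#endif

/* Client-auth modes, named after the connector's SSLVerifyClient values
 * (hypothetical enum for this example). */
typedef enum {
    VERIFY_NONE,           /* "none": no certificate requested */
    VERIFY_OPTIONAL,       /* "optional": cert may be absent, but if present must chain to a trusted CA */
    VERIFY_REQUIRE,        /* "require": cert must be present and chain to a trusted CA */
    VERIFY_OPTIONAL_NO_CA  /* "optionalNoCA": cert may be absent, self-signed or from an unknown CA */
} verify_mode_t;

/* Errors that only say "the issuer is not trusted" and are tolerated under
 * optionalNoCA. Assumed to match mod_ssl's ssl_verify_error_is_optional().
 * Expiry, revocation and a bad signature are NOT in this list: a certificate
 * that is broken, not merely untrusted, is still rejected. */
bool verify_error_is_optional(long err)
{
    return err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
        || err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
        || err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        || err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
        || err == X509_V_ERR_CERT_UNTRUSTED
        || err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
}

/* Decide whether to keep the connection once the handshake has completed.
 * have_cert:     whether the peer presented a certificate (SSL_get_peer_certificate != NULL)
 * verify_result: what SSL_get_verify_result() returned; OpenSSL reports X509_V_OK
 *                when no certificate was presented at all, so have_cert must be
 *                checked separately for "require".
 * reason:        optional out-parameter with a short explanation. */
bool accept_client_auth(verify_mode_t mode, bool have_cert, long verify_result,
                        const char **reason)
{
    const char *why;
    bool ok;

    if (mode == VERIFY_NONE) {
        why = "client authentication not requested"; ok = true;
    } else if (!have_cert) {
        ok = (mode != VERIFY_REQUIRE);
        why = ok ? "no client certificate, continuing unauthenticated"
                 : "certificate required but none presented";
    } else if (verify_result == X509_V_OK) {
        why = "certificate chains to a trusted CA"; ok = true;
    } else if (mode == VERIFY_OPTIONAL_NO_CA && verify_error_is_optional(verify_result)) {
        why = "untrusted issuer tolerated by optionalNoCA"; ok = true;
    } else {
        why = "certificate verification failed"; ok = false;
    }

    if (reason)
        *reason = why;
    return ok;
}

int main(void)
{
    /* Constructed scenarios, not captured from a real server. */
    struct { const char *label; verify_mode_t mode; bool have_cert; long vr; } cases[] = {
        { "optionalNoCA, self-signed cert (reported case)", VERIFY_OPTIONAL_NO_CA, true,  X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT },
        { "optional, self-signed cert",                     VERIFY_OPTIONAL,       true,  X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT },
        { "optionalNoCA, expired cert",                     VERIFY_OPTIONAL_NO_CA, true,  X509_V_ERR_CERT_HAS_EXPIRED },
        { "require, no cert",                               VERIFY_REQUIRE,        false, X509_V_OK },
        { "optional, no cert",                              VERIFY_OPTIONAL,       false, X509_V_OK },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *why;
        bool ok = accept_client_auth(cases[i].mode, cases[i].have_cert, cases[i].vr, &why);
        printf("%-48s -> %s (%s)\n", cases[i].label, ok ? "accept" : "shut down", why);
    }
    return 0;
}
```

In a real connector the verify callback would record the error for logging (as mod_ssl does in sslconn->verify_error) and return 1, and this decision would run right after SSL_accept() succeeds; the handshake itself must not be torn down by the callback, or optionalNoCA can never accept anything.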
This actually belongs to Connectors, not JK
Should be fixed now. Can you verify by using the SVN trunk?
Yes, it seems to work. Thanks!
What version of Tomcat will incorporate this patch, do you know? Thanks.