Connector attribute "certificateVerification" in the new SSLHostConfig section is not requiring a client certificate in Tomcat 8.5.4. In Tomcat 8.0.33 I was using the clientAuth="true" connector attribute. I moved it over to the new certificateVerification="required" in the SSLHostConfig section. I have removed all client certificates and I am not getting rejected. I connect to a Tomcat 8.0.33 with no certificate and get rejected. If I add the client certificate back and connect to the 8.0.33 I am good. I have set Tomcat logs to debug and have not found any error messages, issues starting the connector or issues with bad attributes. I have used both IE and Chrome browsers. It seems as if the certificateVerification isn't being set. I searched for any issues for the certificateVerification attribute and could not find anything. I apologize up front if I missed the fix when searching for one.

Here is my server.xml portion for SSL:

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation with the JSSE engine. When
     using the JSSE engine, the JSSE configuration attributes must be used. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           maxKeepAliveRequests="15" connectionTimeout="60000" acceptCount="100"
           connectionUploadTimeout="300000" compression="force" enableLookups="true"
           disableUploadTimeout="false" >
  <SSLHostConfig>
    truststoreFile="?:\?\?.jks"
    truststorePass="*********"
    certificateVerification="required"
    protocols="TLSv1,TLSv1.1,TLSv1.2" >
    <Certificate certificateKeystoreFile="?:\?\?.jks"
                 certificateKeystorePassword="***********"
                 certificateKeyAlias="1"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
I would expect to see this error message in the tomcat8-stdout.????-??-??.log when SSL debug is enabled and the client does not present a certificate. I see nothing in the log when running 8.5.4:

%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
http-nio-8443-exec-2, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
http-nio-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-nio-8443-exec-2, called closeSocket()
http-nio-8443-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8443-exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8443-exec-2, called close()
http-nio-8443-exec-2, called closeInternal(true)

and what Chrome would present:

This site can’t provide a secure connection
servername didn’t accept your login certificate, or your login certificate may have expired. Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
I was able to resolve the problem. I needed to use the attribute "truststorePassword" instead of the attribute "truststorePass" listed on the following help page: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig

Working server.xml file:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           maxKeepAliveRequests="15" connectionTimeout="60000" acceptCount="100"
           connectionUploadTimeout="300000" compression="force" enableLookups="true"
           disableUploadTimeout="false" >
  <SSLHostConfig truststoreFile="?:\?\?.jks"
                 truststorePassword="*******"
                 certificateVerification="required"
                 protocols="+TLSv1,+TLSv1.1,+TLSv1.2" >
    <Certificate certificateKeystoreFile="?:\?\?.jks"
                 certificateKeystorePassword="*******"
                 certificateKeyAlias="1"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
Thanks for the update. I've fixed the docs for 9.0.x and 8.5.x for the next release of each (9.0.0.M10 and 8.5.5).
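An added example, not code from this thread or from the Tomcat project: a small lint for the SSL part of server.xml that catches the two mistakes visible above before Tomcat is restarted. It flags attribute names Tomcat does not document (here truststorePass instead of truststorePassword, which Tomcat will not apply) and attributes typed after the closing '>' of the <SSLHostConfig> start tag, where the XML parser turns them into ignored text content, and it reports when certificateVerification is left at its default of "none", which is exactly the symptom in the question. The attribute-name sets are transcribed by hand from the 8.5 doc page linked in the answer and are partial; the paths and passwords in the constructed samples are placeholders; the weak-protocol warning is a general check, not something drawn from the thread.

```python
"""Lint the TLS section of a Tomcat 8.5 server.xml (added example, not Tomcat code)."""
import xml.etree.ElementTree as ET

# Partial, hand-transcribed from the SSLHostConfig / Certificate tables on
# https://tomcat.apache.org/tomcat-8.5-doc/config/http.html - extend as needed.
SSLHOSTCONFIG_ATTRS = {
    "caCertificateFile", "caCertificatePath", "certificateRevocationListFile",
    "certificateRevocationListPath", "certificateVerification",
    "certificateVerificationDepth", "ciphers", "disableCompression",
    "disableSessionTickets", "honorCipherOrder", "hostName", "insecureRenegotiation",
    "keyManagerAlgorithm", "protocols", "revocationEnabled", "sessionCacheSize",
    "sessionTimeout", "sslProtocol", "trustManagerClassName", "truststoreAlgorithm",
    "truststoreFile", "truststorePassword", "truststoreProvider", "truststoreType",
}
CERTIFICATE_ATTRS = {
    "certificateChainFile", "certificateFile", "certificateKeyAlias",
    "certificateKeyFile", "certificateKeyPassword", "certificateKeystoreFile",
    "certificateKeystorePassword", "certificateKeystoreProvider",
    "certificateKeystoreType", "type",
}
VERIFICATION_VALUES = {"none", "optional", "optionalNoCA", "required"}
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}   # general check, not from the thread


def lint_server_xml(xml_text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        where = "Connector port=%s" % conn.get("port", "?")
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            findings.append("%s: SSLEnabled but no <SSLHostConfig> element" % where)
        if "clientAuth" in conn.attrib and hosts:
            findings.append("%s: legacy clientAuth mixed with SSLHostConfig; "
                            "use certificateVerification instead" % where)
        for host in hosts:
            tag = "%s SSLHostConfig hostName=%s" % (where, host.get("hostName", "_default_"))
            # Attributes written after the '>' of the start tag (the shape in the
            # question) are parsed as text content, so Tomcat never sees them.
            stray = (host.text or "").strip()
            if "=" in stray:
                findings.append("%s: text inside element looks like attributes: %r"
                                % (tag, stray[:60]))
            for attr in host.attrib:
                if attr not in SSLHOSTCONFIG_ATTRS:
                    findings.append("%s: unknown attribute '%s' is not applied" % (tag, attr))
            verification = host.get("certificateVerification", "none")   # Tomcat default
            if verification not in VERIFICATION_VALUES:
                findings.append("%s: certificateVerification=%r is not a valid value"
                                % (tag, verification))
            elif verification == "none":
                findings.append("%s: client certificates are not requested "
                                "(certificateVerification=none)" % tag)
            if verification != "none" and "truststoreFile" not in host.attrib:
                findings.append("%s: certificateVerification=%s without truststoreFile; "
                                "the JVM default trust store would be used" % (tag, verification))
            if "truststoreFile" in host.attrib and "truststorePassword" not in host.attrib:
                findings.append("%s: truststoreFile set but truststorePassword missing" % tag)
            for proto in host.get("protocols", "").split(","):
                if proto.strip().lstrip("+") in WEAK_PROTOCOLS:
                    findings.append("%s: weak protocol %s enabled" % (tag, proto.strip()))
            certs = host.findall("Certificate")
            if not certs:
                findings.append("%s: no <Certificate> element" % tag)
            for cert in certs:
                for attr in cert.attrib:
                    if attr not in CERTIFICATE_ATTRS:
                        findings.append("%s Certificate: unknown attribute '%s'" % (tag, attr))
    return findings


def sample_server_xml(hostconfig_start):
    """Constructed server.xml skeleton; only the <SSLHostConfig ...> start tag varies."""
    return """<Server><Service>
      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                 SSLEnabled="true" scheme="https" secure="true">
        %s
          <Certificate certificateKeystoreFile="conf/keystore.jks"
                       certificateKeystorePassword="changeit"
                       certificateKeyAlias="1" type="RSA" />
        </SSLHostConfig>
      </Connector></Service></Server>""" % hostconfig_start


# The three shapes seen in this thread (constructed; paths and passwords are placeholders).
FIXED = sample_server_xml('<SSLHostConfig truststoreFile="conf/truststore.jks" '
                          'truststorePassword="changeit" certificateVerification="required" '
                          'protocols="+TLSv1.2">')
MISNAMED = FIXED.replace('truststorePassword=', 'truststorePass=')
STRAY_TEXT = sample_server_xml('<SSLHostConfig> truststoreFile="conf/truststore.jks" '
                               'truststorePassword="changeit" certificateVerification="required" >')

if __name__ == "__main__":
    for label, xml_text in (("fixed", FIXED), ("misnamed", MISNAMED), ("stray", STRAY_TEXT)):
        print(label, lint_server_xml(xml_text) or "OK")
```

Run it against the real server.xml (`lint_server_xml(open("conf/server.xml").read())`) before restarting Tomcat, then confirm the behaviour at runtime: `openssl s_client -connect host:8443` without a client certificate prints "Acceptable client certificate CA names" only when the server actually sent a CertificateRequest, and with certificateVerification="required" the connection should be rejected, as the 8.0.33 log excerpt above shows.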