I want to use a self-signed client certificate. Thus, to avoid the checks along the certificate chain, I have set certificateVerification="optionalNoCA". For some reason, I only manage to establish a connection without SSL handshake problems if I provide my (self-created) CA certificate used to sign said client certificate using caCertificateFile=..., as in the following server.xml excerpt:

<SSLHostConfig certificateVerification="optionalNoCA" caCertificateFile="myRootCA.crt.pem" >

I have tested the following versions (from dockerhub):

tomcat 8.5.0, tc-native 1.2.5
tomcat 9.0.0-M4, tc-native 1.2.5
tomcat 9.0.0-M27, tc-native 1.2.14
tomcat 9.0.79, tc-native 1.2.38
tomcat 10.0.27, tc-native 1.2.35

I have read https://bz.apache.org/bugzilla/show_bug.cgi?id=59616 and https://bz.apache.org/bugzilla/show_bug.cgi?id=63894, so I was hoping all problems around optionalNoCA are fixed.
On top, the problem also exists in my local installation (Ubuntu 20.04, Java 17): tomcat 9.0.55, tc-native 1.2.31, openssl 1.1.1f

Here is the relevant longer excerpt from server.xml (the rest is unchanged from the default):

<Connector SSLEnabled="true" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol">
    <SSLHostConfig certificateVerification="optionalNoCA" caCertificateFile="myRootCA.crt.pem" >
        <Certificate certificateFile="localhost.crt" certificateKeyFile="localhost.key" type="RSA"/>
    </SSLHostConfig>
</Connector>

If I remove the caCertificateFile attribute, I get handshake problems with my self-signed certificate.
You need to disable OCSP, else optionalNoCA will always fail. Nest the following in your SSLHostConfig element in server.xml:

<OpenSSLConf>
    <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true"/>
</OpenSSLConf>

Tomcat Native should probably (just confirming that with a discussion on the dev@ list) do this automatically.
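Putting the two pieces together, as an added example that is not from the thread: the question's APR/OpenSSL connector with the answer's OpenSSLConf block nested inside SSLHostConfig, and caCertificateFile left out, which is the configuration the asker is trying to get working. File names are the ones from the question.

```xml
<!-- Added example, not the original poster's server.xml: the connector from the
     question with the OpenSSLConf block from the answer nested in SSLHostConfig.
     caCertificateFile is omitted on purpose; that is the setup the asker wants. -->
<Connector SSLEnabled="true"
           maxThreads="150"
           port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol">
    <SSLHostConfig certificateVerification="optionalNoCA">
        <!-- Server identity, same file names as in the question. -->
        <Certificate certificateFile="localhost.crt"
                     certificateKeyFile="localhost.key"
                     type="RSA"/>
        <!-- The answer's fix: with OCSP checking enabled, optionalNoCA fails the
             handshake, so the OCSP check is turned off for this host config. -->
        <OpenSSLConf>
            <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true"/>
        </OpenSSLConf>
    </SSLHostConfig>
</Connector>
```

With optionalNoCA the presented client certificate is not validated against any CA, so the application behind this connector has to identify and authorize the client from the certificate itself rather than relying on the TLS layer having done so.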
This has been fixed in:
- 1.2.x for 1.2.39 onwards
- 2.0.x for 2.0.6 onwards

The release process for these versions is expected to start this week.