https://bz.apache.org/bugzilla/show_bug.cgi?id=61394

--- Comment #3 from Rainer Jung <rainer.j...@kippdata.de> ---
OK, so the problem is only occurring if JSSE style config is used?

And the attempt would be to read CA certs from the configured truststore, pass
them as raw data to a new method setCACertificateRaw(), whose native impl
converts them to OpenSSL X509 analogous to setCertificateRaw() and passes the
result directly to OpenSSL via SSL_CTX_set_client_CA_list().

Is that what you expect?

I might give it an attempt this evening.

Note that our docs say:

###################
trustManagerClassName   

JSSE only.

The name of a custom trust manager class to use to validate client
certificates. The class must have a zero argument constructor and must also
implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust
store attributes may be ignored.
###################

So retrieving CA certs from a configured trust store might give wrong results,
if e.g. a custom trust manager gets used and a trust store is configured, that
the trust manager would not use but we would still use it to feed OpenSSL. One
could argue that would be a configuration issue, but at least the docs ("may be
ignored") would open to interpretation then.

Regards,

Rainer
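The approach sketched above, as an added example that is neither Tomcat's nor the commenter's code: the CA certificates are collected on the Java side in DER form, the shape a `setCACertificateRaw()`-style method would receive before a native layer converts them to OpenSSL `X509` objects and calls `SSL_CTX_set_client_CA_list()`. The `loadCustomTrustManager()` helper and the command-line layout are assumptions; to sidestep the trust-store mismatch the comment raises, the list is taken from the effective `X509TrustManager.getAcceptedIssuers()` rather than by iterating the configured trust store directly.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Tomcat's own code). Collects the CA certificates that the
 * effective trust manager accepts, DER-encoded, so they can be handed to a
 * native layer that builds the OpenSSL client CA list.
 */
public final class ClientCaList {

    /** Hypothetical stand-in for a configured trustManagerClassName (zero-arg constructor). */
    static X509TrustManager loadCustomTrustManager(String className) throws Exception {
        Class<?> c = Class.forName(className);
        return (X509TrustManager) c.getDeclaredConstructor().newInstance();
    }

    /** Default path: build the X509TrustManager from the configured trust store. */
    static X509TrustManager fromTrustStore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available for " + path);
    }

    /**
     * DER-encode every accepted issuer. Asking the trust manager (not the raw
     * trust store) means a custom manager that ignores the trust store yields
     * exactly the issuers it would actually validate against; a null or empty
     * answer becomes an empty client CA list instead of a silent fallback.
     */
    static List<byte[]> acceptedIssuersDer(X509TrustManager tm) throws CertificateEncodingException {
        List<byte[]> out = new ArrayList<>();
        X509Certificate[] issuers = tm.getAcceptedIssuers();
        if (issuers == null) {
            return out;
        }
        for (X509Certificate c : issuers) {
            out.add(c.getEncoded());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed argument layout: <truststore> <password> [customTrustManagerClass]
        X509TrustManager tm = args.length > 2
                ? loadCustomTrustManager(args[2])
                : fromTrustStore(args[0], args[1].toCharArray(), KeyStore.getDefaultType());
        List<byte[]> ders = acceptedIssuersDer(tm);
        System.out.println("client CA entries: " + ders.size());
        for (X509Certificate c : tm.getAcceptedIssuers()) {
            System.out.println("  " + c.getSubjectX500Principal().getName());
        }
    }
}
```

When a custom trust manager is configured and reports no accepted issuers, the printed count is zero; that is the situation the comment describes, and surfacing it at startup is preferable to feeding OpenSSL names from a trust store the manager never consults.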
