https://bz.apache.org/bugzilla/show_bug.cgi?id=61394
--- Comment #3 from Rainer Jung <rainer.j...@kippdata.de> ---

OK, so the problem is only occurring if JSSE style config is used?

And the attempt would be to read CA certs from the configured truststore, pass them as raw data to a new method setCACertificateRaw(), whose native impl converts them to OpenSSL X509 analogous to setCertificateRaw() and passes the result directly to OpenSSL via SSL_CTX_set_client_CA_list().

Is that what you expect? I might give it an attempt this evening.

Note that our docs say:

###################
trustManagerClassName

JSSE only.

The name of a custom trust manager class to use to validate client certificates. The class must have a zero argument constructor and must also implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust store attributes may be ignored.
###################

So retrieving CA certs from a configured trust store might give wrong results, if e.g. a custom trust manager gets used and a trust store is configured, that the trust manager would not use but we would still use it to feed OpenSSL. One could argue that would be a configuration issue, but at least the docs ("may be ignored") would be open to interpretation then.

Regards,

Rainer
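The mismatch raised at the end of the comment, as an added example (not Tomcat's code and not part of the original comment): the raw DER list collected from a configured trust store is compared with the list taken from the trust manager actually in effect via `X509TrustManager.getAcceptedIssuers()`. The class name `ClientCaSource`, both helper methods and the reject-all trust manager are hypothetical; the proposed `setCACertificateRaw()` is not called, and the sample trust store is constructed in memory from the JDK's default trust anchors.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ClientCaSource {
    // DER encodings of every trusted-certificate entry in the configured trust store.
    static List<byte[]> fromTrustStore(KeyStore ks) throws Exception {
        List<byte[]> der = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) der.add(ks.getCertificate(alias).getEncoded());
        }
        return der;
    }

    // DER encodings of the issuers the trust manager in effect says it accepts.
    static List<byte[]> fromTrustManager(X509TrustManager tm) throws Exception {
        List<byte[]> der = new ArrayList<>();
        for (X509Certificate c : tm.getAcceptedIssuers()) der.add(c.getEncoded());
        return der;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: JDK default trust anchors copied into an in-memory store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager jdkDefault = (X509TrustManager) tmf.getTrustManagers()[0];
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        int n = 0;
        for (X509Certificate c : jdkDefault.getAcceptedIssuers()) trustStore.setCertificateEntry("ca" + n++, c);

        // Hypothetical custom trust manager that ignores the configured trust store entirely.
        X509TrustManager custom = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                throw new CertificateException("no client certificate accepted");
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                throw new CertificateException("not used on the server side");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        // The two sources disagree: the store would advertise CAs the trust manager never accepts.
        System.out.println("CA certs from trust store:   " + fromTrustStore(trustStore).size());
        System.out.println("CA certs from trust manager: " + fromTrustManager(custom).size());
    }
}
```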