-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Racine,

On 6/21/17 12:38 PM, Racine Faye wrote:
> I have noticed that in Tomcat 8.5.15 on the Windows Server 2008 
> Operating System that the way that tomcat presents user
> certificates has changed. I have a trust store that I use on the
> tomcat 8.5.14 version that has only DoD intermediate Email
> certificates which makes it so when users go to the site they are
> prompted for only their email cert.
> 
> When upgrading to 8.5.15 I used the same trust store and it now 
> prompts for all certificates on the computer.

What prompts for all certificates on the computer?

> I am not sure if that is intended behavior or an oversight but it
> is kind of confusing to users to be presented certificates that
> they can't use.
I don't believe Tomcat is presenting any certificates to the user, is
it? It's the browser that is showing the certificate selection to the
user. What browser are you using?

> Another reason for having them only select the email cert is that 
> only the email certificate contains the information that we need
> to get their user ID.
This is informative, but not really relevant. Theoretically, the user
can provide any certificate that has been signed by a certificate in
the trust store. So if the user decides to provide a signed
certificate that does *not* have the email address in it, then your
application needs to be the one signalling an error.

> I want to see if anyone else is having this issue or if anyone has
> noticed that when specifying a trust store in Tomcat 8.5.15 that it
> will present the user with all the certificates they have rather
> than only the ones that the trust store will accept.

> To rule out an issue with my server xml I have installed both
> 8.5.15 and 8.5.14 on the server and used the exact same server.xml
> file and I see that the 8.5.14 version will ask the user for only 1
> cert and that the 8.5.15 version will ask the user for all certs.
> If anyone has a fix for this or might know what is going on or if
> there is an extra configuration needed that would be helpful.

Are you using the same web browser with both Tomcat versions? What
browser(s) are you using? Versions? What OS?

Are you able to run openssl s_client against your Tomcat server? That
can tell you what the server is providing as part of the TLS
handshake... you may be able to tell the difference between what certs
are being sent back with the handshake.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
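The s_client check suggested above, written out as an added example (not code from the thread, from Tomcat or from the poster): it captures the CA names a server advertises in its TLS CertificateRequest, which is the list a browser uses to decide which client certificates to offer, and compares two servers. Host names, ports and the DNs in the embedded sample transcripts are constructed placeholders; the parsing relies only on the fixed "Acceptable client certificate CA names" / "No client certificate CA names sent" headings that openssl s_client prints.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat: inspect the CA
# names a server advertises in its TLS CertificateRequest, which is what a
# browser uses to filter the client certificates it offers.
# Host names, ports and the DNs in the samples are placeholders.

# Capture a handshake with openssl s_client. The CA list comes from the
# server's CertificateRequest, so it is printed even when no client
# certificate is supplied (the handshake may then fail, which is expected).
capture_handshake() {
    # $1 = host, $2 = port, $3 = output file
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null >"$3" 2>&1 || true
}

# Print one DN per line from the "Acceptable client certificate CA names"
# block of a saved s_client transcript; print nothing if the server sent
# no CA names ("No client certificate CA names sent").
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && (/^Client Certificate Types/ || /^Requested Signature/ || /^---/) { inlist = 0 }
        inlist { print }
    ' "$1"
}

# Succeed only if two transcripts advertise the same set of CA names.
compare_cas() {
    [ "$(acceptable_cas "$1" | sort -u)" = "$(acceptable_cas "$2" | sort -u)" ]
}

# Constructed sample transcripts in the shape openssl s_client prints them.
SAMPLE_OLD=$(mktemp)
cat >"$SAMPLE_OLD" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = tomcat.example.test
   i:CN = Example Server CA (placeholder)
---
Acceptable client certificate CA names
C = US, O = Example Org, OU = PKI, CN = Example EMAIL CA (placeholder)
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 2102 bytes and written 433 bytes
EOF

SAMPLE_NEW=$(mktemp)
cat >"$SAMPLE_NEW" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = tomcat.example.test
   i:CN = Example Server CA (placeholder)
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 2047 bytes and written 433 bytes
EOF

# Live use: set TOMCAT_OLD and TOMCAT_NEW (host:port) to capture two real
# servers instead of using the constructed samples.
if [ -n "${TOMCAT_OLD:-}" ] && [ -n "${TOMCAT_NEW:-}" ]; then
    capture_handshake "${TOMCAT_OLD%:*}" "${TOMCAT_OLD#*:}" "$SAMPLE_OLD"
    capture_handshake "${TOMCAT_NEW%:*}" "${TOMCAT_NEW#*:}" "$SAMPLE_NEW"
fi

echo "CA names advertised by the first server:";  acceptable_cas "$SAMPLE_OLD"
echo "CA names advertised by the second server:"; acceptable_cas "$SAMPLE_NEW"
if compare_cas "$SAMPLE_OLD" "$SAMPLE_NEW"; then
    echo "Both servers advertise the same CA names."
else
    echo "The advertised CA names differ; a server that sends none leaves the browser free to offer every certificate it has."
fi
```

Run it as-is to see the two constructed transcripts compared, or with `TOMCAT_OLD=host:8443 TOMCAT_NEW=host:8444` to capture two live instances. An empty CA list on one side is the thing to look for: the browser filters its prompt by the issuers named in the CertificateRequest, so a server that advertises none gets the "every certificate on the computer" prompt described in the thread. As noted above, the server-side list only narrows the browser prompt; the application still has to reject a certificate that lacks the e-mail address it needs.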
