-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Vinoth,
On 8/15/17 11:42 AM, Vinoth Raja wrote:
> clientAuth="true" Is not valid attribute for connector in tomcat
> 8.5.15. I have tried setting certificateVerifucation as required
> but application URL is not reachable and it was complaining about
> certificate.
Does the browser prompt for a certificate?
If you use "openssl s_client -connect [hostname]:[port]" does the
connection show that trusted certificates are presented?
For example:
$ openssl s_client -connect host:port
CONNECTED(00000003)
[server certificate]
Acceptable client certificate CA names
/CN=client-certificate1
/CN=client-certificate2
...
Requested Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RS
A+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+
SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RS
A+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+
SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
- ---
SSL handshake has read 2582 bytes and written 138 bytes
- ---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: [session key]
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1502814654
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
- ---
[DISCONNECT]
In the above conversation, the server presents the list of acceptable
client certificates to the client. Does that happen for you?
> Can I set the truststore in SSLContext before making outbound call?
> will it trust the client request.
What outbound call? Tomcat only handles incoming HTTP/TLS connections.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlmTIpIACgkQHPApP6U8
pFga/g/8DIfIj6QoCQeMaMu3EoPJO2VjCHfCj11OoxXMkWr3NRlbXPkmtEYo6lQ6
qBeokSYok+OrLXlY6EM40ofq5rU/5kTzNf4kb116d5na8gz+9DoaVaDC5S+LNzjH
dKSu2eQXSZA+6OHSo55mH0AGQ1dyY9sZlySCqEJpOSYZMx61lZLz3NjUZqZEZ1wH
BYeLv1VXHhnB59oyEJNuSaUBlST7iinjfGya/T16/H61gQCV3Sz+aIkmv1IWT82A
kVYK7UasYg119wKk/2lJskYqloULngGWIbdZo+BrGoSyvBs0BKipErgSBIKwVFVD
KmTsXPzrftnSmvKuTJgI45QiEYLtWqzVsJof8q2oaGId+KnPJl+HiOAhvIXFaYg5
3zsZfi9JRZwJu59CYwew+UVX/+ogwMhjDMgCMsceaGaXqiTwni0T95s2GqSbbUwr
HSwzXiyCHs7Kh8foWSmrDbrS0OZ1Rs3BvR2vhHMpmvjLxSMbtY0QwUK9arzmcRxJ
+PWlUlAkZaILcwLo5GR1LVNZzx71l5gYcC8FHQZkeBTmH8Rzedvi5riu2g6suRC2
T37R0u1iZ7iQTWNH0jLCHZyOWwy1La0fD7t6er7oB3Rq1F+2njNw/gIkLwRWni3V
YQo+KjoHP5v9ao7tA6Qjs76vqfnj9r1C7IplYeCEbecTnLNTF/w=
=0zTG
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
