Hi Chris,

In the above conversation, the server presents the list of acceptable
client certificates to the client. Does that happen for you?

[Yes. It prints the list of acceptable certificates when
certificateVerification is set to required. It prints the acceptable
certificates from cacerts.
The application is not reachable from the browser once certificateVerification is
set to required. It shows "ERR_BAD_SSL_CLIENT_AUTH_CERT".
I have tried setting a different trustStore from setenv.bat, but it doesn't seem
to take effect.]


> Can I set the truststore in SSLContext before making outbound call?
> will it trust the client request.

What outbound call? Tomcat only handles incoming HTTP/TLS connections.
[I meant the web service call. Yes, I am talking about trusting the incoming
TLS connection.]

On Wed, Aug 16, 2017 at 12:34 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Vinoth,
>
> On 8/15/17 11:42 AM, Vinoth Raja wrote:
> > clientAuth="true" is not a valid attribute for the Connector in Tomcat
> > 8.5.15. I have tried setting certificateVerification to required,
> > but the application URL is not reachable and it was complaining about
> > the certificate.
>
> Does the browser prompt for a certificate?
>
> If you use "openssl s_client -connect [hostname]:[port]" does the
> connection show that trusted certificates are presented?
>
> For example:
>
> $ openssl s_client -connect host:port
>
> CONNECTED(00000003)
> [server certificate]
>
> Acceptable client certificate CA names
> /CN=client-certificate1
> /CN=client-certificate2
> ...
> Requested Signature Algorithms:
> RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms:
> RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2582 bytes and written 138 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key: [session key]
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1502814654
>     Timeout   : 300 (sec)
>     Verify return code: 10 (certificate has expired)
> ---
> [DISCONNECT]
>
> In the above conversation, the server presents the list of acceptable
> client certificates to the client. Does that happen for you?
>
> > Can I set the truststore in SSLContext before making outbound call?
> > will it trust the client request.
>
> What outbound call? Tomcat only handles incoming HTTP/TLS connections.
>
> -chris

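The configuration this thread is circling around, written out as an added example (it is not from the thread, and not Tomcat's own documentation): a Tomcat 8.5 HTTPS Connector that requires a client certificate and validates it against an explicit truststore set on the SSLHostConfig, instead of relying on the JVM's javax.net.ssl.trustStore property or the default cacerts. The attribute names (certificateVerification, truststoreFile, truststorePassword, truststoreType, certificateKeystoreFile) are real Tomcat 8.5 SSLHostConfig/Certificate attributes; the port, file paths, passwords and the contents of the two PKCS12 files are assumed placeholders.

```xml
<!-- server.xml fragment. Added example, not from the thread.
     Paths, passwords and keystore contents are assumed placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https" secure="true">
    <!-- certificateVerification="required" makes Tomcat demand a client
         certificate; the DNs of every CA in truststoreFile are what
         "openssl s_client" prints under "Acceptable client certificate CA
         names". An explicit truststoreFile overrides the JVM default
         (javax.net.ssl.trustStore, else jssecacerts/cacerts), so a
         setenv.bat setting is no longer needed for this to take effect. -->
    <SSLHostConfig hostName="_default_"
                   protocols="TLSv1.2"
                   certificateVerification="required"
                   truststoreFile="${catalina.base}/conf/client-ca.p12"
                   truststorePassword="changeit"
                   truststoreType="PKCS12">
        <!-- The server's own identity, validated by the browser. -->
        <Certificate certificateKeystoreFile="${catalina.base}/conf/server.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Two checks worth doing after a restart. First, the "openssl s_client -connect host:8443" command from Chris's message should now list only the DN of the CA in client-ca.p12 under "Acceptable client certificate CA names"; if it still lists the public CAs from cacerts, the truststoreFile attribute is not being read. Second, run the same command with "-cert client.pem -key client.key" for a certificate issued by that CA and confirm the handshake completes. Keeping the truststore limited to the CA that actually issues client certificates matters: with the full cacerts bundle as the truststore, Tomcat would accept a certificate chaining to any public CA as a valid client, which is rarely what "client auth" is meant to enforce.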