All, Just a heads up.
A few days ago I started to look at bug 59423. I saw all sorts of errors when I tried to configure a clean Tomcat build for CLIENT-CERT. As I dug into the errors it appeared that Tomcat wasn't handling an unexpected connection close during the renegotiation. I have a patch for this that I'll commit once I have completed some more testing. I also spent a long time trying to figure out why CLIENT-CERT was failing unexpectedly in some cases. The short answer is that it fails in Chrome but not with FireFox nor with openssl s_client. The failure in Chrome occurs when it tries to find a matching user cert for the provided trusted certs. For some reason Chrome can't match our current user test cert with the CA. My guess is that expects/requires more fields to be populated than just C and CN. I've been experimenting with a new CA created from scratch that populates more of the fields and this does work with Chrome. Therefore, I plan to replace our current test CA with the new one I have created and, therefore, also replace all the test keys and certs used in the unit tests. I'll also update the notes for creating these files and the openssl.cnf with a few more defaults. I might even get around to looking at 59423 ;) Mark [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=59423 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
