-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Tuesday, August 08, 2017 5:23 AM
To: Tomcat Developers List <dev@tomcat.apache.org>
Subject: Test keys and certs


Just a heads up.

A few days ago I started to look at bug 59423. I saw all sorts of errors when I 
tried to configure a clean Tomcat build for CLIENT-CERT.

As I dug into the errors it appeared that Tomcat wasn't handling an unexpected 
connection close during the renegotiation. I have a patch for this that I'll 
commit once I have completed some more testing.

I also spent a long time trying to figure out why CLIENT-CERT was failing 
unexpectedly in some cases. The short answer is that it fails in Chrome but not 
with FireFox nor with openssl s_client.

The failure in Chrome occurs when it tries to find a matching user cert for the 
provided trusted certs. For some reason Chrome can't match our current user 
test cert with the CA. My guess is that expects/requires more fields to be 
populated than just C and CN.

I've been experimenting with a new CA created from scratch that populates more 
of the fields and this does work with Chrome.

Therefore, I plan to replace our current test CA with the new one I have 
created and, therefore, also replace all the test keys and certs used in the 
unit tests. I'll also update the notes for creating these files and the 
openssl.cnf with a few more defaults.

I might even get around to looking at 59423 ;)


[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=59423



Is it possible the recent changes [1] has affected it? Chrome no longer looks 
in CN, which is ignored but rather expects SAN to be filled up. Perhaps 
Tomcat's test certs lack SAN?

[1] https://www.thesslstore.com/blog/security-changes-in-chrome-58/

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to