Re: Prevent Sending of SSL Root Certificate

2016-03-10 Thread Tad Marko
On Thu, Mar 10, 2016 at 4:22 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
>
> Tad,
...

>
> And what tool is telling you that the root cert is being served along
> with the server and intermediate certs?
>
> So the cert chain goes like this?
>
> server <- intermediate <- cross <- CA (not present in keystore)
>
> ?
>

Exactly. The tool is openssl s_client -showcerts -connect pointed towards
my server.
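
The check described above, carried one step further as an added example (this is not code from the thread, from Tomcat or from OpenSSL's documentation): a POSIX shell script that dumps the chain a server actually sends with `openssl s_client -showcerts`, prints the subject and issuer of each certificate in wire order, and reports whether the last certificate is self-issued, which is how a client such as the VeriFone terminals would notice the root on the wire. The host name, port and the CA names are made up; `make_test_chain` builds a throwaway self-signed root and a leaf with openssl so the script can be exercised offline without a Tomcat instance.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the certificate chain a TLS
# server actually sends and tell whether the last certificate is the
# self-issued root. Needs only openssl, sed, awk and grep.

# fetch_chain <host> <port> <outfile>
# Dumps the certificates the server sends, in the order it sends them, into
# <outfile>. stdin is /dev/null so s_client exits right after the handshake.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# chain_count <pem-file>: number of certificates in the bundle.
chain_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# nth_cert <pem-file> <n>: print the n-th certificate (1-based) of the bundle.
nth_cert() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /-----END CERTIFICATE-----/ && i == n { exit }
  ' "$1"
}

# cert_dn <subject|issuer>: read one PEM certificate on stdin and print the
# requested name in RFC 2253 form without the "subject=" / "issuer=" prefix.
cert_dn() {
  openssl x509 -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# chain_report <pem-file>: one line per certificate: index, subject, issuer.
chain_report() {
  n=$(chain_count "$1")
  i=1
  while [ "$i" -le "$n" ]; do
    c=$(nth_cert "$1" "$i")
    printf '%s\t%s\t%s\n' "$i" \
      "$(printf '%s\n' "$c" | cert_dn subject)" \
      "$(printf '%s\n' "$c" | cert_dn issuer)"
    i=$((i + 1))
  done
}

# chain_sends_root <pem-file>: succeed (exit 0) when the last certificate in
# the bundle is self-issued (subject equals issuer), which is what a root
# looks like on the wire. A self-issued certificate that is not self-signed
# is rare outside key roll-over, so subject == issuer is the practical test.
chain_sends_root() {
  n=$(chain_count "$1")
  [ "$n" -gt 0 ] || return 1
  last=$(nth_cert "$1" "$n")
  subj=$(printf '%s\n' "$last" | cert_dn subject)
  iss=$(printf '%s\n' "$last" | cert_dn issuer)
  [ "$subj" = "$iss" ]
}

# make_test_chain <dir>: constructed test data, not a real CA. Creates a
# self-signed root and a leaf it signs, then two bundles: <dir>/with-root.pem
# (leaf + root, the shape the thread complains about) and <dir>/no-root.pem
# (leaf only, the shape the old terminals accept).
make_test_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=leaf.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -set_serial 1 -in "$d/leaf.csr" \
    -CA "$d/root.pem" -CAkey "$d/root.key" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/root.pem" > "$d/with-root.pem"
  cat "$d/leaf.pem" > "$d/no-root.pem"
}

# Usage against a live server (host and port are placeholders):
#   fetch_chain my.domain.tld 8443 /tmp/chain.pem && chain_report /tmp/chain.pem
#   chain_sends_root /tmp/chain.pem && echo "root is on the wire"
```

`chain_report` shows the chain in the order the server sends it, so the output can be compared line by line with the chain Tomcat is expected to present. With the JSSE connector the chain that is sent is the one stored with the PrivateKeyEntry, not the separate trustedCertEntry aliases, and `keytool -list -v -keystore <keystore> -alias <key-alias>` prints that stored chain together with its length, so that listing is the thing to compare against `chain_report` when the served chain is longer than the keystore listing suggests.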


Re: Prevent Sending of SSL Root Certificate

2016-03-10 Thread Christopher Schultz
Tad,

On 3/10/16 5:12 PM, Tad Marko wrote:
> On Thu, Mar 10, 2016 at 3:59 PM, Christopher Schultz 
>  wrote:
>> Tad,
>> 
>> On 3/10/16 4:03 PM, Tad Marko wrote:
>>> Is it possible to tell tomcat to NOT send the root for a 
>>> certificate chain?
>> 
>> Yep.
>> 
>> ...
>> 
>> Just remove the root cert from your keystore, and Tomcat will
>> stop sending it.
>> 
>> If you have further questions, please post the output of the
>> following command in your next post:
>> 
>> $ keytool -keystore  -list
>> 
> 
> The CA is not in my keystore:
> 
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> my.domain.tld, Mar 10, 2016, PrivateKeyEntry,
> Certificate fingerprint (SHA1):
> AE:DB:AF:8D:19:D6:38:D8:EB:5A:C1:5D:E6:D2:C4:8B:5F:58:84:6F
> intermed, Mar 10, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> cross, Mar 10, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64

And what tool is telling you that the root cert is being served along
with the server and intermediate certs?

So the cert chain goes like this?

server <- intermediate <- cross <- CA (not present in keystore)

?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Prevent Sending of SSL Root Certificate

2016-03-10 Thread Tad Marko
On Thu, Mar 10, 2016 at 3:59 PM, Christopher Schultz
 wrote:
> Tad,
>
> On 3/10/16 4:03 PM, Tad Marko wrote:
> > Is it possible to tell tomcat to NOT send the root for a
> > certificate chain?
>
> Yep.
>
> ...
>
> Just remove the root cert from your keystore, and Tomcat will stop
> sending it.
>
> If you have further questions, please post the output of the following
> command in your next post:
>
> $ keytool -keystore  -list
>

The CA is not in my keystore:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

my.domain.tld, Mar 10, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1):
AE:DB:AF:8D:19:D6:38:D8:EB:5A:C1:5D:E6:D2:C4:8B:5F:58:84:6F
intermed, Mar 10, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
cross, Mar 10, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64




Re: Prevent Sending of SSL Root Certificate

2016-03-10 Thread Christopher Schultz
Tad,

On 3/10/16 4:03 PM, Tad Marko wrote:
> Is it possible to tell tomcat to NOT send the root for a
> certificate chain?

Yep.

> I am trying to support some old VeriFone terminals that are pretty
> limited in what they expect when dealing with SSL. I've gotten a new
> domain certificate issued by Go Daddy, and in my keystore I've
> installed this along with the Go Daddy intermediate cert and the
> cross that links it back to the older SHA-1 root that my devices
> understand. When negotiating an SSL connection, tomcat is sending
> the domain, intermediate and cross certs that are in my keystore,
> but it is also finding the root and sending that down. This is
> confusing my devices as they interpret this to mean this is a 
> self-signed key chain and they then refuse to talk to my server.

Just remove the root cert from your keystore, and Tomcat will stop
sending it.

If you have further questions, please post the output of the following
command in your next post:

$ keytool -keystore  -list

-chris




Prevent Sending of SSL Root Certificate

2016-03-10 Thread Tad Marko
Howdy!

Is it possible to tell tomcat to NOT send the root for a certificate chain?
I am trying to support some old VeriFone terminals that are pretty limited
in what they expect when dealing with SSL. I've gotten a new domain
certificate issued by Go Daddy, and in my keystore I've installed this
along with the Go Daddy intermediate cert and the cross that links it back
to the older SHA-1 root that my devices understand. When negotiating an SSL
connection, tomcat is sending the domain, intermediate and cross certs that
are in my keystore, but it is also finding the root and sending that down.
This is confusing my devices as they interpret this to mean this is a
self-signed key chain and they then refuse to talk to my server.

Thanks,
Tad