Re: Prevent Sending of SSL Root Certificate
On Thu, Mar 10, 2016 at 4:22 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Tad, ... > > And what tool is telling you that the root cert is being served along > with the server and intermediate certs? > > So the cert chain goes like this? > > server <- intermediate <- cross < CA (not present in keystore) > > ? > Exactly. The tool is openssl s_client -showcerts -connect pointed towards my server.
Re: Prevent Sending of SSL Root Certificate
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Tad, On 3/10/16 5:12 PM, Tad Marko wrote: > On Thu, Mar 10, 2016 at 3:59 PM, Christopher Schultz >wrote: >> Tad, >> >> On 3/10/16 4:03 PM, Tad Marko wrote: >>> Is it possible to tell tomcat to NOT send the root for a >>> certificate chain? >> >> Yep. >> >> ... >> >> Just remove the root cert from your keystore, and Tomcat will >> stop sending it. >> >> If you have further questions, please post the output of the >> following command in your next post: >> >> $ keytool -keystore -list >> > > The CA is not in my keystore: > > Keystore type: JKS Keystore provider: SUN > > Your keystore contains 3 entries > > my.domain.tld, Mar 10, 2016, PrivateKeyEntry, Certificate > fingerprint (SHA1): > AE:DB:AF:8D:19:D6:38:D8:EB:5A:C1:5D:E6:D2:C4:8B:5F:58:84:6F > intermed, Mar 10, 2016, trustedCertEntry, Certificate fingerprint > (SHA1): > 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8 cross, > Mar 10, 2016, trustedCertEntry, Certificate fingerprint (SHA1): > 34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64 And what tool is telling you that the root cert is being served along with the server and intermediate certs? So the cert chain goes like this? server <- intermediate <- cross < CA (not present in keystore) ? - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlbh86MACgkQ9CaO5/Lv0PBH1QCfWroMlqsA1UEZmhW8R9/RGn/P uJEAn0OpPeDIqaJ2qXPez8w9fdoIs4qB =3MRE -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Prevent Sending of SSL Root Certificate
On Thu, Mar 10, 2016 at 3:59 PM, Christopher Schultzwrote: > Tad, > > On 3/10/16 4:03 PM, Tad Marko wrote: > > Is it possible to tell tomcat to NOT send the root for a > > certificate chain? > > Yep. > > ... > > Just remove the root cert from your keystore, and Tomcat will stop > sending it. > > If you have further questions, please post the output of the following > command in your next post: > > $ keytool -keystore -list > The CA is not in my keystore: Keystore type: JKS Keystore provider: SUN Your keystore contains 3 entries my.domain.tld, Mar 10, 2016, PrivateKeyEntry, Certificate fingerprint (SHA1): AE:DB:AF:8D:19:D6:38:D8:EB:5A:C1:5D:E6:D2:C4:8B:5F:58:84:6F intermed, Mar 10, 2016, trustedCertEntry, Certificate fingerprint (SHA1): 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8 cross, Mar 10, 2016, trustedCertEntry, Certificate fingerprint (SHA1): 34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Prevent Sending of SSL Root Certificate
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Tad, On 3/10/16 4:03 PM, Tad Marko wrote: > Is it possible to tell tomcat to NOT send the root for a > certificate chain? Yep. > I am trying to support some old VeriFone terminals that are pretty > limited what they expect when dealing with SSL. I've gotten a new > domain certificate issued by Go Daddy, and in my keystore I've > installed this along with the Go Daddy intermediate cert and the > cross that links it back to the older SHA-1 root that my devices > understand. When negotiating an SSL connection, tomcat is sending > the domain, intermediate and cross certs that are in my keystore, > but it is also finding the root and sending that down. This is > confusing my devices as they interpret this to mean this is a > self-signed key chain and they then refuse to talk to my server. Just remove the root cert from your keystore, and Tomcat will stop sending it. If you have further questions, please post the output of the following command in your next post: $ keytool -keystore -list - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlbh7jYACgkQ9CaO5/Lv0PCSdACfbKVVaStFZ+hkmftdHnHhvZrp UYwAoKSoHTTHZW/FeVlJVW7ysp7tpVGu =qllo -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Prevent Sending of SSL Root Certificate
Howdy! Is it possible to tell tomcat to NOT send the root for a certificate chain? I am trying to support some old VeriFone terminals that are pretty limited what they expect when dealing with SSL. I've gotten a new domain certificate issued by Go Daddy, and in my keystore I've installed this along with the Go Daddy intermediate cert and the cross that links it back to the older SHA-1 root that my devices understand. When negotiating an SSL connection, tomcat is sending the domain, intermediate and cross certs that are in my keystore, but it is also finding the root and sending that down. This is confusing my devices as they interpret this to mean this is a self-signed key chain and they then refuse to talk to my server. Thanks, Tad