Re: SSLHostConfig configuration

2019-09-10 Thread Herb Burnswell
On Tue, Sep 10, 2019 at 5:38 AM Mark Thomas  wrote:

> On 10/09/2019 13:14, Herb Burnswell wrote:
>
> 
>
> > My apologies for my ignorance here, when you say 'configured on the
> > SSLHostConfig' are you saying it should NOT be in this block:
> >
> >
> > <Certificate certificateKeystoreFile="/app/config/keystore.p12"
> >              certificateKeyAlias="example_wildcard"
> >              certificateKeystorePassword="maskedpasswd"
> >              truststoreFile="/app/config/truststore.p12"
> >              truststorePassword="maskedpasswd"
> >              type="RSA"/>
> >
> >
> > This is how I tried to configure it and we still receive the
> > "trustAnchors parameter must be non-empty" error.  Can you clarify where
> > you mean the truststore directives should be defined?
>
> You need to move the trust store config from the Certificate to the
> SSLHostConfig like this:
>
> <SSLHostConfig hostName="*.example1.com"
>                truststoreFile="/app/config/truststore.p12"
>                truststorePassword="maskedpasswd"
>                >
>
>     <Certificate certificateKeystoreType="PKCS12"
>                  certificateKeystoreFile="/app/config/keystore.p12"
>                  certificateKeyAlias="example_wildcard"
>                  certificateKeystorePassword="maskedpasswd"
>                  type="RSA"
>                  />
>
> </SSLHostConfig>
>
> Mark
>

Thank you Mark, that appears to have done the trick.  Greatly appreciated.

HB

>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: SSLHostConfig configuration

2019-09-10 Thread Mark Thomas
On 10/09/2019 13:14, Herb Burnswell wrote:



> My apologies for my ignorance here, when you say 'configured on the
> SSLHostConfig' are you saying it should NOT be in this block:
> 
>
> <Certificate certificateKeystoreFile="/app/config/keystore.p12"
>              certificateKeyAlias="example_wildcard"
>              certificateKeystorePassword="maskedpasswd"
>              truststoreFile="/app/config/truststore.p12"
>              truststorePassword="maskedpasswd"
>              type="RSA"/>
>
> This is how I tried to configure it and we still receive the "trustAnchors
> parameter must be non-empty" error.  Can you clarify where you mean the
> truststore directives should be defined?

You need to move the trust store config from the Certificate to the
SSLHostConfig like this:

<SSLHostConfig hostName="*.example1.com"
               truststoreFile="/app/config/truststore.p12"
               truststorePassword="maskedpasswd"
               >

    <Certificate certificateKeystoreType="PKCS12"
                 certificateKeystoreFile="/app/config/keystore.p12"
                 certificateKeyAlias="example_wildcard"
                 certificateKeystorePassword="maskedpasswd"
                 type="RSA"
                 />

</SSLHostConfig>

Mark




Re: SSLHostConfig configuration

2019-09-10 Thread Herb Burnswell
On Tue, Sep 10, 2019 at 3:46 AM Mark Thomas  wrote:

>
> > Questions:
> >
> > 1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly
> > now requires truststore information in this connector configuration?
>
> There have been several changes aimed at making it easier to switch
> between JSSE and OpenSSL based TLS implementations. Tomcat tries to
> store all provided keys and certs in an in-memory Java keystore and then
> provides the connectors with the keys and certs in the format they
> require. With the wide range of keystores and key formats there have
> been a few edge cases where the translation process broke. This looks
> like one of them.
>
> There are additional fixes in later 8.5.x releases so you may wish to
> try one of those.

Thank you for the information.  As far as using a newer version of Tomcat
with fixes, we want to go with the 8.5.40 version that is packaged with the
application for support reasons.

> > 2. What needs to be done to allow this to work in the 8.5.40 Tomcat
> > version?
>
> truststoreFile and truststorePassword should be configured on the
> SSLHostConfig not on the Certificate element.

My apologies for my ignorance here, when you say 'configured on the
SSLHostConfig' are you saying it should NOT be in this block:

<Certificate certificateKeystoreFile="/app/config/keystore.p12"
             certificateKeyAlias="example_wildcard"
             certificateKeystorePassword="maskedpasswd"
             truststoreFile="/app/config/truststore.p12"
             truststorePassword="maskedpasswd"
             type="RSA"/>

This is how I tried to configure it and we still receive the "trustAnchors
parameter must be non-empty" error.  Can you clarify where you mean the
truststore directives should be defined?

Thanks again,

HB


> Mark
>


Re: SSLHostConfig configuration

2019-09-10 Thread Mark Thomas
On 09/09/2019 23:28, Herb Burnswell wrote:



> Questions:
> 
> 1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly now
> requires truststore information in this connector configuration?

There have been several changes aimed at making it easier to switch
between JSSE and OpenSSL based TLS implementations. Tomcat tries to
store all provided keys and certs in an in-memory Java keystore and then
provides the connectors with the keys and certs in the format they
require. With the wide range of keystores and key formats there have
been a few edge cases where the translation process broke. This looks
like one of them.

There are additional fixes in later 8.5.x releases so you may wish to
try one of those.

> 2. What needs to be done to allow this to work in the 8.5.40 Tomcat version?

truststoreFile and truststorePassword should be configured on the
SSLHostConfig not on the Certificate element.

Mark
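As an added example (not code from the thread or from Tomcat itself), a small Python lint for server.xml that finds truststore* attributes placed on Certificate instead of SSLHostConfig, the misplacement discussed above, and applies the move Mark describes. The sample server.xml is constructed from the attributes in the thread; its Connector attributes (port, protocol, SSLEnabled) are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the broken layout from the thread; the
# Connector attributes (port, protocol, SSLEnabled) are assumed values.
BROKEN_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig hostName="*.example1.com">
        <Certificate certificateKeystoreFile="/app/config/keystore.p12"
                     certificateKeyAlias="example_wildcard"
                     certificateKeystorePassword="maskedpasswd"
                     truststoreFile="/app/config/truststore.p12"
                     truststorePassword="maskedpasswd"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# Tomcat 8.5 reads every truststore* attribute from SSLHostConfig; a copy on
# Certificate does not configure the trust store for that host.
TRUSTSTORE_PREFIX = "truststore"

def find_misplaced_truststore_attrs(server_xml):
    """Return sorted (hostName, attribute) pairs found on a Certificate."""
    root = ET.fromstring(server_xml)
    found = []
    for host in root.iter("SSLHostConfig"):
        name = host.get("hostName", "_default_")  # Tomcat's default host name
        for cert in host.findall("Certificate"):
            found += [(name, a) for a in cert.attrib if a.startswith(TRUSTSTORE_PREFIX)]
    return sorted(found)

def move_truststore_attrs_to_host(server_xml):
    """Hoist truststore* attributes from each Certificate onto its
    SSLHostConfig (the fix from the thread); last Certificate wins on conflict."""
    root = ET.fromstring(server_xml)
    for host in root.iter("SSLHostConfig"):
        for cert in host.findall("Certificate"):
            for attr in [a for a in cert.attrib if a.startswith(TRUSTSTORE_PREFIX)]:
                host.set(attr, cert.attrib.pop(attr))
    return ET.tostring(root, encoding="unicode")

def truststore_attrs_by_host(server_xml):
    """Map each SSLHostConfig hostName to the truststore* attributes it has."""
    root = ET.fromstring(server_xml)
    return {host.get("hostName", "_default_"):
            {a: v for a, v in host.attrib.items() if a.startswith(TRUSTSTORE_PREFIX)}
            for host in root.iter("SSLHostConfig")}
```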
