On 4.4.2014 0:27, Toby Lazar wrote:
> As others have noted here on other threads, you can use:
> 
> http://portecle.sourceforge.net/
> 
> to see exactly which certificates your server is providing clients (Examine
> SSL/TLS connection).  Viewing server certificates via browsers can be
> misleading since they don't distinguish within the chain between
> certificates provided by the server and those already trusted by the client
> (browser).
> 
> You may also double-check your chain using other online tools like:
> 
>   https://www.ssllabs.com/ssltest/
>   http://www.digicert.com/help/
> 
> I have never used SSLShopper, so I don't know how reliable it is.


Another way to check the certificate chain directly in the server keystore is

  keytool -list -keystore server.jks -v


To check Chris' assumption about a missing ROOT certificate on the client, you may turn on TLS debugging on the client using the JVM option

  -Djavax.net.debug=all

At start it will print all root certificates trusted by the client. It may reveal that your system ROOT CA list on the client is outdated, messed up, or overridden with e.g. the JVM option -Djavax.net.ssl.trustStore. It will also print TLS handshake details.


Jefferey:
> The hostname (www.xxxxxxxxxx.net) is correctly listed in the certificate. Common name: www.xxxxxxxxx.net
>      SANs: www.xxxxxxxxxx.net, xxxxxxxxxx.net

Check if your Java code indeed uses one of those URLs listed in the certificate (www.xxxxxxxxxx.net, xxxxxxxxxx.net), and not some third one not listed in the certificate, or an IP address.

-Ognjen
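The three checks discussed in this thread (what chain the server actually sends versus what the client already trusts, what root CAs the JVM's trust store contains, and whether the name the client connects to matches the certificate's CN/SANs) can be done from a small Java client instead of portecle or -Djavax.net.debug=all. The program below is an added example written for this reply; it is not code from the thread or from Tomcat. It wraps the JVM's default trust manager so the chain presented by the server is recorded before the normal trust decision is made, and the host and port are placeholders passed on the command line.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/** Added example: show the chain a TLS server sends, the CAs this JVM trusts, and the hostname check result. */
public class ServerChainProbe {

    /** Records the chain exactly as the server sent it, then delegates the real trust decision to the JVM default. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented = new X509Certificate[0];

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presented = chain.clone();               // what came over the wire, in the server's order
            delegate.checkServerTrusted(chain, authType);   // may throw: untrusted issuer, expired, etc.
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** The JVM's default trust manager: cacerts, or whatever -Djavax.net.ssl.trustStore points at. */
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                   // null = use the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new NoSuchAlgorithmException("no X509TrustManager available");
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    /** dNSName entries of the SubjectAltName extension (GeneralName type 2). */
    static List<String> dnsNames(X509Certificate c) throws CertificateParsingException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = c.getSubjectAlternativeNames();
        if (sans == null) return out;
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == 2) out.add((String) san.get(1));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "www.example.com";   // placeholder: use the name your code connects to
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        RecordingTrustManager rtm = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{rtm}, null);

        // Same information -Djavax.net.debug=all dumps at startup, as a count; a very low number means a broken trust store
        System.out.println("Client trusts " + rtm.getAcceptedIssuers().length + " CA certificate(s)");

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setServerNames(Collections.singletonList(new SNIHostName(host)));  // SNI, so a virtual host answers with the right cert
            params.setEndpointIdentificationAlgorithm("HTTPS");  // enforce the CN/SAN-vs-hostname check, which plain SSLSocket skips
            sock.setSSLParameters(params);
            sock.startHandshake();
            System.out.println("Handshake OK (" + sock.getSession().getProtocol() + "), hostname matches the certificate");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());  // chain below still shows what the server sent
        }

        X509Certificate[] chain = rtm.presented;
        System.out.println("Server sent " + chain.length + " certificate(s):");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            System.out.println("  [" + i + "] subject: " + c.getSubjectX500Principal());
            System.out.println("      issuer:  " + c.getIssuerX500Principal());
            System.out.println("      expires: " + c.getNotAfter());
            if (i == 0) System.out.println("      SANs:    " + dnsNames(c));
            if (isSelfSigned(c)) System.out.println("      (self-signed root; the client must already trust it)");
        }
        if (chain.length > 0 && !isSelfSigned(chain[chain.length - 1])) {
            System.out.println("Last sent certificate is not a root; the client must trust its issuer: "
                    + chain[chain.length - 1].getIssuerX500Principal());
        }
    }
}
```

Run it as `java ServerChainProbe www.xxxxxxxxxx.net 443` with the same JVM options your application uses (in particular any -Djavax.net.ssl.trustStore), so the trusted-CA count and the trust decision match what the application sees. If the chain printed ends in an intermediate whose issuer is not in the client's trust store, the server keystore is missing that certificate, which is what `keytool -list -keystore server.jks -v` would also show; if the handshake fails only because of the hostname check, the name passed on the command line is not in the SAN list printed for certificate [0].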

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org