On 05/12/2016 18:33, Jim Weill wrote:
> 
> 
> On 12/5/2016 8:43 AM, Mark Thomas wrote:
>> On 05/12/2016 16:13, Mark Thomas wrote:
>>> On 01/12/2016 22:17, Jim Weill wrote:
>>>> sslEnabledProtocols is now just protocols for one thing. And you
>>>> have to
>>>> put your certificate stuff in an <SSLHostConfig> sub-section to the
>>>> connector now.
>>> That should not be necessary. Tomcat should handle the conversion for
>>> you under the hood.
>>>
>>> I've tested this with a JKS store but not a pkcs12 store. Let me see if
>>> there is something extra we need to do in the pkcs12 case.
>> Confirmed. This is working as expected. The following works with 8.0.x
>> and 8.5.x. I've built both from trunk but there are no relevant changes
>> since the last release of each.
>>
>> <Connector port="8443"
>>             protocol="org.apache.coyote.http11.Http11NioProtocol"
>>             maxThreads="150"
>>             SSLEnabled="true"
>>             scheme="https"
>>             secure="true"
>>             clientAuth="false"
>>             sslProtocol="TLS"
>>             keystoreFile="conf/localhost-rsa.p12"
>>             keystoreType="PKCS12"
>>             keyPass="changeit" />
>>
>> Mark
>>
> 
> 
> So what might have changed with tomcat between 7.0 and 8.5 then?  I
> upgraded from 7.0 to 8.5 and had to do the separate SSLHostConfig
> section and change to the more updated connector syntax when a single
> connector string as shown above used to work.

The auto-switching to use the OpenSSL encryption could be a factor.
Although any error is likely to include OpenSSL support classes in the
stack trace.

Another possibility is alias handling although that also looks to be
OpenSSL related. I've found one case where a keystore with a single
key/cert/chain fails. I'm currently working on a patch for that. It
should make it into a release in the new year.

Tracking down the root cause is likely to involve debugging both the TLS
handshake and the TLS connector initialisation. If you are able to do that,
great. If not, if you can provide a sample configuration - including
dummy keys, certs and chains - that fails that others can use to debug
then that would be very helpful.

Mark
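For reference, the explicit SSLHostConfig form of the connector Mark posted above, as an added example that is not part of the thread. It assumes Tomcat 8.5's documented SSLHostConfig and Certificate attribute names; the file path and password are the dummy values from Mark's snippet.

```xml
<!-- Added example: the SSLHostConfig equivalent of the legacy connector.
     Tomcat 8.5 performs this mapping itself when the old attributes are
     used; spelling it out is useful when comparing a failing 7.0-style
     configuration against one that is known to work. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true">
    <!-- sslProtocol, sslEnabledProtocols (now "protocols") and clientAuth
         move to the SSLHostConfig element; clientAuth="false" becomes
         certificateVerification="none" -->
    <SSLHostConfig sslProtocol="TLS"
                   certificateVerification="none">
        <!-- keystoreFile / keystoreType / keyPass become the
             certificate* attributes of the Certificate element -->
        <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeyPassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```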


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org