Martynas,

On 7/30/17 4:35 PM, Martynas Jusevičius wrote:
> Hey list,
> 
> I need my webapp to accept all SSL client certificates and do its
> own validation.
> 
> I'm upgrading server.xml from the JSSE SSL Connector which used 
> clientAuth="want" and a custom trustManagerClassName in order to do
> that.
> 
> The 8.5.16 docs indicate that this should be replaced with
> SSLHostConfig certificateVerification="optionalNoCA". I have done,
> and also using OpenSSL implementation now:
> 
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true" >
>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>   <SSLHostConfig certificateVerification="optionalNoCA">
>     <Certificate certificateKeyFile="/usr/local/ssl/tomcat.key.pem"
>                  certificateFile="/usr/local/ssl/tomcat.cert.pem" type="RSA" />
>   </SSLHostConfig>
> </Connector>
> 
> However, I'm getting an exception that shows my client certificate
> is validated and rejected by Tomcat/OpenSSL:
> 
> tomcat_1 | https-openssl-apr-8443-exec-3, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, IOException in getSession():  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> tomcat_1 | https-openssl-apr-8443-exec-3, called close()
> tomcat_1 | https-openssl-apr-8443-exec-3, called closeInternal(true)
> 
> Am I missing something? certificateVerification="optional" exhibits
> the same behaviour.

Can you please post the complete stack trace?

You don't have a trust store configured. Is that intentional?

-chris
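As an added example (not code from the thread or from Tomcat), this is what the "own validation" step the original poster describes can look like once the connector passes the client chain through unverified: a servlet filter that reads the chain Tomcat exposes through the standard `javax.servlet.request.X509Certificate` request attribute and admits only certificates whose SHA-256 fingerprint is on an application-managed allowlist. The fingerprint value in the allowlist is a placeholder.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// With certificateVerification="optionalNoCA" Tomcat performs no chain
// validation, so the chain it hands over is untrusted until this filter
// has checked it. (Hypothetical filter; not part of Tomcat.)
public class ClientCertFilter implements Filter {

    // Placeholder allowlist of SHA-256 fingerprints (lowercase hex) of
    // accepted leaf certificates; replace with real values.
    private static final Set<String> ALLOWED = Collections.singleton(
        "0000000000000000000000000000000000000000000000000000000000000000");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        // "optional" lets the client send no certificate at all: not authenticated.
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            X509Certificate leaf = certs[0];
            leaf.checkValidity();                       // expired / not-yet-valid
            if (!ALLOWED.contains(fingerprint(leaf))) { // unknown certificate
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not recognised");
                return;
            }
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid client certificate");
            return;
        }
        chain.doFilter(req, res);
    }

    static String fingerprint(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Whatever the application checks instead of a fingerprint allowlist (its own CA, a revocation list, a subject-to-account mapping), the point is the same: with optionalNoCA the application is the only place that check happens.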