On Tue, Sep 10, 2019 at 3:46 AM Mark Thomas <ma...@apache.org> wrote

> <snip/>
> >> Questions:
> >>
> >> 1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly now
> >> requires truststore information in this connector configuration?
> > There have been several changes aimed at making it easier to switch
> > between JSSE and OpenSSL based TLS implementations. Tomcat tries to
> > store all provided keys and certs in an in-memory Java keystore and then
> > provides the connectors with the keys and certs in the format they
> > require. With the wide range of keystores and key formats there have
> > been a few edge cases where the translation process broke. This looks
> > like one of them.
> > There are additional fixes in later 8.5.x releases so you may wish to
> > try one of those.

Thank you for the information.  As far as using a newer version of Tomcat
with fixes, we want to go with the 8.5.40 version that is packaged with the
application for support reasons.

> >> 2. What needs to be done to allow this to work in the 8.5.40 Tomcat version?
> > truststoreFile and truststorePassword should be configured on the
> > SSLHostConfig not on the Certificate element.

My apologies for my ignorance here, when you say 'configured on the
SSLHostConfig' are you saying it should NOT be in this block:


<SSLHostConfig hostName="*.example1.com">

<Certificate certificateKeystoreType="PKCS12"



This is how I tried to configure it and we still receive the "trustAnchors
parameter must be non-empty" error.  Can you clarify where you mean the
truststore directives should be defined?

Thanks again,


> Mark
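
The quoted reply places truststoreFile and truststorePassword on SSLHostConfig rather than on Certificate. The following is an added example, not part of the thread and not Tomcat code, that checks a server.xml for that placement; the sample configuration, its paths and passwords, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's configuration); paths and
# passwords are placeholders.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig hostName="*.example1.com">
        <Certificate certificateKeystoreType="PKCS12"
                     certificateKeystoreFile="conf/placeholder-keystore.p12"
                     truststoreFile="conf/placeholder-truststore.jks"
                     truststorePassword="PLACEHOLDER"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="*.example2.com"
                     truststoreFile="conf/placeholder-truststore.jks"
                     truststorePassword="PLACEHOLDER">
        <Certificate certificateKeystoreType="PKCS12"
                     certificateKeystoreFile="conf/placeholder-keystore.p12"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

def find_misplaced_truststore_attrs(server_xml):
    """Return (hostName, attribute) pairs for truststore* attributes that sit
    on a <Certificate> element instead of its parent <SSLHostConfig>."""
    findings = []
    for host in ET.fromstring(server_xml).iter("SSLHostConfig"):
        host_name = host.get("hostName", "(no hostName)")
        for cert in host.findall("Certificate"):
            for attr in sorted(cert.attrib):
                if attr.lower().startswith("truststore"):
                    findings.append((host_name, attr))
    return findings

def hosts_with_truststore(server_xml):
    """Return hostNames whose <SSLHostConfig> itself carries truststoreFile."""
    return [h.get("hostName", "(no hostName)")
            for h in ET.fromstring(server_xml).iter("SSLHostConfig")
            if h.get("truststoreFile")]

if __name__ == "__main__":
    for host, attr in find_misplaced_truststore_attrs(SAMPLE_SERVER_XML):
        print(f"{host}: move {attr} from <Certificate> to <SSLHostConfig>")
    print("truststore on SSLHostConfig:", hosts_with_truststore(SAMPLE_SERVER_XML))
```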