I think I was able to figure out the problem (more or less): Using two distinct keystores for trusted certificates and server keys solves the problem. But don't ask me why there is a difference between Windows and Linux on this topic. It also does not work to use an empty keystore (on Linux).
-----Original Message-----
From: David Weisgerber <david.weisger...@ms-gmbh.de>
Sent: Thursday, 17 September 2020 09:29
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Truststore in HTTPS Connector does not work with Linux

Hi,

> Ugh. That *does* point toward a bug in Tomcat itself or something odd with
> the JVM.

Yep.

>> No, we automatically ship the latest 8.5 tomcat version. However for
>> our docker based distribution I was sure that this feature worked at
>> some time (I think I used tomcat 8.0 for this). I tried it with the
>> latest 8.5.57 on Windows, there everything works correctly. I just
>> checked all the versions to see when the "bug"
>> was introduced.

> Did you find it? I took a quick look at the 8.5.x changelog and nothing
> jumped-out at me.

I think it is

  Fix: Refactor the JSSE client certificate validation so that the
  effectiveness of the certificateVerificationDepth configuration attribute
  does not depend on the presence of a certificate revocation list. (markt)

from the 8.5.5 changelog.

Shall I file a bug? Are there any other people that can confirm this? I guess client certificates are a more rarely used feature.

Best regards,
David
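The two connector layouts the thread contrasts, written out as an added example (not configuration posted by anyone in the thread); the file names, key alias, passwords and the certificateVerificationDepth value are placeholders, and the attribute names are those of the Tomcat 8.5 SSLHostConfig/Certificate elements.

```xml
<!-- Layout the reporter says fails on Linux: one keystore file holds both the
     server key and the trusted client-CA certificates, so the same file is
     named as certificate keystore and as truststore. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="required"
                 certificateVerificationDepth="2"
                 truststoreFile="${catalina.base}/conf/server.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/server.jks"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- Layout the reporter says works: the server key and the trusted client-CA
     certificates live in two distinct files, the truststore holding only
     trusted certificate entries. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="required"
                 certificateVerificationDepth="2"
                 truststoreFile="${catalina.base}/conf/client-ca.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/server-key.jks"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
</Connector>
```

To confirm the split, `keytool -list -v -keystore <file>` should report only `trustedCertEntry` entries for the truststore and a `PrivateKeyEntry` for the server keystore.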