I think I was able to figure out the problem (more or less):
Using two distinct keystores for trusted certificates and server keys solves 
the problem. But don't ask me why there is a difference between Windows and 
Linux on this topic.
It also does not work to use an empty keystore (on Linux).

-----Original Message-----
From: David Weisgerber <david.weisger...@ms-gmbh.de> 
Sent: Thursday, 17 September 2020 09:29
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Truststore in HTTPS Connector does not work with Linux

Hi,

> Ugh. That *does* point toward a bug in Tomcat itself or something odd with 
> the JVM.

Yep.

>> No, we automatically ship the latest 8.5 tomcat version. However for 
>> our docker based distribution I was sure that this feature worked at 
>> some time (I think I used tomcat 8.0 for this). I tried it with the 
>> latest 8.5.57 on Windows, there everything works correctly. I just 
>> checked all the versions to see when the "bug"
>> was introduced.

> Did you find it? I took a quick look at the 8.5.x changelog and nothing 
> jumped-out at me.

I think it is this one, from the 8.5.5 changelog:

> Fix: Refactor the JSSE client certificate validation so that the effectiveness 
> of the certificateVerificationDepth configuration attribute does not depend on 
> the presence of a certificate revocation list. (markt)

Shall I file a bug? Are there any other people that can confirm this? I guess 
client certificates are a more rarely used feature.

Best regards,
David
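As an added illustration (not part of the thread, and not Tomcat's own sample configuration), this is what the two-keystore layout described above looks like in a Tomcat 8.5 `server.xml` connector: the server's private key and certificate chain live in one keystore, the CA certificates used to validate client certificates live in a separate truststore. File names, alias and passwords are placeholders.

```xml
<!-- Added example, not from the mailing-list thread. Paths, alias and
     passwords are placeholders; replace them with your own. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
    <!-- Truststore: holds ONLY the CA certificate(s) that may issue client
         certificates. Keep it separate from the server key keystore; the
         thread reports that pointing truststoreFile at the same file as
         certificateKeystoreFile (or at an empty keystore) breaks client
         certificate validation on Linux with Tomcat 8.5. -->
    <SSLHostConfig certificateVerification="required"
                   certificateVerificationDepth="2"
                   truststoreFile="conf/client-ca-truststore.jks"
                   truststorePassword="placeholder-truststore-password"
                   truststoreType="JKS">
        <!-- Keystore: holds ONLY the server's private key and its
             certificate chain, nothing that should be trusted as a
             client-certificate issuer. -->
        <Certificate certificateKeystoreFile="conf/server-keystore.jks"
                     certificateKeystorePassword="placeholder-keystore-password"
                     certificateKeyAlias="tomcat"
                     certificateKeystoreType="JKS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

A quick way to confirm the split is really in place is `keytool -list -keystore conf/client-ca-truststore.jks`: every entry in the truststore should be listed as `trustedCertEntry`, and no `PrivateKeyEntry` should appear there.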