Mark,

On 1/22/25 10:04 AM, Mark Thomas wrote:
On 21/01/2025 19:08, Timothy Resh wrote:
Good afternoon,

If I use this configuration, then the prompts for the client auth work,
where the intermediate.p12 file has all the intermediates from DOD ID CAx
imported. I do not see where the caCertificatePath can be used in this
configuration.

<Connector URIEncoding="UTF-8"
            port="8443"
            address="192.168.1.151"
            connectionTimeout="60000"
            maxThreads="300"
            maxConnections="300"
            protocol="org.apache.coyote.http11.Http11AprProtocol"
            enableLookups="false"
            scheme="https"
            secure="true"
            SSLEnabled="true"
            keystoreFile="C:\\Certificate\\Keystore\\Tomcat SAMM Vessel.p12"
            keystorePass="MyPassword"
            keystoreType="PKCS12"
            SSLProtocol="TLSv1.2"
            SSLCipherSuite="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
            truststoreFile="C:\\Certificates\\CA\\intermediate.P12"
            truststorePass="MyPassword"
            truststoreType="PKCS12"
            SSLVerifyClient="optional"
/>

OK. That configuration is using the APR/native connector with OpenSSL providing the TLS implementation and Tomcat's APR/Native connector providing the I/O.

This must be Tomcat 9 since that is the only currently supported major version of Tomcat that supports the APR/native connector.

This must be Tomcat Native 1.3 (hopefully 1.3.1) since support for the APR/Native connector was removed in Tomcat Native 2.x onwards.

The TLS configuration is using JSSE keystores and Tomcat is automatically converting the data from the JSSE keystore to the format expected by OpenSSL.

Tomcat allows JSSE or OpenSSL style configuration to be used independently of whether JSSE or OpenSSL is providing the TLS implementation. The reason is that it allows users to switch quickly from one implementation to another without having to convert their configuration.

I was 99% sure this was true, but the documentation still indicates that most of those configuration settings can ONLY be used with JSSE or OpenSSL. Let's (separately) discuss how to make that language more clear and update the documentation.

-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
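The posted connector restated in Tomcat 9's SSLHostConfig form, as an added example that is not part of this thread: it keeps the JSSE-style trust store from the original and shows, as a commented alternative, where the OpenSSL-style caCertificatePath attribute belongs. Paths and the bind address are taken from the posted configuration; the passwords and the hashed CA directory are placeholders.

```xml
<!-- Added example: the posted connector in Tomcat 9 SSLHostConfig form.
     Paths and the address come from the thread; passwords are placeholders.
     Both the JSSE-style truststore* attributes and the OpenSSL-style
     caCertificatePath are accepted whether JSSE or OpenSSL provides TLS. -->
<Connector port="8443"
           address="192.168.1.151"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           URIEncoding="UTF-8"
           connectionTimeout="60000"
           maxThreads="300"
           maxConnections="300"
           enableLookups="false"
           scheme="https"
           secure="true"
           SSLEnabled="true">

  <!-- certificateVerification="optional" prompts the browser for a client
       certificate but lets the handshake complete without one; use
       "required" when every client must present one. -->
  <SSLHostConfig protocols="TLSv1.2"
                 ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
                 certificateVerification="optional"
                 truststoreFile="C:\\Certificates\\CA\\intermediate.P12"
                 truststorePassword="CHANGE_ME"
                 truststoreType="PKCS12">
    <!-- OpenSSL-style alternative to the three truststore* attributes above:
         a directory of PEM CA certificates in OpenSSL's hashed layout (one
         certificate per file, named after the subject hash, e.g. 1a2b3c4d.0).
         The path is a placeholder. Configure one of the two forms, not both:
         caCertificatePath="C:\\Certificates\\CA\\hashed" -->
    <Certificate certificateKeystoreFile="C:\\Certificate\\Keystore\\Tomcat SAMM Vessel.p12"
                 certificateKeystorePassword="CHANGE_ME"
                 certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
</Connector>
```

The only difference from the original is the attribute spelling: SSLHostConfig uses certificateVerification, ciphers, protocols and truststorePassword where the Connector-level attributes were SSLVerifyClient, SSLCipherSuite, SSLProtocol and truststorePass.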
