On 16/11/2015 15:59, Ognjen Blagojevic wrote:
> Mark,
>
> On 15.11.2015 13:42, Mark Thomas wrote:
>>> * SSLTest also reports that APR/native does not serve full certificate
>>> chain; instead, it serves only server certificate. The same APR config
>>> serves full chain with Tomcat 8.0.28 + Native 1.2.2, so it seems to be a
>>> regression. Not serving full chain might be a problem for some clients
>>> -- browsers will probably work, but other clients may fail to establish
>>> TLS connection.
>>
>> Hmm. I'm sure this was working at one point. I'll retest it.
>
> Tomcat 8 docs list APR Connector attribute "SSLCertificateChainFile"
> [1]. Tomcat 9 docs do not list such attribute (neither in "SSL
> Support - SSLHostConfig", "SSL Support - Certificate" nor "SSL Support -
> Connector - APR/Native (deprecated)"). I also checked the class
> SSLHostConfigCertificate, and couldn't find a field for the chain.

You use the same attribute as for the cert, i.e. you provide the full
chain rather than just the cert. Docs might need updating to make that
clear.

Mark