All, I've been lazily looking at this issue on SO: http://stackoverflow.com/questions/33688020
I haven't independently verified that Tomcat (or the JRE, more likely) validates expired certificates, but I can see arguments in favor of both behaviors:

1. If the client cert (not an intermediate) is in the trust store, the client cert should be trusted, even if it has expired. The CRL is not being used here.

2. If an intermediate cert is in the trust store, trust the client cert unless it has expired.

I think the OP in the SO issue is talking about case #1 above.

I haven't dug into the JRE's implementation of a TrustManager under the covers, but I wonder if anyone has experience with this kind of thing to know what's (a) supposed to happen and (b) whether or not Tomcat could change the behavior. The X509TrustManager interface isn't very flexible, though the implementation itself certainly can be.

-chris