https://bz.apache.org/bugzilla/show_bug.cgi?id=58244

--- Comment #14 from Mark Thomas <ma...@apache.org> ---
OK. I think I have found the problem.

Tomcat looks for two pieces of information when looking up client certs.
From AprSSLSupport:
// number of certificates in the client chain (maps to SSL_SESSION->peer_chain)
int certLength = SSLSocket.getInfoI(socketRef, SSL.SSL_INFO_CLIENT_CERT_CHAIN);
// DER-encoded client certificate itself (maps to SSL_SESSION->peer)
byte[] clientCert = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT);

In OpenSSL those map to
SSL_SESSION->peer_chain
SSL_SESSION->peer

The problem is that in d2i_SSL_SESSION when the session is repopulated from the
ticket, peer is populated but peer_chain is not. i2d_SSL_SESSION doesn't save
the peer certificate chain either.

RFC5077 appears to allow full certificate chains to be present in the ticket.

Some more digging has unearthed this from the OpenSSL issue tracker:
https://rt.openssl.org/Ticket/Display.html?id=2288

It looks like addressing this is not a high priority for OpenSSL.

We might be able to work-around this on the Tomcat side to expose the client
cert minus the chain and document that as a known restriction when using
session tickets.

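The work-around sketched in the comment above, written out as an added example that is not Tomcat's or Mark Thomas's code. It assumes the tomcat-native SSLSocket.getInfoI/getInfoB calls quoted in the comment, that a session repopulated from a ticket (peer present, peer_chain absent) reports a chain length of 0 or less, and that chain entry i is read with SSL.SSL_INFO_CLIENT_CERT_CHAIN + i; all three are assumptions, not facts taken from the bug.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLSocket;

/**
 * Added illustration (not Tomcat's code): build the client certificate array
 * from the two native lookups and tolerate a session that was repopulated
 * from a ticket, where peer is present but peer_chain is empty.
 */
public final class ClientCertLookup {

    /** Returns the client certificate(s), or null when no client certificate was sent. */
    public static X509Certificate[] lookup(long socketRef) throws Exception {
        int certLength = SSLSocket.getInfoI(socketRef, SSL.SSL_INFO_CLIENT_CERT_CHAIN);
        byte[] clientCert = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT);
        if (clientCert == null) {
            return null; // no client certificate at all
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Assumption: a missing peer_chain shows up as a chain length <= 0.
        if (certLength <= 0) {
            // Resumed-from-ticket case: expose the peer certificate alone and
            // record that the chain is unavailable (the documented restriction).
            System.err.println("Client cert chain unavailable (session ticket?); exposing peer cert only");
            return new X509Certificate[] { parse(cf, clientCert) };
        }
        X509Certificate[] certs = new X509Certificate[certLength + 1];
        certs[0] = parse(cf, clientCert);
        // Assumption: chain entry i is read with SSL_INFO_CLIENT_CERT_CHAIN + i.
        for (int i = 0; i < certLength; i++) {
            byte[] der = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
            certs[i + 1] = parse(cf, der);
        }
        return certs;
    }

    private static X509Certificate parse(CertificateFactory cf, byte[] der) throws Exception {
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

Because the array may legitimately contain only the leaf on a resumed session, application code that inspects intermediate issuers must not assume a length greater than one.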