I'm currently looking (again) at Tomcat's default TLS configuration with SSLLabs. The initial results are promising. A few tweaks have got the default Tomcat 9 + NIO with JSSE to a grade A.
I'm currently looking at Tomcat 9 + NIO with OpenSSL. The grade is capped at B because we don't send the full certificate chain. Looking at the code in o.a.t.u.n.openssl.OpenSSLContext, that is because we don't set it. It looks like we need to create a new native method addChainCertificateRaw() that hooks into OpenSSL's SSL_CTX_add0_chain_cert. I can look at this but we all know how bad my C code is. Review and/or help will be appreciated.

Mark