2016-03-30 10:38 GMT-05:00 Mark Thomas <ma...@apache.org>:
> I'm currently looking (again) at Tomcat's default TLS configuration with
> SSLLabs. The initial results are promising. A few tweaks have got the
> default Tomcat 9 + NIO with JSSE to a grade A.
>
> I'm currently looking at Tomcat 9 + NIO with OpenSSL. The grade is
> capped at B because we don't send the full certificate chain. Looking at
> the code in o.a.t.u.n.openssl.OpenSSLContext that is because we don't
> set it. It looks like we need to create a new native method
> addChainCertificateRaw() that hooks into OpenSSL's
> SSL_CTX_add0_chain_cert. I can look at this but we all know how bad my C
> code is.
>
> Review and/or help will be appreciated.
>

Yes, that makes a lot of sense to me (only the certificate is set at the moment, not the chain). So we'll add it to the todo list.
Rémy
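As an added example, not from this thread and not Tomcat or tomcat-native code: a client-side check for the symptom Mark describes, a server that sends only its leaf certificate and no intermediates. The live check assumes the openssl command-line tool is installed; the host and port are placeholders, and the sample s_client output embedded below is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not Tomcat/tomcat-native code): check from the client side
# whether a TLS server sends its intermediate certificates, which is what
# the SSL Labs "chain incomplete" finding is about.

# Count the PEM certificate blocks in `openssl s_client -showcerts` output
# read from stdin. A leaf-only server yields 1; leaf plus one intermediate
# yields 2. Servers normally omit the root on purpose, so it is not
# expected here.
chain_count() {
    # grep -c exits 1 when the count is 0; a count of 0 is data, not an error.
    grep -c -- '-----BEGIN CERTIFICATE-----' || :
}

# Print subject and issuer of each certificate in the order the server sent
# them, so the order (leaf first, then each issuer in turn) can be checked.
# Assumes the openssl command-line tool is installed.
chain_summary() {
    tmp=$(mktemp -d) || return 1
    # Split stdin into one PEM file per certificate; the numbering lines
    # between blocks are skipped via the inblock flag.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/   { close(f); inblock = 0 }
    '
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        printf '%d: ' "$i"
        openssl x509 -in "$tmp/$i.pem" -noout -subject -issuer | tr '\n' ' '
        printf '\n'
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Fetch the chain from a live server (host and port are placeholders).
# Returns non-zero when only a single certificate was sent.
check_chain() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -showcerts </dev/null 2>/dev/null)
    n=$(printf '%s\n' "$out" | chain_count)
    printf '%s sent %s certificate(s)\n' "$host" "$n"
    printf '%s\n' "$out" | chain_summary
    [ "$n" -gt 1 ]
}

# Constructed sample of s_client -showcerts output with a leaf and one
# intermediate. The certificate bodies are truncated placeholders, not
# real certificates, so only chain_count can be run on it offline.
SAMPLE='Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...leaf...
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...intermediate...
-----END CERTIFICATE-----'

sample_chain_count() {
    printf '%s\n' "$SAMPLE" | chain_count
}

# Usage against a real server: check_chain www.example.com 443
```

On the server side, the OpenSSL call Mark names appends one certificate to the chain of the certificate currently set on the context, so it has to be called after the leaf has been loaded and once per intermediate, in the order they should be sent. The `0` in SSL_CTX_add0_chain_cert means the context takes ownership of the X509 object; SSL_CTX_add1_chain_cert is the variant that increments the reference count and leaves the caller owning it, which matters when the chain objects are also freed from the Java side.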