https://bz.apache.org/bugzilla/show_bug.cgi?id=59940

            Bug ID: 59940
           Summary: Connector attribute certificateVerification in the new
                    SSLHostConfig section is not requiring a client
                    certificate
           Product: Tomcat 8
           Version: 8.5.4
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: [email protected]
          Reporter: [email protected]

Connector attribute "certificateVerification" in the new SSLHostConfig section
is not requiring a client certificate in Tomcat 8.5.4.

In Tomcat 8.0.33 I was using the clientAuth="true" connector attribute.  I
moved it over to the new certificateVerification="required" in the
SSLHostConfig section.

I have removed all client certificates and I am not getting rejected.  I
connect to a Tomcat 8.0.33 with no certificate and get rejected.  If I add the
client certificate back and connect to the 8.0.33 I am good.

I have set Tomcat logs to debug and have not found any error messages, issues
starting the connector or issues with bad attributes.  I have used both IE and
Chrome browsers.  It seems as if the certificateVerification isn't being set. 
I searched for any issues for the certificateVerification attribute and could
not find anything.

I apologize up front if I missed the fix when searching for one.

Here is my server.xml portion for SSL:
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation with the JSSE engine. When
         using the JSSE engine, the JSSE configuration attributes must be used.
    -->

    <Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
               maxThreads="150" 
           scheme="https" 
           secure="true"
           maxKeepAliveRequests="15"
           connectionTimeout="60000"
           acceptCount="100"
           connectionUploadTimeout="300000"
           compression="force"
           enableLookups="true"
           disableUploadTimeout="false" >
        <SSLHostConfig>
           truststoreFile="?:\?\?.jks"
           truststorePass="*********"
           certificateVerification="required"
           protocols="TLSv1,TLSv1.1,TLSv1.2" >
            <Certificate certificateKeystoreFile="?:\?\?.jks"
             certificateKeystorePassword="***********"
              certificateKeyAlias="1"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
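A point worth checking before looking for a Tomcat defect, added here as an editorial example and not part of the report: in the snippet above, `<SSLHostConfig>` is closed by its own `>` on the first line, so `truststoreFile`, `truststorePass`, `certificateVerification` and `protocols` are written after the element is already open. An XML parser accepts that as well-formed character data, not as attributes, so the connector starts without error and `certificateVerification` is never applied. The script below is a constructed audit, not Tomcat code, that parses a server.xml, reports the effective `certificateVerification` value for each `SSLHostConfig`, and flags `name="value"` pairs that ended up as element text. The sample documents, file names and the assumed default of `none` for an absent `certificateVerification` are all constructed for the example; the mapping of the old `clientAuth="true"` to `certificateVerification="required"` matches the Tomcat 8.5 connector documentation.

```python
"""Audit a Tomcat server.xml for SSLHostConfig attributes that were written
as element text instead of attributes (constructed example, not Tomcat code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: attributes placed after the '>' that closes the
# <SSLHostConfig> start tag. The document is well-formed XML, so nothing
# complains, but the parser sees the attributes as character data.
BROKEN = """<Server><Service><Connector port="8443" SSLEnabled="true">
  <SSLHostConfig>
     truststoreFile="conf/truststore.jks"
     certificateVerification="required"
     protocols="TLSv1,TLSv1.1,TLSv1.2" >
     <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA" />
  </SSLHostConfig>
</Connector></Service></Server>"""

# Constructed sample with the same settings as real attributes of the element.
FIXED = """<Server><Service><Connector port="8443" SSLEnabled="true">
  <SSLHostConfig truststoreFile="conf/truststore.jks"
                 certificateVerification="required"
                 protocols="TLSv1,TLSv1.1,TLSv1.2">
     <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA" />
  </SSLHostConfig>
</Connector></Service></Server>"""

# Matches name="value" pairs that should have been attributes.
ATTR_IN_TEXT = re.compile(r'([A-Za-z]\w*)\s*=\s*"[^"]*"')


def audit(server_xml):
    """Return one finding per SSLHostConfig: effective certificateVerification,
    whether a client certificate will actually be required, and any
    attribute-looking text that the parser silently treated as content."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        for shc in conn.iter("SSLHostConfig"):
            # Only text before the first child is inspected; that is where
            # misplaced attributes land in the broken sample.
            stray = ATTR_IN_TEXT.findall(shc.text or "")
            # Assumed default when the attribute is absent (example assumption).
            effective = shc.get("certificateVerification", "none")
            findings.append({
                "port": conn.get("port"),
                "certificateVerification": effective,
                "requires_client_cert": effective == "required",
                "stray_attributes": stray,
            })
    return findings


def report(server_xml):
    """Human-readable summary for each connector in the document."""
    lines = []
    for f in audit(server_xml):
        status = "REQUIRED" if f["requires_client_cert"] else "NOT required"
        lines.append("port %s: client certificate %s (certificateVerification=%s)"
                     % (f["port"], status, f["certificateVerification"]))
        if f["stray_attributes"]:
            lines.append("  misplaced as element text: %s"
                         % ", ".join(f["stray_attributes"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- broken ---")
    print(report(BROKEN))
    print("--- fixed ---")
    print(report(FIXED))
```

Run it against a real server.xml by reading the file into `audit()`; any entry with a non-empty `stray_attributes` list means the settings are not in effect, and the fix is to move them inside the `<SSLHostConfig ...>` start tag before verifying with a no-certificate TLS client that the handshake is rejected.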
