<quote>
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, August 08, 2017 5:23 AM
To: Tomcat Developers List <dev@tomcat.apache.org>
Subject: Test keys and certs

All,

Just a heads up.

A few days ago I started to look at bug 59423. I saw all sorts of errors when I tried to configure a clean Tomcat build for CLIENT-CERT. As I dug into the errors it appeared that Tomcat wasn't handling an unexpected connection close during the renegotiation. I have a patch for this that I'll commit once I have completed some more testing.

I also spent a long time trying to figure out why CLIENT-CERT was failing unexpectedly in some cases. The short answer is that it fails in Chrome but not with Firefox nor with openssl s_client. The failure in Chrome occurs when it tries to find a matching user cert for the provided trusted certs. For some reason Chrome can't match our current user test cert with the CA. My guess is that it expects/requires more fields to be populated than just C and CN.

I've been experimenting with a new CA created from scratch that populates more of the fields and this does work with Chrome.

Therefore, I plan to replace our current test CA with the new one I have created and, therefore, also replace all the test keys and certs used in the unit tests. I'll also update the notes for creating these files and the openssl.cnf with a few more defaults.

I might even get around to looking at 59423 ;)

Mark

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=59423
</quote>

Is it possible the recent changes [1] have affected it? Chrome no longer looks in CN, which is ignored, but rather expects SAN to be filled up. Perhaps Tomcat's test certs lack SAN?

[1] https://www.thesslstore.com/blog/security-changes-in-chrome-58/