Dear Sirs,

We would like to report a behaviour with Apache Tomcat 7.0.59.

Apache Tomcat 7.0.59 is running with:
- RHEL6.6
- java jdk 1.8.0.74
- OpenSSL 1.0.2g

We have a client-server communication. The client certificate is produced via keytool and we have the same problem highlighted here:

http://stackoverflow.com/questions/33688020/configuring-apache-tomcat-7-0-to-reject-connections-with-expired-client-certific

and

http://stackoverflow.com/questions/5206859/java-trustmanager-behavior-on-expired-certificates

What we got from reading the whole flow is that, to solve our problem, we should implement a new X509TrustManager which creates our original instance in its constructor, implements all methods as calls to the original instance, and adds a call to checkValidity for each certificate in certs[] inside checkServerTrusted.

Did we get it right? If yes, it sounds to us like a hole in the security and so a bug in Tomcat. Is there any chance of having this behaviour (refusing connections with expired certificates) as standard in a later Apache Tomcat 7.0.x release?

Can anyone in this community support us?

Best Regards
Francesco

FRANCESCO LEONE
Eng.
Ericsson