On 21/03/18 12:14, Mark Thomas wrote:
> On 21/03/18 08:35, Richard Tearle wrote:
>> On 20 March 2018 at 19:58, Mark Thomas <ma...@apache.org> wrote:
>>
>>> On 20/03/18 14:49, Richard Tearle wrote:
>>> OK. Can you share your configuration and the steps you used to create the
>>> self-signed certificate. I'd like to see if I can reproduce this.
>>>
>>>
>>> Mark
>>>
>>
>> I thought it might be easier to drop the configuration and certificate
>> generating scripts into a ZIP on dropbox:
>>
>> https://www.dropbox.com/s/ib98y6ti2bem53v/TomcatCertsIssue.zip?dl=0
>>
>> The root of the ZIP contains two scripts; run create-cert.sh to
>> generate them.
>>
>> Our Java installation has the Java Cryptography Extension (JCE)
>> installed, and generally we run with the Java security manager
>> enabled, but I've tested that running without it doesn't seem to affect
>> the error we get.
>
> Perfect. I tweaked the scripts slightly but that was a lot easier than
> starting from scratch.
>
> I can reproduce the problem. I need to do some more research to figure
> out what is going wrong and if we can fix it.
Progress.

Tomcat 8.0.x is more relaxed about the content of PKCS12 trust stores than
8.5.x because of a change[1] made so that the effectiveness of the
certificateVerificationDepth configuration attribute did not depend on the
presence of a certificate revocation list.

The PKCS12 store the scripts you provided create includes the private key of
the trusted certificate. This is ... unusual. 8.5.x skips this cert as it
does not expect a trusted cert to include the private key.

I've tried various ways to get openssl to create a PKCS12 file without the
private key but with the certificate, without success. In the end I used
keytool to do this and that worked. Something along these lines:

keytool -storetype pkcs12 -importcert -file ca-cert.pem \
    -keystore ca-truststore.p12

With the modified trust store 8.5.x started with the same configuration as
8.0.x.

Please can you test your set-up with 8.5.x, the modified trust store and the
same configuration as 8.0.x (NIO, JSSE). That should help us track down
where the problem may lie.

Thanks,

Mark

[1] https://svn.apache.org/viewvc?view=revision&revision=1757578

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
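Added example, not part of the thread and not Tomcat's, OpenSSL's or keytool's code: a stdlib-only Python scanner for the point Mark raises above, namely whether a PKCS12 file meant as a trust store also carries a private key. It walks the DER structure a PFX exposes without the store password. By default both openssl and keytool write key entries as pkcs8ShroudedKeyBags inside an unencrypted SafeContents (only the key material itself is shrouded) and put certificate bags under an EncryptedData wrapper, so a key bag's presence is visible in plaintext while the certificates are not. The OIDs are the standard PKCS#12/PKCS#7 ones; the sample PFX the script builds is constructed data with placeholder ciphertext and an empty dummy key, not a loadable key store.

```python
# Added example, not from the thread: report which PKCS#12 bag types a .p12
# exposes in plaintext, so a trust store that also carries a private key can
# be spotted without the store password. Python 3 stdlib only.
import sys

# OIDs from RFC 7292 (PKCS#12) and RFC 2315 (PKCS#7).
OID_KEY_BAG = "1.2.840.113549.1.12.10.1.1"
OID_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
OID_CERT_BAG = "1.2.840.113549.1.12.10.1.3"
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
OID_PKCS7_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"

def _read_tlv(buf, pos):
    """Parse one DER element at pos -> (tag byte, value start, value end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if (tag & 0x1F) == 0x1F:
        raise ValueError("high-tag-number form is not used in PKCS#12")
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(buf, found=None):
    """Every OID reachable without a password: descend into constructed elements
    and into OCTET STRINGs holding nested DER (how PKCS#12 wraps AuthenticatedSafe
    and SafeContents). Ciphertext, salts and MAC digests stay opaque."""
    found = set() if found is None else found
    pos = 0
    while pos < len(buf):
        tag, start, pos = _read_tlv(buf, pos)
        if tag & 0x20:                               # constructed: SEQUENCE, SET, [0]
            collect_oids(buf[start:pos], found)
        elif tag == 0x06:                            # OBJECT IDENTIFIER
            found.add(_decode_oid(buf[start:pos]))
        elif tag == 0x04:                            # OCTET STRING: try it as DER
            try:
                found |= collect_oids(buf[start:pos], set())
            except (ValueError, IndexError):
                pass                                 # opaque bytes, not nested DER
    return found

def classify(p12_bytes):
    oids = collect_oids(p12_bytes)
    return {
        "has_private_key": bool(oids & {OID_KEY_BAG, OID_SHROUDED_KEY_BAG}),
        "has_plaintext_cert_bag": OID_CERT_BAG in oids,
        "has_encrypted_content": OID_PKCS7_ENCRYPTED_DATA in oids,
    }

# --- Minimal DER writer, used only to construct the sample input below. ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _der(0x06, bytes(out))

def build_sample_pfx(include_private_key):
    """Constructed, MAC-less PFX for demonstration only (not a loadable store),
    laid out the way openssl and keytool write by default: certificates inside
    an EncryptedData wrapper (stand-in bytes instead of ciphertext) and, if
    requested, an unencrypted SafeContents holding one pkcs8ShroudedKeyBag."""
    def content_info(oid, inner):                    # ContentInfo { type, [0] content }
        return _der(0x30, _oid(oid) + _der(0xA0, inner))
    encrypted_certs = _der(0x30, _der(0x02, b"\x00") + _der(0x30,           # version 0
        _oid(OID_PKCS7_DATA) + _der(0x30, _oid("1.2.840.113549.1.12.1.3"))  # pbeWithSHAAnd3-KeyTripleDES-CBC
        + _der(0x80, b"\xAA" * 32)))                                        # [0] IMPLICIT encryptedContent
    parts = [content_info(OID_PKCS7_ENCRYPTED_DATA, encrypted_certs)]
    if include_private_key:
        key_bag = _der(0x30, _oid(OID_SHROUDED_KEY_BAG) + _der(0xA0, _der(0x30, b"")))
        parts.insert(0, content_info(OID_PKCS7_DATA, _der(0x04, _der(0x30, key_bag))))
    authenticated_safe = _der(0x30, b"".join(parts))
    return _der(0x30, _der(0x02, b"\x03")             # PFX version 3
                + content_info(OID_PKCS7_DATA, _der(0x04, authenticated_safe)))

if __name__ == "__main__":
    # Pass a .p12 path to inspect a real file; without one the keyed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pfx(True)
    for name, flag in classify(data).items():
        print(f"{name}: {flag}")
```

Run it against the two ca-truststore.p12 variants discussed above: a store that was exported together with the CA's private key should report has_private_key: True, whereas one built with keytool -importcert from ca-cert.pem alone should not. The scanner verifies no MAC and decrypts nothing, so a tool that places key bags inside an EncryptedData wrapper would hide them from it; keytool -list with the store password remains the authoritative check of what entries a store holds.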