On 22/03/18 15:27, Richard Tearle wrote:
> On 22 March 2018 at 14:49, Mark Thomas <ma...@apache.org> wrote:

<snip/>

>> What we have so far is:
>>
>> 8.0.x, http-nio-nnnn (this is always JSSE in 8.0.x), clientAuth="true"
>> This works.
>
> Yes, this works.
>
>> 8.5.x, http-nio-openssl-nnnn, certificateVerification="required"
>> This fails intermittently
>
> It's https-openssl-nio-nnnn and yes, this fails intermittently.
>
>> 8.5.x, http-nio-jsse-nnnn, certificateVerification="required"
>> This works
>
> It's https-jsse-nio-nnnn, and yes, this works
>
>> Is this correct?
>>
>> Thanks,
>>
>> Mark
>>
>
> Also working is 8.5.x, https-openssl-nio-nnnn, certificateVerification="none"

OK. Time to think about this.

NIO + JSSE works whereas NIO + OpenSSL doesn't with the same configuration apart from the presence of the native library. That points to something OpenSSL-specific.

Disabling client verification fixes the problem. So it looks to be something to do with how OpenSSL handles client verification.

It feels like configuration at this point rather than a bug, but it needs some more thought. There will probably be some configuration combinations to experiment with, but if they fail, something we can use to reproduce this is going to be the next step.

Mark