You're (both) quite right, my apologies.
(this is embarrassing)

In my defense, I've been bouncing back and forth between my personal
desktop machine (windows 10)
where I was having this issue...
and a development server, where this was working just fine.

While at lunch, it occurred to me to wonder if I had the same Tomcat and
TC-Native bits on each... confirmed after lunch that these were different
(tc-native 1.2.21 on the desktop, 1.2.19 on the server).
Changed those on my desktop to match those of the server, same issue...
Compared the server.xml files and found that on the desktop, where I had
put back the older (7.x) format Connector stuff, I had (the mistake) left
the clientAuth setting at "want" rather than "true".
Corrected that, working as expected.

Went back to the OpenSSL Connector format and saw new errors...
(useServerCipherSuitesOrder="true" in the Connector section caused a
_default_hostConfig (something like that) error... PROBABLY because I had
moved the SSLProtocols to the SSLHostConfig section.... moved the
useServerCipherSuitesOrder attribute to the SSLHostConfig section and
renamed it to honorCipherOrder to fix that).
Also found I had to add the truststoreType and truststorePassword
attributes to the SSLHostConfig element.... (docs seem to say that's ONLY
for JSSE syntax, but I may be misunderstanding that).

long story short, I now have a Connector element that works correctly:
     <Connector
            port="443"
            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
            maxThreads="150"
            SSLEnabled="true"
            scheme="https"
            secure="true"
        >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <!-- honorCipherOrder replaces the Connector-level useServerCipherSuitesOrder;
             certificateVerification="required" rejects handshakes with no client cert
             ("optional" behaves like the old clientAuth="want") -->
        <SSLHostConfig
            protocols="+TLSv1.2+TLSv1.3"
            honorCipherOrder="true"
            certificateVerification="required"
            truststoreFile="C:/certs/trustStore.pfx"
            truststoreType="PKCS12"
            truststorePassword="password"
            >
            <Certificate
                certificateKeystoreFile="C:/certs/servername.pfx"
                certificateKeystoreType="PKCS12"
                certificateKeystorePassword="password"
            />
        </SSLHostConfig>
    </Connector>


Retested with tc-native 1.2.21 on the desktop... and it's working as
expected.
(Still not sure what was going on previously.)

thanks, again.


On Tue, Feb 12, 2019 at 12:27 PM Mark Thomas <ma...@apache.org> wrote:

> On 12/02/2019 17:21, John Palmer wrote:
> > using the old Connector/clientAuth="true" or the new
> > Connector/SSLHostConfig/          certificateVerification="REQUIRED"
> (tried
> > lowercase and without the D) format..doesn't seem to work properly.
> >
> > no matter what value I use or which format... the behavior seems to be
> that
> > the client cert is prompted for, but is optional.... (the web pages are
> > shown whether a cert is selected or Cancel is selected on the prompt.
> > (in the latter case, a JSP scriptlet that shows X509 certificate content
> > throws an error, confirming that the client certificate was not sent).
> >
> > (Openssl s_client cmd confirms that the "Acceptable client certificate CA
> > names"
> > from the trustStore specified ARE being sent).
> >
> > I don't doubt that I'm missing (mistyping or misunderstanding) something
> > (again), but I'm gonna ask for help a little sooner this time  rather
> than
> > continuing to beat a dead horse   :)     ...
>
> Maybe. Or you might have hit a Tomcat bug.
>
> So, starting with a clean build of the latest 8.5.x source...
>
> Enable TLS (uncomment the second of the commented-out TLS connectors in
> the default server.xml), switch it to NIO2 from APR/native and copy the
> key, cert, etc. into the correct locations.
>
> Starts with TLS enabled with NIO2 (JSSE) on 8443. Can connect with Chrome.
>
> Add certificateVerification="required" to the SSLHostConfig and restart.
>
> Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome
> rejected. Ah. No trust store configured on the connector.
>
> Add caCertificateFile="conf/ca-rsa-cert.pem" to SSLHostConfig and restart.
>
> Starts with TLS enabled with NIO2 (JSSE) on 8443. Connection from Chrome
> rejected. Realised I tried to use OpenSSL config and I'm using JSSE.
> Removed caCertificateFile="conf/ca-rsa-cert.pem" and added
> truststoreFile="conf/ca-rsa.jks" to SSLHostConfig.
>
> Starts with TLS enabled with NIO2 on 8443. Connection from Chrome
> prompts for client cert. Click cancel - connection rejected. As
> expected. Try again, this time selecting a certificate - connection
> allowed.
>
> All working as expected.
>
> Add Tomcat Native (so OpenSSL is used for TLS).
>
> Tomcat starts with NIO2 (OpenSSL) on port 8443.
>
> Prompted for user certificate. Click cancel. Connection refused.
>
> Try again. Prompted for certificate. Select valid cert. Connection
> refused. Ah. The trust store again. Switch back to the OpenSSL config.
>
> Tomcat starts with NIO2 (OpenSSL) on port 8443.
>
> Prompted for user certificate. Click cancel. Connection refused.
>
> Try again. Prompted for certificate. Select valid cert. Connection allowed.
>
> All seems to be working as expected here.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
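As an added example (my own, not part of this thread and not Tomcat's code), here is a small Python audit script that reads a server.xml and flags the misconfiguration the thread turned on: a TLS connector that prompts for a client certificate but does not require one, i.e. clientAuth="want" in the Tomcat 7-style attributes, or a certificateVerification value other than "required" on an SSLHostConfig. It also reports a missing trust store, a client-controlled cipher order, and legacy protocol versions. The sample server.xml is constructed for the example (the 8443 connector reproduces the "want" mistake, the 443 connector is the working form from above); the protocols parser is a simplified model of Tomcat's +/- list syntax, and the attribute defaults ("none", "false", "all") are assumptions based on the Tomcat 8.5 documentation, so check them against your version.

```python
import re
import xml.etree.ElementTree as ET

# Simplified expansion of "all" (assumption; Tomcat's own list depends on the version).
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# JSSE uses truststoreFile; OpenSSL uses caCertificateFile/caCertificatePath.
TRUST_ATTRS = ("truststoreFile", "caCertificateFile", "caCertificatePath")


def enabled_protocols(spec):
    """Expand a Tomcat protocol list ("all", "TLSv1.2,TLSv1.3", "+TLSv1.2+TLSv1.3",
    "all,-TLSv1") into the set of enabled protocol names."""
    enabled = set()
    for token in re.split(r"[,\s]+", spec.strip()):
        # one comma-separated token may carry several +/- prefixed names
        for op, name in re.findall(r"([+-]?)([^+-]+)", token):
            names = ALL_PROTOCOLS if name.lower() == "all" else {name}
            enabled = enabled - names if op == "-" else enabled | names
    return enabled


def _shared_checks(label, elem, order_attr, proto_spec):
    """Checks that apply to both the legacy and the SSLHostConfig style."""
    out = []
    if elem.get(order_attr, "false").lower() != "true":
        out.append(f"{label}: {order_attr} is not true, so the client's cipher preference wins")
    weak = enabled_protocols(proto_spec) & LEGACY_PROTOCOLS
    if weak:
        out.append(f"{label}: legacy protocols enabled: {', '.join(sorted(weak))}")
    return out


def audit_connector(conn):
    """Return a list of findings for one <Connector>; an empty list means it passed."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return []  # plain HTTP or AJP connector: nothing to check
    port = conn.get("port", "?")
    hostconfigs = conn.findall("SSLHostConfig")
    findings = []

    if not hostconfigs:
        # Tomcat 7-style: TLS attributes sit on the Connector itself.
        label = f"port {port}"
        client_auth = conn.get("clientAuth", "false").lower()
        if client_auth != "true":
            # "want" prompts for a certificate but still serves clients that send none
            findings.append(f"{label}: clientAuth={client_auth!r}; only 'true' rejects "
                            "connections without a client certificate")
        if not conn.get("truststoreFile"):
            findings.append(f"{label}: no truststoreFile, so no CA can verify client certificates")
        proto_spec = conn.get("sslEnabledProtocols") or conn.get("SSLProtocol") or "all"
        findings += _shared_checks(label, conn, "useServerCipherSuitesOrder", proto_spec)
        return findings

    for hc in hostconfigs:
        label = f"port {port} host {hc.get('hostName', '_default_')}"
        verification = hc.get("certificateVerification", "none").lower()
        if verification != "required":
            findings.append(f"{label}: certificateVerification={verification!r}; only "
                            "'required' rejects connections without a client certificate")
        if not any(hc.get(a) for a in TRUST_ATTRS):
            findings.append(f"{label}: no trust store ({' / '.join(TRUST_ATTRS)}) configured")
        findings += _shared_checks(label, hc, "honorCipherOrder", hc.get("protocols", "all"))
    return findings


def audit_server_xml(xml_text):
    """Audit every <Connector> in a server.xml document given as a string."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        findings += audit_connector(conn)
    return findings


# Constructed sample: plain HTTP, the 'want' mistake from the thread, and the working form.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="want" sslEnabledProtocols="all"
               keystoreFile="C:/certs/servername.pfx" keystoreType="PKCS12" keystorePass="password"
               truststoreFile="C:/certs/trustStore.pfx" truststoreType="PKCS12" truststorePass="password"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig protocols="+TLSv1.2+TLSv1.3" honorCipherOrder="true"
                     certificateVerification="required"
                     truststoreFile="C:/certs/trustStore.pfx" truststoreType="PKCS12"
                     truststorePassword="password">
        <Certificate certificateKeystoreFile="C:/certs/servername.pfx"
                     certificateKeystoreType="PKCS12" certificateKeystorePassword="password"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML) or ["no findings"]:
        print(finding)
```

Run against the sample, it reports only the 8443 connector (clientAuth "want", no server cipher order, TLSv1/TLSv1.1 enabled via "all") and is silent on the 443 connector. To audit a real file, pass `open("conf/server.xml").read()` to `audit_server_xml`. The script only reads configuration; it does not prove the running server rejects cert-less clients, so still confirm with a browser cancel or `openssl s_client` as Mark did.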