Thank you for your response. Perhaps I was not clear.. what I really want to do is to have Client authentication only for the particular path (/Authn/X509). But it does not seem to kick in and I am wondering if there is any suggestion for troubleshooting.
-Vivien On Thu, Aug 29, 2019 at 12:48 AM Mark Thomas <ma...@apache.org> wrote: > On 28/08/2019 23:09, Vivien Wu wrote: > > Tomcat version: 8.5.14 > > OS: debian 9 (stretch) > > Issues: If using SSLVerifyClient=optional, it seems to work (log > attached, > > assuming config is validated); > > however when trying to use SSLVerifyClient=none, the browser complains > > > > This site can’t provide a secure connection login-test.foo.com sent an > > invalid response. > > ERR_SSL_PROTOCOL_ERROR > > What did you expect? > > You told the Connector - explicitly - not to ask for CLIENT-CERT > authentication. > > You told the application to require CLIENT-CERT authentication. > > It looks like SSLVerifyClient=optional is the correct setting for you > use case. > > Mark > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
