On Tue, Sep 10, 2019 at 3:46 AM Mark Thomas <ma...@apache.org> wrote

>
> <snip/>
>
> >> Questions:
> >>
> >> 1. What has changed in between Tomcat 8.5.32 --> 8.5.40 that seemingly
> now
> >> requires truststore information in this connector configuration?
>
> > There have been several changes aimed at making it easier to switch
> > between JSSE and OpenSSL based TLS implementations. Tomcat tries to
> > store all provided keys and certs in an in-memory Java keystore and then
> > provides the connectors with the keys and certs in the format they
> > require. With the wide range of keystores and key formats there have
> > been a few edge cases where the translation process broke. This looks
> > like one of them.
>
> > There are additional fixes in later 8.5.x releases so you may wish to
> > try one of those.
>
Thank you for the information. As far as using a newer version of Tomcat
with fixes, we want to go with the 8.5.40 version that is packaged with the
application for support reasons.


> >> 2. What needs to be done to allow this to work in the 8.5.40 Tomcat
> version?
>
> > truststoreFile and truststorePassword should be configured on the
> > SSLHostConfig not on the Certificate element.
>

My apologies for my ignorance here, when you say 'configured on the
SSLHostConfig' are you saying it should NOT be in this block:

 <snip>

<SSLHostConfig hostName="*.example1.com">

    <Certificate certificateKeystoreType="PKCS12"
                 certificateKeystoreFile="/app/config/keystore.p12"
                 certificateKeyAlias="example_wildcard"
                 certificateKeystorePassword="maskedpasswd"
                 truststoreFile="/app/config/truststore.p12"
                 truststorePassword="maskedpasswd"
                 type="RSA"/>

</SSLHostConfig>

<snip>

This is how I tried to configure it and we still receive the "trustAnchors
parameter must be non-empty" error.  Can you clarify where you mean the
truststore directives should be defined?

Thanks again,

HB


> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
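As an added illustration of the placement Mark describes (not a snippet from this thread or from the Tomcat documentation), the same server.xml block with the truststore attributes moved from Certificate up to SSLHostConfig; the truststoreType value is an assumption drawn from the .p12 file extension, and the paths, alias and masked password are the ones quoted above:

```xml
<!-- Added example: truststoreFile / truststorePassword are SSLHostConfig
     attributes in Tomcat 8.5, so they sit on SSLHostConfig, while the
     per-key attributes stay on the nested Certificate element. -->
<SSLHostConfig hostName="*.example1.com"
               truststoreFile="/app/config/truststore.p12"
               truststorePassword="maskedpasswd"
               truststoreType="PKCS12">   <!-- assumed: the truststore is PKCS12 -->

    <Certificate certificateKeystoreType="PKCS12"
                 certificateKeystoreFile="/app/config/keystore.p12"
                 certificateKeyAlias="example_wildcard"
                 certificateKeystorePassword="maskedpasswd"
                 type="RSA"/>

</SSLHostConfig>
```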
