We maintain a bunch of Tomcat 7 servers for various customers, all using JSSE security, with a JKS.

All of them show a complete certificate chain when accessed from a browser. Some (if TLSv1.2 is not enabled, and especially those running on boxes that don't have Java 7 or Java 8) get complaints about obsolete connection settings, but even they show complete chains.

For most of them, if I do an SSLLabs scan, SSLLabs shows (and indeed, complains about an "anchor present" in) a complete-down-to-root certificate chain. But for some of them, it says it has to go out and look for the intermediate cert.

I asked about it on the Qualys board; they suggested I try
> openssl s_client -showcerts -connect <domain:port>

I tried this for one of the ones for which SSLLabs claims it's getting an incomplete chain, and sure enough, I get (domain name changed to protect the innocent):

depth=0 OU = Domain Control Validated, CN = frobozz.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = frobozz.com
verify error:num=21:unable to verify the first certificate
verify return:1

Whereas, for one of the ones for which SSLLabs *only* complains that the chain "contains anchor," I get (all identifying fields changed to protect the innocent):

depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = GUE, ST = Quendor, L = Flatheadia, O = "Frobnitz, Inc.", CN = frobnitz.com
verify return:1
verify return:1

I can't tell any difference in the keystore structure between the two, and browsers don't show anything amiss. Does anybody have any insights into why the keystores would behave differently in SSLLabs and "openssl s_client -showcerts"?

--
JHHL
