Hi,

> Ugh. That *does* point toward a bug in Tomcat itself or something odd with 
> the JVM.

Yep.

>> No, we automatically ship the latest 8.5 tomcat version. However for 
>> our docker based distribution I was sure that this feature worked at 
>> some time (I think I used tomcat 8.0 for this). I tried it with the 
>> latest 8.5.57 on Windows, there everything works correctly. I just 
>> checked all the versions to see when the "bug" was introduced.

> Did you find it? I took a quick look at the 8.5.x changelog and nothing 
> jumped-out at me.

I think it is

    Fix: Refactor the JSSE client certificate validation so that the
    effectiveness of the certificateVerificationDepth configuration
    attribute does not depend on the presence of a certificate
    revocation list. (markt)

from the 8.5.5 changelog.

Shall I file a bug? Are there any other people that can confirm this? I guess 
client certificates are a more rarely used feature.

Best regards,
David
