David,

On 9/17/20 11:31, David Weisgerber wrote:
> I think I was able to figure out the problem (more or less):
>
> Using two distinct keystores for trusted certificates and server keys
> solves the problem. But don't ask me why there is a difference
> between Windows and Linux on this topic.
That *is* odd.

> It also does not work to use an empty keystore (on Linux).

That would never be expected to work, as the secure connector requires a
key to start successfully.

I think it's worth filing a bug to see if there is a way to get that
handled via Tomcat. There is no conceptual reason you should be unable
to use the same foostore as both keystore and truststore. It's just
uncommon because the keystore is usually considered a high-security
asset from a "read" perspective while the truststore should really only
be protected from a "write" perspective.

I never put trusted certificates into a keystore mostly because I don't
want to bugger-up my keystore and break the server itself. (I also
happen to hate keystores, but that's kind of beside the point.)

-chris
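As an added illustration (not from this thread and not a snippet from the Tomcat project itself), the two-store layout Chris describes looks like this in a Tomcat 8.5 HTTPS connector with client-certificate verification. The file names, alias and passwords are placeholders I chose, and the keytool commands in the comment assume the client CA certificate is available as ca.crt.

```xml
<!-- Added example (not from the thread): a Tomcat 8.5 HTTPS connector with a
     separate keystore (server key) and truststore (client CA). Paths, alias
     and passwords are placeholders, not values from the thread.

     Build the two stores with keytool (assumes the client CA cert is in ca.crt):
       keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
               -keystore conf/server.p12 -storetype PKCS12 -storepass changeit
       keytool -importcert -alias client-ca -file ca.crt -noprompt \
               -keystore conf/truststore.p12 -storetype PKCS12 -storepass changeit
     Only the truststore receives the CA certificate; the keystore holding the
     server key is never touched by that import, so a bad import cannot break
     the server's own key material. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig certificateVerification="required"
                 certificateVerificationDepth="2"
                 truststoreFile="conf/truststore.p12"
                 truststorePassword="changeit"
                 truststoreType="PKCS12">
    <Certificate certificateKeystoreFile="conf/server.p12"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat"
                 certificateKeystoreType="PKCS12"/>
  </SSLHostConfig>
</Connector>
```

Relative paths resolve against $CATALINA_BASE. The split also lets the file permissions follow the read/write asymmetry in the message above: the keystore is readable only by the Tomcat service account, while the truststore may be world-readable but should be owned by root and not writable by the service account. Before starting the connector, `keytool -list -keystore conf/truststore.p12 -storepass changeit` should show only the CA entry, and the same command against conf/server.p12 should show a PrivateKeyEntry for the alias named in certificateKeyAlias.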

> -----Original Message-----
> From: David Weisgerber <david.weisger...@ms-gmbh.de> 
> Sent: Thursday, 17 September 2020 09:29
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: Truststore in HTTPS Connector does not work with Linux
> 
> Hi,
> 
>> Ugh. That *does* point toward a bug in Tomcat itself or something odd with 
>> the JVM.
> 
> Yep.
> 
>>> No, we automatically ship the latest 8.5 tomcat version. However for 
>>> our docker based distribution I was sure that this feature worked at 
>>> some time (I think I used tomcat 8.0 for this). I tried it with the 
>>> latest 8.5.57 on Windows, there everything works correctly. I just 
>>> checked all the versions to see when the "bug"
>>> was introduced.
> 
>> Did you find it? I took a quick look at the 8.5.x changelog and nothing 
>> jumped-out at me.
> 
> I think it is
> Fix:  Refactor the JSSE client certificate validation so that the 
> effectiveness of the certificateVerificationDepth configuration attribute 
> does not depend on the presence of a certificate revocation list. (markt) 
> From the 8.5.5 changelog
> 
> Shall I file a bug? Are there any other people that can confirm this? I guess 
> client certificates is a more rarely used feature.
> 
> Best regards,
> David
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
