Juan,

On 4/6/25 9:36 AM, juan wrote:
I read it
But couldn't make it work

After hours I got it:

<Connector
      SSLEnabled="true"
      maxThreads="150"
      port="8448"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      scheme="https"
      defaultSSLHostConfigName="duba">
    <SSLHostConfig hostName="duba"
                   truststoreFile="/home/german/Developement/eclipseAngular/tomcat-server.jks"
                   certificateVerification="required"
                   protocols="all">
        <Certificate certificateKeystoreFile="/home/german/Developement/eclipseAngular/tomcat-server.jks"
                     certificateKeystorePassword="password"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

This configuration looks acceptable at first glance. When you use this configuration, you said you "couldn't make it work". Can you be more specific? Were there any error messages in the log on startup? Were there any error messages in the log when trying to make HTTP requests? What did the user experience?

-chris

On Sun, 6 Apr 2025 at 00:57, Chuck Caldarale <n82...@gmail.com> wrote:


On 2025 Apr 5, at 12:49, juan <bobenag...@gmail.com> wrote:

Yes, I read it, but can't find which attributes from SSLHostConfig I should use.
And on the internet I couldn't find any examples; all of them use clientAuth.


If you read the 9.0.x documentation for clientAuth, it says this:

clientAuth
This is an alias for the certificateVerification attribute of the SSLHostConfig
<https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig>
element with the hostName of _default_. If this SSLHostConfig
<https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig>
element is not explicitly defined, it will be created.


Is that not clear that you should now be using certificateVerification
within SSLHostConfig?

   - Chuck


On Sat, 5 Apr 2025, 19:13 Chuck Caldarale, <n82...@gmail.com> wrote:


On 2025 Apr 5, at 10:55, juan <bobenag...@gmail.com> wrote:

Hi

I'm migrating from Tomcat 9 to Tomcat 11.0.5.

I need client cert validation. My server.xml in Tomcat 9:


<Connector SSLEnabled="true" clientAuth="true"
    keyAlias="karun-tomcat-server-cert"
    keystoreFile="/home/german/Developement/eclipseAngular/tomcat-server.jks"
    keystorePass="pass" maxThreads="150"
    port="8448" protocol="org.apache.coyote.http11.Http11NioProtocol"
    scheme="https" secure="true" sslProtocol="TLS"
    truststoreFile="/home/german/Developement/eclipseAngular/tomcat-server.jks"
    truststorePass="pass"/>

Adding clientAuth="true" does the trick, and my client has to have a
certificate provided by me.

But in Tomcat 11 clientAuth doesn't exist in Connector, and even reading the
documentation I can't find how to do it in Tomcat 11.


If you look at the 9.0.x SSL documentation, you'll see that clientAuth was
deprecated even then, and was replaced by attributes of the SSLHostConfig
element.

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
https://tomcat.apache.org/tomcat-11.0-doc/config/http.html#SSL_Support

  - Chuck
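As an added example (not code from this thread or from the Tomcat project), the following Python script audits a server.xml the way the thread describes the migration: it flags the legacy Connector-level clientAuth attribute and checks that every SSLHostConfig on a TLS connector enforces certificateVerification="required" and names a truststoreFile. The clientAuth-to-certificateVerification mapping is my reading of the Tomcat 9 docs, and the sample server.xml is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Legacy Connector value -> SSLHostConfig certificateVerification value
# (assumed mapping, based on how the Tomcat 9 docs describe the alias).
LEGACY_CLIENT_AUTH = {"true": "required", "want": "optional", "false": "none"}


def audit_server_xml(xml_text: str) -> list[str]:
    """Return one finding per legacy or non-enforcing client-cert setting."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, nothing to verify
        port = conn.get("port", "?")
        legacy = conn.get("clientAuth")
        if legacy is not None:
            new = LEGACY_CLIENT_AUTH.get(legacy.lower(), "?")
            findings.append(f"port {port}: legacy clientAuth='{legacy}'; "
                            f"use certificateVerification='{new}' on SSLHostConfig")
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            findings.append(f"port {port}: no SSLHostConfig element; "
                            "client-cert settings must move there for Tomcat 11")
        for host in hosts:
            name = host.get("hostName", "_default_")
            verify = host.get("certificateVerification", "none")
            if verify != "required":
                findings.append(f"port {port}/{name}: certificateVerification="
                                f"'{verify}' does not enforce a client certificate")
            if verify != "none" and not host.get("truststoreFile"):
                findings.append(f"port {port}/{name}: client certs requested "
                                "but no truststoreFile to validate them against")
    return findings


# Constructed sample: one Tomcat 9 style connector, one migrated connector.
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8443" SSLEnabled="true" clientAuth="true"
             keystoreFile="/path/to/server.jks" keystorePass="pass"/>
  <Connector port="8448" SSLEnabled="true" scheme="https"
             defaultSSLHostConfigName="duba">
    <SSLHostConfig hostName="duba" truststoreFile="/path/to/server.jks"
                   certificateVerification="required" protocols="all">
      <Certificate certificateKeystoreFile="/path/to/server.jks"
                   certificateKeystorePassword="password" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML):
        print(line)
```

Run against the sample, only the legacy 8443 connector produces findings; the migrated 8448 connector passes clean.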
