Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2019/02/12 22:26:32 UTC

Re: [OT] tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

Mark,

On 2/12/19 13:27, Mark Thomas wrote:
> Try again. Prompted for certificate. Select valid cert. Connection 
> refused. Ah. The trust store again. Switch back to the OpenSSL
> config.

This is a real point of confusion for users... the difference between
configuring for OpenSSL versus JSSE (especially when using OpenSSL via
JSSE).

Is there any technical reason why we can't accept either type of
certificate for either type of connector? I can't think of a reason
why we couldn't convert from one to the other if necessary.

Sure, it's a bunch of plumbing code that we have to babysit, but the
configuration will be *so* much nicer, regardless of the user's
preference (e.g. PEM-encoded DER files, just like $deity intended, or
the hellspawn that is certificate keystores).

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

Posted by Mark Thomas <ma...@apache.org>.
On 12/02/2019 22:26, Christopher Schultz wrote:
> Mark,
> 
> On 2/12/19 13:27, Mark Thomas wrote:
>> Try again. Prompted for certificate. Select valid cert. Connection
>> refused. Ah. The trust store again. Switch back to the OpenSSL
>> config.
> 
> This is a real point of confusion for users... the difference between
> configuring for OpenSSL versus JSSE (especially when using OpenSSL via
> JSSE).
> 
> Is there any technical reason why we can't accept either type of
> certificate for either type of connector? I can't think of a reason
> why we couldn't convert from one to the other if necessary.
> 
> Sure, it's a bunch of plumbing code that we have to babysit, but the
> configuration will be *so* much nicer, regardless of the user's
> preference (e.g. PEM-encoded DER files, just like $deity intended, or
> the hellspawn that is certificate keystores).

Some of that is already in place but there are gaps.

Likewise we have merged some of the configuration options but could
probably do more.

A good starting point would be a wiki page or similar that documented
the current state and then we could start to fill in the gaps.

Just thinking out loud, a nice way to test this would be with a single
set of key/cert files and multiple connectors on different ports that
each used a different combination. Testing would then be a case of
starting Tomcat and checking the homepage on a handful of different
ports (which could easily be made into a unit test).

Mark
