From: Stefan Wengi (Stefan.Wengi@AdNovum.com)
Organization: AdNovum Software Inc.
Date: Tue, 16 Oct 2001 11:47:50 -0700
To: tomcat-dev@jakarta.apache.org
Subject: HTTP and client certificates
Message-ID: <3BCC80D6.F1084B31@adnovum.com>

Hi,

some people on the user mailing list reported problems getting HTTPS with client authentication to work (setting the "clientAuth" property to "true"). It seems like the Tomcat SSL server factory ignores the CA certificates that are stored in the keystore and only sends the Thawte and Verisign CA info to the client. If you have certificates signed by another CA it won't work because the browser (at least Netscape 4.7x) looks for a user certificate signed by a CA known to the server.

We patched the SSLServerSocketFactory class to retrieve additional CA certs via the TrustManagerFactory. The code already had some preparations for that although it was disabled.

How can we get the fix into the Tomcat 4 code?

cheers
Stefan
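The mechanism the post describes, as an added example that is not Stefan's patch or Tomcat's own SSLServerSocketFactory: a server-side SSLContext is initialised with trust managers built by a TrustManagerFactory from a separate trust store, so the CA certificates in that store become the accepted issuers the server advertises in its TLS CertificateRequest, which is what a browser uses to pick a matching client certificate. The example is written against the current javax.net.ssl API rather than the JSSE 1.0 release of 2001; the key store and trust store paths, passwords, the port and the class name are placeholders. The printAcceptedIssuers helper is the operational check worth running before enabling client auth: if your private CA's DN is not listed, the trust store was not wired in and browsers will behave exactly as described above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ClientAuthServerSocket {

    // Placeholder paths and passwords (assumed, not from the post); adjust for your deployment.
    static final String KEYSTORE_PATH = "/path/to/server.jks";   // server private key + certificate
    static final String TRUSTSTORE_PATH = "/path/to/trust.jks";  // CA certs allowed to sign client certs
    static final char[] KEYSTORE_PASS = "changeit".toCharArray();
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();

    /** Loads a JKS store from disk. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds the TrustManagerFactory from the trust store. Its X509TrustManager's
     * accepted issuers are the CA names the server sends in the CertificateRequest.
     */
    static TrustManagerFactory trustManagers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    /** Returns the issuer DNs the server will advertise; use it to confirm your CA is present. */
    static List<String> acceptedIssuers(TrustManagerFactory tmf) {
        List<String> names = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    names.add(ca.getSubjectX500Principal().getName());
                }
            }
        }
        return names;
    }

    /** Creates a listening SSL server socket that requires a client certificate. */
    static SSLServerSocket createServerSocket(int port) throws Exception {
        KeyStore keyStore = load(KEYSTORE_PATH, KEYSTORE_PASS);
        KeyStore trustStore = load(TRUSTSTORE_PATH, TRUSTSTORE_PASS);

        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, KEYSTORE_PASS);

        TrustManagerFactory tmf = trustManagers(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // Passing the trust store's managers is the essential step: with null here,
        // JSSE falls back to its default trust store (cacerts), so only the public
        // CAs shipped with the JRE would be advertised to the browser.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLServerSocket socket =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        socket.setNeedClientAuth(true); // the programmatic equivalent of clientAuth="true"
        return socket;
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = trustManagers(load(TRUSTSTORE_PATH, TRUSTSTORE_PASS));
        for (String dn : acceptedIssuers(tmf)) {
            System.out.println("accepted issuer: " + dn);
        }
        SSLServerSocket s = createServerSocket(8443);
        System.out.println("listening on " + s.getLocalPort() + ", client certificate required");
        s.close();
    }
}
```

Keeping the server's own key in one store and the client-CA certificates in a separate trust store is deliberate: it limits which CAs may issue client certificates to exactly the entries you placed in the trust store, instead of every CA that happens to be in the JRE's default cacerts file.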