tomcat-dev mailing list archives

From "Michael Coates" <>
Subject SSL Client Cert Verification
Date Thu, 12 Mar 2009 18:05:21 GMT


I'm looking to issue guidance on Tomcat and verification of client certificates. I'm curious
if Tomcat is performing the following validation actions when a client cert is received. I
took a look through the code and didn't find my answer.

<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"/>

Here's what I hope is happening for client certificate verification:

1. Verify validity of client cert and each cert in client cert chain (this appears to be happening
in authenticate)

2. Verify certs in cert chain are actually authorized to issue certificates (i.e. Subject type
= CA). I didn't see this in the code.

3. Verify that none of the certs are on a certificate revocation list. Perhaps this is a configuration

I'm wondering if someone could point me in the right direction. Specifically, is step 2 taking
place somewhere in code that I don't see? Also, if step 3 is a configuration issue, I will
post that question on the appropriate list.


Michael Coates
Senior Application Security Engineer
(301) 604-4882 (work) 
(630) 207-2567 (cell) 
Aspect Security™

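As an added example (not code from the message above, nor Tomcat's own), this is how the three checks the poster lists map onto the JDK's PKIX certificate path validator, the same validation the JSSE trust manager behind a JSSE connector relies on: step 1 is the path validation itself, step 2 is PKIX's mandatory BasicConstraints (cA=TRUE) and KeyUsage (keyCertSign) checks on every issuer in the path, and step 3 is the revocation checker. The truststore path, PEM path and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import java.util.EnumSet;

/** Validates a client chain against a truststore with the JDK's PKIX rules. */
public final class ClientChainCheck {

    /**
     * @param chain the certificates the client presented, end-entity first; the
     *              root (trust anchor) comes from the truststore, not from here
     * @throws CertPathValidatorException with a reason (e.g. REVOKED, or a
     *         BasicConstraints failure) when any of the three checks fails
     */
    public static PKIXCertPathValidatorResult validate(X509Certificate[] chain, KeyStore trustStore)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Step 1: validity, signatures and chaining of every cert the client sent.
        CertPath path = cf.generateCertPath(Arrays.asList(chain));

        // Every trusted cert in the truststore becomes a trust anchor.
        PKIXParameters params = new PKIXParameters(trustStore);

        // Step 2 is built into PKIX: an intermediate without BasicConstraints cA=TRUE
        // (or without keyCertSign in KeyUsage) is rejected; nothing extra to configure.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // Step 3: revocation checking for every cert in the path, CRLs preferred
        // over OCSP (drop the option to let the checker pick OCSP first).
        PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
        params.addCertPathChecker(rc);
        params.setRevocationEnabled(true);

        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths/password: point these at the connector's truststore
        // and a client chain exported as PEM to try it.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream("/path/to/truststore.jks")) {
            ts.load(in, "changeit".toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (FileInputStream in = new FileInputStream("/path/to/client-chain.pem")) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        PKIXCertPathValidatorResult r = validate(chain, ts);
        System.out.println("accepted; anchor = "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

A revoked intermediate, an intermediate issued without cA=TRUE, or an unreachable CRL distribution point all surface as a CertPathValidatorException rather than a silent pass, which is the behaviour to confirm when testing a connector's client-auth setup.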