tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Client not able to perform client-cert authentication with Tomcat 6.0.29 on APR
Date Fri, 12 Nov 2010 16:38:02 GMT
On 12/11/2010 16:27, Goo Sam Kong wrote:
> Hi
> 
> I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.

APR/native connector version? SSL re-negotiation wasn't supported until
recently and the CVE-2009-3555 fixes further complicate things.

> <Connector SSLCACertificateFile="C:\usr-files\client-cert-ca.crt"
>            SSLCertificateFile="C:\usr\tomcat\tomcat.crt"
>            SSLCertificateKeyFile="C:\usr\tomcat\tomcat.key"
>            SSLCipherSuite="AES128-SHA:DES-CBC3-SHA"
>            SSLEnabled="true"
>            SSLEngine="on"
>            SSLVerifyClient="optional"
>            maxThreads="150"
>            port="8443"
>            protocol="HTTP/1.1"
>            scheme="https"
>            secure="true"
>            sslProtocol="TLS" />

Is SSLEngine a valid attribute here? I don't see it in the Connector docs.
SSLVerifyClient="optional" can (should?) be removed.
Is that SSLCipherSuite compatible with your client? Try removing that
setting until everything else is working.

The following settings are known to work:

<Connector
  port="8443"
  protocol="org.apache.coyote.http11.Http11AprProtocol"
  SSLEnabled="true"
  maxThreads="150"
  scheme="https"
  secure="true"
  SSLCertificateFile="${catalina.base}/conf/tomcathost-cert.pem"
  SSLCertificateKeyFile="${catalina.base}/conf/tomcathost-key.pem"
  SSLCACertificateFile="${catalina.base}/conf/cacert.pem" />

Mark
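As an added check that is not part of the thread, the following probe script asks a connector whether it requests a client certificate at all and, if it does, whether the presented certificate is accepted. The file names client.crt, client.key and client-cert-ca.crt are hypothetical; it parses the text that `openssl s_client` prints rather than any Tomcat output.

```shell
#!/bin/sh
# Added example, not code from the thread: probe an HTTPS connector with
# openssl s_client and report whether it asked for a client certificate and
# whether ours got through. Hypothetical paths: client.crt / client.key hold
# the client identity; client-cert-ca.crt is the CA the client uses to verify
# the server certificate (assumed here to be the same CA for simplicity).

# classify_handshake: reads `openssl s_client` output on stdin, prints one of
#   no-cert-request  the initial handshake never carried a CertificateRequest,
#                    so the connector is not asking for a client cert at all
#   cert-rejected    the server asked for a cert and then aborted with a TLS
#                    alert, typically because the cert does not chain to the
#                    CA given in SSLCACertificateFile
#   cert-accepted    the server asked for a cert and the handshake completed
classify_handshake() {
  out=$(cat)
  case "$out" in
    *"Acceptable client certificate CA names"*) ;;
    *) echo no-cert-request; return 0 ;;
  esac
  case "$out" in
    *"alert bad certificate"*|*"alert unknown ca"*|*"alert handshake failure"*|*"alert certificate unknown"*)
      echo cert-rejected ;;
    *) echo cert-accepted ;;
  esac
}

# probe_connector HOST PORT: run one handshake against the connector and
# classify it. stdin is /dev/null so s_client exits after the handshake.
probe_connector() {
  host=$1; port=$2
  openssl s_client -connect "$host:$port" \
    -cert client.crt -key client.key -CAfile client-cert-ca.crt \
    </dev/null 2>&1 | classify_handshake
}

# Usage against the connector discussed in the thread:
#   probe_connector localhost 8443
```

The "Verify return code" line that s_client also prints is the client's verdict on the server certificate, a separate question from whether the server accepted the client's certificate.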

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

