tomcat-users mailing list archives

From Racine Faye <>
Subject Re: Tomcat 8.5.15 Client Authentication Trust Store Changes
Date Wed, 21 Jun 2017 19:53:21 GMT
Thanks for the reply Christopher. The way Tomcat has always worked in
the past (before 8.5.15) is that your trust store is what Tomcat uses
to decide what certificates the browser should show to the user,
because it only shows them certificates that are in the certificate
chain of whatever you import into your trust store. So if you import a
root certificate it will show everything that has that root
certificate in its chain, but if you import an intermediate it will
only show the certificates that the intermediate accepts.

So the way it works for DoD is that on each CAC there are 2 client
authentication certificates, one Email cert and one ID cert. They
contain different information; mainly, the email address is only
contained in the Email cert. When users are prompted to select a
certificate they are only supposed to be given the selection of what
certificates are in the trust store, because it knows that anything
not in that trust store won't be accepted anyway. When you set
clientAuth to true in the connector, that is what makes it so Tomcat
then asks for a certificate from the user for validation.

I have used both IE and Chrome and I get the same results in both. I
am pretty sure it is not a browser issue though, because I have both
Tomcat 8.5.15 and 8.5.14 running on the same server using the same
trust store, and 8.5.14 asks for only certificates that are in the
chain of the intermediates that I imported, while 8.5.15 asks for all
of the certificates. Unfortunately I am not able to run openssl as I
am on a government network and the software we can use is restricted.

The previous link has a pretty good explanation of the way Tomcat has
always worked in the past in the comments and explains the behavior I
am expecting.

On Wed, Jun 21, 2017 at 1:16 PM, Christopher Schultz
<> wrote:
> Racine,
> On 6/21/17 12:38 PM, Racine Faye wrote:
>> I have noticed that in Tomcat 8.5.15 on the Windows Server 2008
>> operating system the way that Tomcat presents user certificates
>> has changed. I have a trust store that I use on the Tomcat 8.5.14
>> version that has only DoD intermediate Email certificates, which
>> makes it so when users go to the site they are prompted for only
>> their email cert.
>> When upgrading to 8.5.15 I used the same trust store and it now
>> prompts for all certificates on the computer.
> What prompts for all certificates on the computer?
>> I am not sure if that is intended behavior or an oversight but it
>> is kind of confusing to users to be presented certificates that
>> they can't use.
> I don't believe Tomcat is presenting any certificates to the user, is
> it? It's the browser that is showing the certificate selection to the
> user. What browser are you using?
>> Another reason for having them only select the email cert is that
>> only the email certificate contains the information that we need
>> to get their user ID.
> This is informative, but not really relevant. Theoretically, the user
> can provide any certificate that has been signed by a certificate in
> the trust store. So if the user decides to provide a signed
> certificate that does *not* have the email address in it, then your
> application needs to be the one signalling an error.
>> I want to see if anyone else is having this issue or if anyone has
>> noticed that when specifying a trust store in Tomcat 8.5.15 that it
>> will present the user with all the certificates they have rather
>> than only the ones that the trust store will accept.
>> To rule out an issue with my server xml I have installed both
>> 8.5.15 and 8.5.14 on the server and used the exact same server.xml
>> file and I see that the 8.5.14 version will ask the user for only 1
>> cert and that the 8.5.15 version will ask the user for all certs.
>> If anyone has a fix for this or might know what is going on or if
>> there is an extra configuration needed that would be helpful.
> Are you using the same web browser with both Tomcat versions? What
> browser(s) are you using? Versions? What OS?
> Are you able to run openssl s_client against your Tomcat server? That
> can tell you what the server is providing as part of the TLS
> handshake... you may be able to tell the difference between what certs
> are being sent back with the handshake.
> -chris
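Christopher's point that the application, not the TLS layer, has to reject a certificate that lacks the email address can be enforced with a servlet filter like the one below. This is an added example, not code from the thread or from Tomcat itself; it assumes the address is carried as an rfc822Name subjectAltName in the user's end-entity certificate, and the request attribute name `cac.email` is a made-up name for downstream code.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests whose client certificate carries no rfc822Name SAN. */
public class EmailCertFilter implements Filter {
    // Servlet-spec attribute under which Tomcat exposes the chain the client presented.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the first rfc822Name in the certificate's SAN, or null if there is none. */
    static String emailFrom(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return null;
        for (List<?> san : sans) {
            // Each entry is [GeneralName tag, value]; tag 1 is rfc822Name (RFC 5280).
            if (Integer.valueOf(1).equals(san.get(0)) && san.get(1) instanceof String) {
                return (String) san.get(1);
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
            return;
        }
        String email;
        try {
            email = emailFrom(certs[0]); // certs[0] is the end-entity (user) certificate
        } catch (CertificateParsingException e) {
            http.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unparseable client certificate");
            return;
        }
        if (email == null) {
            // The ID cert was chosen, or the trust store admitted an unexpected certificate.
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate has no email address");
            return;
        }
        req.setAttribute("cac.email", email); // hypothetical attribute name for downstream code
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Map the filter to the protected paths in web.xml; it then gives a clear 403 instead of a confusing failure when a user picks the ID cert the browser offered.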
