tomcat-users mailing list archives

From Nicolas Therrien <>
Subject Question related to mutual authentication
Date Wed, 08 Nov 2017 21:09:11 GMT

I have successfully set up mutual authentication on a Tomcat 9.0.1 server running on CentOS
6.5.  To do my testing, I use a Java program that I wrote to verify my understanding of SSL
and the server configuration. 

My question is about the server-side verification of the client certificate (the CertificateRequest
part of the handshake). I noticed that the hostname/common name in the client certificate did
not seem to be validated. I can move that certificate to several machines and the server will
always accept it, as long as it is signed by one of the trusted authorities in the server
JVM's truststore. I am puzzled by this behavior because I was expecting the hostname to matter.
If my certificate was set for a machine, I was not expecting it to work on another machine.

My understanding is that when "certificateVerification" is set to "required", the server would
perform the same verification as the client does, that is:

1) Verify the incoming certificate is signed by an authority that is part of the local truststore.
2) Verify that the incoming certificate's common name matches the hostname of the peer we
are communicating with.

Also, should the server behavior be correct, can someone explain to me why it is like that?
I find it odd that the client certificate can be copied around and used by anyone and still
pass mutual authentication...

Thanks in advance,

Nicolas Therrien ing.
Senior Software Engineer

Airbus DS Communications
home of VESTA®
200 Boul. de la Technologie, Suite 300
Gatineau, QC J8Z 3H6
819.931.2139  (DIRECT)
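
Editor's note with an added example (it is not part of this thread and not Tomcat's own code). Hostname verification in TLS is a check the client performs on the server certificate, because the client knows which name it intended to reach; a server has no comparable expected name for an inbound connection, so `certificateVerification="required"` checks that the chain leads to a trusted CA and that the client proves possession of the matching private key during the handshake, and nothing more. Binding the verified certificate to an application identity is therefore an application-level step. The filter below shows one way to do that in a Tomcat 9 (javax.servlet) web application: it reads the chain Tomcat exposes under the standard `javax.servlet.request.X509Certificate` request attribute, extracts the SAN dNSName entries and the subject CN, and rejects the request unless one of them is on an allow-list. The allow-list contents, the `client.identity` attribute name and the class name are assumptions for the example.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of Tomcat): runs after Tomcat has already verified the
 * client certificate chain against its truststore, and maps the certificate to an
 * allow-listed identity. Assumed to be registered in web.xml on the protected URLs.
 */
public class ClientCertIdentityFilter implements Filter {

    // Standard servlet attribute under which Tomcat exposes the verified client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Constructed allow-list for illustration; a real deployment loads this from configuration.
    private static final Set<String> ALLOWED_IDENTITIES = new HashSet<>(Arrays.asList(
            "client01.example.test",
            "batch-uploader.example.test"));

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        if (certs == null || certs.length == 0) {
            // With certificateVerification="required" this should not happen; fail closed anyway.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        // certs[0] is the end-entity certificate presented by the client; the rest is the chain.
        String identity = matchedIdentity(certs[0]);
        if (identity == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not authorised");
            return;
        }
        // Hypothetical attribute name so downstream code can use the bound identity.
        req.setAttribute("client.identity", identity);
        chain.doFilter(req, res);
    }

    /** Returns the first allow-listed name among the SAN dNSNames and subject CN, or null. */
    static String matchedIdentity(X509Certificate cert) {
        for (String name : candidateNames(cert)) {
            String lower = name.toLowerCase(Locale.ROOT);
            if (ALLOWED_IDENTITIES.contains(lower)) {
                return lower;
            }
        }
        return null;
    }

    /** Collects SAN dNSName entries first (the modern identity field), then any subject CNs. */
    static List<String> candidateNames(X509Certificate cert) {
        List<String> names = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    // GeneralName tag 2 is dNSName (RFC 5280); the value is a String.
                    if (Integer.valueOf(2).equals(san.get(0)) && san.get(1) instanceof String) {
                        names.add((String) san.get(1));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            // Unparseable SAN extension: contribute no names rather than failing open.
        }
        try {
            // getName() returns the RFC 2253 form, which LdapName can parse.
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    names.add(String.valueOf(rdn.getValue()));
                }
            }
        } catch (InvalidNameException e) {
            // Malformed subject DN: ignore the CN.
        }
        return names;
    }

    @Override
    public void destroy() { }
}
```

The check deliberately keys on names inside the certificate rather than on the peer's IP address or reverse DNS, since those are not part of what the CA signed and change behind NAT or load balancers. It also only narrows which verified certificates are accepted; it does not substitute for protecting the client's private key, which is what actually proves the identity during the handshake.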
