For some reason on one of my servers, SSL with mutual auth is not enforced. The same server.xml config on another server does end up enforcing it.
So I am reaching out to you guys: do you know why this server.xml configuration allows the user to access the page WITHOUT asking for an SSL client certificate?
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           server="Apache" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="path-to-server-ssl-keystore" keystorePass="hidden"
           clientAut="true" sslProtocol="TLS" truststoreFile="path-to-truststore" truststorePass="hidden"/>
My truststore contains only one certificate (I ensured that to make sure my testing was valid), and my HTML client is NOT configured with this certificate.
When I browse to https://URL:8444/webappname/foo.html, it works! As you can see in the Wireshark trace below, the server is not asking for the client certificate.
On the other servers, I see the server asking for a Client certificate, as shown here:
At the moment I am simply trying to ensure that mutual auth is enforced, so I am expecting to see an SSL error.
Any input would be welcome, thanks in advance.
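A configuration audit that catches the class of problem in this post, written as an added example (not code from the original post or from Tomcat): it parses server.xml, finds every SSL-enabled Connector, and reports whether the real `clientAuth` attribute is set to `true`, flagging any attribute that looks like a misspelling of it. Tomcat starts and serves normally with an unrecognised Connector attribute, so a typo never shows up as an error at startup. The sample XML is constructed from the attributes shown in the question, with the paths and passwords kept as placeholders.

```python
"""Audit Tomcat server.xml HTTPS Connectors for mutual-TLS enforcement."""
import difflib
import xml.etree.ElementTree as ET

# The attribute Tomcat reads (Connector-attribute style, as in the question)
# to require a client certificate. "want" only requests one; "true" requires it.
CLIENT_AUTH_ATTR = "clientAuth"
ENFORCING_VALUE = "true"

# Constructed sample: the question's Connector wrapped in a minimal <Server>.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  server="Apache" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  keystoreFile="path-to-server-ssl-keystore" keystorePass="hidden"
  clientAut="true" sslProtocol="TLS" truststoreFile="path-to-truststore"
  truststorePass="hidden"/>
</Service></Server>"""


def looks_like_client_auth(name: str) -> bool:
    """True when an attribute name is a near-miss spelling of clientAuth."""
    ratio = difflib.SequenceMatcher(None, name.lower(), CLIENT_AUTH_ATTR.lower()).ratio()
    return name != CLIENT_AUTH_ATTR and ratio > 0.8


def audit_connectors(server_xml: str) -> list:
    """Return one finding per SSL-enabled Connector describing its clientAuth state."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector; client certs do not apply
        value = attrs.get(CLIENT_AUTH_ATTR)
        findings.append({
            "port": attrs.get("port"),
            "clientAuth": value,
            "enforced": (value or "").lower() == ENFORCING_VALUE,
            "suspect_attributes": [a for a in attrs if looks_like_client_auth(a)],
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        state = "ENFORCED" if f["enforced"] else "NOT ENFORCED"
        print(f"port {f['port']}: clientAuth={f['clientAuth']!r} -> {state}",
              f"(possible typos: {f['suspect_attributes']})")
```

Run it against the real server.xml of the server that misbehaves and of one that enforces the check; the two outputs should differ only in the `clientAuth` line.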