
Has anything crucial changed regarding SSL in Tomcat between Tomcat 8 and Tomcat 9?

This is the situation summed up.

The configuration below is identical in server.xml in Tomcat 8.5.8 and Tomcat 9.0.64. The JKS-file used is created by keytool in Java 8.

The expected behaviour is that when using HTTPS in the URL (mysite.org), NetID will start giving me a choice of client certificates from my card, I choose the correct certificate and give my PIN code, and then the webpage will be shown.

This works with Tomcat 8.5.8 on Java 8.

But when starting with Tomcat 9.0.64 on Java 8 or Java 17 it throws the error:

ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS

Any idea why Tomcat 9 doesn't like this configuration?

 <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
            maxThreads="150" scheme="https" secure="true"  clientAuth="true" sslProtocol="TLSv1.2"
            keystoreFile="/srv/archive/Cert/archivelux.jks" keystorePass="xxxx"
            truststoreFile="/srv/archive/Cert/archivelux.jks" truststorePass="xxxx" truststoreType="JKS"/>

Yes, something appears to have changed between Tomcat 8 and Tomcat 9.

The parameter sslProtocol="TLSv1.2" is accepted by Tomcat 8, but not by Tomcat 9.

There, the parameter must be SSLProtocol="TLSv1.2".

Restart, and it will work.

/Paul
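
For comparison, the same connector written with the nested SSLHostConfig and Certificate elements that Tomcat 9 documents in place of the connector-level TLS attributes. This is an added example, not part of the original post; the paths and the "xxxx" placeholders are copied from the question, and the mapping of the old attributes onto the new ones follows the Tomcat 9 configuration reference.

```xml
<!-- Added example: Tomcat 9 style TLS configuration with mandatory client certificates. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">

    <!-- protocols: the TLS versions the connector will negotiate. The
         connector-level SSLProtocol attribute from the answer is a
         deprecated alias for this setting.
         certificateVerification="required" replaces clientAuth="true":
         the handshake fails unless the client presents a certificate
         that chains to an entry in the trust store. -->
    <SSLHostConfig protocols="TLSv1.2"
                   certificateVerification="required"
                   truststoreFile="/srv/archive/Cert/archivelux.jks"
                   truststorePassword="xxxx"
                   truststoreType="JKS">

        <!-- Server key and certificate (replaces keystoreFile / keystorePass). -->
        <Certificate certificateKeystoreFile="/srv/archive/Cert/archivelux.jks"
                     certificateKeystorePassword="xxxx" />
    </SSLHostConfig>
</Connector>
```

Tomcat rejects a connector that mixes the deprecated connector-level TLS attributes with an explicit SSLHostConfig for the default host, so use one form or the other.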
