Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38553

A lack of certs is normal if the user doesn't have a trusted cert. Return 401, not 400 in this case.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@740684 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index 9cfc6cb..1c4220a 100644 (file)
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -140,7 +140,7 @@ public class SSLAuthenticator
         if ((certs == null) || (certs.length < 1)) {
             if (containerLog.isDebugEnabled())
                 containerLog.debug("  No certificates included with this request");
-            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                                sm.getString("authenticator.certificates"));
             return (false);
         }