**Configured Tomcat (on Ubuntu) for client authentication by setting Server.xml**
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           maxParameterCount="1000">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig certificateVerification="required" protocols="TLSv1.2" certificateVerificationDepth="10">
        <Certificate certificateFile="conf/zemm.in.cert.pem" certificateKeyFile="conf/zemm.in.key.pem" certificateChainFile="conf/ca-chain.cert.pem" type="RSA" />
    </SSLHostConfig>
</Connector>
```
**Trust store is initialized by setting**
```bash
CLIENT_CERT="$CATALINA_HOME"/conf/myTrustStore
export CATALINA_OPTS="-Djavax.net.ssl.trustStore=$CLIENT_CERT -Djavax.net.ssl.trustStorePassword=changeit"
```
Here myTrustStore contains only a few CAs (self-signed), but I am seeing in the SSL dump that the server hello Certificate Request contains the Distinguished Names of all the CA entries installed in /etc/ssl/certs.

We expect the Distinguished Names to contain only the CAs mentioned in myTrustStore. Is this the default behavior of the SSL implementation on Ubuntu?

I tried other truststores, and in the logs I can see that the proper KeyStore and Truststore are taken while initializing the connectors:

```
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-8443], TLS virtual host [default], certificate type [RSA] configured from key [conf/zemm.in.key.pem], certificate [conf/zemm.in.cert.pem] and certificate chain [conf/ca-chain.cert.pem] with trust store [/opt/tomcat/conf/cacerts]
```
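The Tomcat log line above reports the connector's trust store as `/opt/tomcat/conf/cacerts`, not `myTrustStore`, so a useful check is to compare the CA names the server actually advertises in its TLS CertificateRequest with the entries of the store you intended to use. The script below is an added example, not code from the question or from Tomcat: it parses the "Acceptable client certificate CA names" block of an `openssl s_client` transcript and the `Owner:` lines of a `keytool -list -v` listing, normalises both DN spellings (OpenSSL prints `C = IN, O = Zemm, CN = ...`, keytool prints `CN=..., O=Zemm, C=IN`) and prints every advertised CA that is missing from the store. The two transcripts embedded at the bottom are constructed so it runs offline; the hostname `zemm.in` and the store path are taken from the question, the CA names are made up.

```shell
#!/bin/sh
# Added diagnostic (not code from the original post): list CA names a server
# advertises in its TLS CertificateRequest that are absent from the truststore
# you believe Tomcat is using.  Real inputs would be produced by
#   openssl s_client -connect zemm.in:8443 </dev/null 2>/dev/null > sclient.txt
#   keytool -list -v -keystore "$CATALINA_HOME/conf/myTrustStore" \
#       -storepass changeit > keytool.txt
# The sample transcripts at the bottom are constructed so this runs offline.

export LC_ALL=C   # deterministic ordering for sort/comm

# Canonicalise one DN per input line so OpenSSL's "C = IN, O = Zemm, CN = X"
# and keytool's "CN=X, O=Zemm, C=IN" compare equal: trim each RDN, drop the
# spaces around '=', sort the RDNs, join with '/'.  (Escaped commas inside a
# value are not handled; they are rare in CA subject names.)
normalize_dn() {
  awk -F',' 'NF {
    n = 0
    for (i = 1; i <= NF; i++) {
      rdn = $i
      gsub(/^[ \t]+|[ \t]+$/, "", rdn)
      sub(/[ \t]*=[ \t]*/, "=", rdn)
      parts[++n] = rdn
    }
    for (i = 2; i <= n; i++) {          # insertion sort: order-independent output
      v = parts[i]; j = i - 1
      while (j > 0 && parts[j] > v) { parts[j + 1] = parts[j]; j-- }
      parts[j + 1] = v
    }
    out = ""
    for (i = 1; i <= n; i++) { sep = (i > 1) ? "/" : ""; out = out sep parts[i] }
    print out
  }'
}

# DNs from the "Acceptable client certificate CA names" block of an
# `openssl s_client` transcript read on stdin, one per line.
acceptable_cas() {
  awk '/^Acceptable client certificate CA names/ { grab = 1; next }
       grab && (/^Client Certificate Types/ || /^Requested Signature Algorithms/ || /^---/) { grab = 0 }
       grab { print }'
}

# Subject DNs of every entry in a `keytool -list -v` listing read on stdin.
truststore_cas() {
  sed -n 's/^Owner: //p'
}

# CA names advertised by the server but not present in the truststore listing.
# Usage: extra_cas <s_client transcript file> <keytool listing file>
extra_cas() {
  adv=$(mktemp); ts=$(mktemp)
  acceptable_cas < "$1" | normalize_dn | sort -u > "$adv"
  truststore_cas < "$2" | normalize_dn | sort -u > "$ts"
  comm -23 "$adv" "$ts"
  rm -f "$adv" "$ts"
}

# ---- constructed sample inputs (not captured from the questioner's server) ----
sample_s_client() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = zemm.in
   i:C = IN, O = Zemm, CN = Zemm Intermediate CA
---
Acceptable client certificate CA names
C = IN, O = Zemm, CN = Zemm Root CA
C = US, O = Example Org, CN = Example Global Root CA
C = US, O = Example Org, CN = Example Root CA 2
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---
EOF
}

sample_keytool() {
cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: zemm-root
Entry type: trustedCertEntry

Owner: CN=Zemm Root CA, O=Zemm, C=IN
Issuer: CN=Zemm Root CA, O=Zemm, C=IN
EOF
}

# Run the comparison over the sample data; with real captures call
#   extra_cas sclient.txt keytool.txt
# directly.  Every line printed is a CA the server will accept client
# certificates from that is not in the store you configured.
demo() {
  sc=$(mktemp); kt=$(mktemp)
  sample_s_client > "$sc"
  sample_keytool > "$kt"
  extra_cas "$sc" "$kt"
  rm -f "$sc" "$kt"
}

demo
```

If the real comparison prints anything, the connector is trusting a different store than `myTrustStore`; in Tomcat 8.5 and later the store a JSSE connector uses can be pinned explicitly with the `truststoreFile` and `truststorePassword` attributes on `<SSLHostConfig>` rather than relying on the `javax.net.ssl.trustStore` system property, and the `with trust store [...]` part of the `logCertificate` line confirms which file was picked up.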