tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Bauman <n...@cortexity.com>
Subject RE: Tomcat 3.2 SSL question
Date Wed, 06 Sep 2000 15:24:23 GMT
Stefan,

It sounds more like what you are describing is a "strong extranet" type of
authentication with client-side as well as server-side certificates are 
utilized (aka SSL v.3)

So the question recast might be: "does Tomcat have support for SSL
v.3"? Surely the SSL libraries used with Tomcat does, which means if
tomcat doesn't have "out-of-box" support for it, you could implement it
via the Interceptor or Valve interfaces / base classes yourself. No?

On Wed, 6 Sep 2000, Stefan Freyr Stefansson wrote:

> Thank you for this reply Costin and I'm sorry for the delay of replying to
> it...
> 
> The problem is that we don't use Apache + Tomcat.  The reason for this is
> that we do not need a high performance http server and Apache would be much
> too big to integrate into our project.  Therefore we are using Tomcat.
> 
> So I would like to get some info on HOW two way authentication in Tomcat is
> done... can anybody point me in the right direction?
> 
> Thanks again in advance.
> Stefan
> 
> -----Original Message-----
> From: Costin Manolache [mailto:cmanolache@yahoo.com]
> Sent: 30. agust 2000 16:30
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Tomcat 3.2 SSL question
> 
> 
> > My first question is the obvious one.  When is Tomcat 3.2 final supposed
> to
> > come out?
> 
> To quote Jon:
> When it's ready.
> 
> Few weeks ago I would have hoped for a faster release, but seeing the
> amount of testing and detailing that's going on I would wait a bit more.
> ( documentations, script improvements, all kind of fixes, etc.). My feeling
> is that's very close.
> 
> > start bugging you guys about it.  But... I would like to know if Tomcat
> 3.2
> > SSL (once I get it up and running) supports two way authentication.  I
> need
> > the client to be able to verify that he/she is talking to the server
> he/she
> > believes he/she is talking to... (a lot of he/she's in there... anything
> to
> > be politically correct ;o) But I also need to be able to verify that the
> > client is who he/she says he/she is (this is ridiculous).  For that I need
> > two way authentication.
> 
> Probably it's he/she/it ( the browser is the client most of the time ).
> I never tested this feature, but I saw few reports that it works.
> 
> If you use Tomcat + Apache then you can just use the Apache's
> SSL for mutual authentication ( it should work faster too )
> 
> > One other thing is about the licencing.  Our plan is to integrate Tomcat
> > into one of our own products.  The product is not a commercial product and
> > very unlikely that anybody could benefit from using this thing except for
> my
> > company...  I would like to know if it is allright to use Tomcat in such a
> > way?  Are there any limitations or fees???  We looked at the licence file
> > that came with the Tomcat download and the way we understood that was that
> > we could basically use it any which way we wanted given that we included
> > some things in our manual and didn't change the headers of the source
> files
> > (you know... the thing whith all the copyright thingys and such).
> 
> AFAIK you can do anything you want except claim it's yours :-)
> This is a frequent question - maybe we should add something on the
> web page.
> 
> Costin
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 


Mime
View raw message