tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Bauman <>
Subject RE: Tomcat 3.2 SSL question
Date Wed, 06 Sep 2000 15:24:23 GMT

It sounds more like what you are describing is a "strong extranet" type of
authentication with client-side as well as server-side certificates are 
utilized (aka SSL v.3)

So the question recast might be: "does Tomcat have support for SSL
v.3"? Surely the SSL libraries used with Tomcat does, which means if
tomcat doesn't have "out-of-box" support for it, you could implement it
via the Interceptor or Valve interfaces / base classes yourself. No?

On Wed, 6 Sep 2000, Stefan Freyr Stefansson wrote:

> Thank you for this reply Costin and I'm sorry for the delay of replying to
> it...
> The problem is that we don't use Apache + Tomcat.  The reason for this is
> that we do not need a high performance http server and Apache would be much
> too big to integrate into our project.  Therefore we are using Tomcat.
> So I would like to get some info on HOW two way authentication in Tomcat is
> done... can anybody point me in the right direction?
> Thanks again in advance.
> Stefan
> -----Original Message-----
> From: Costin Manolache []
> Sent: 30. agust 2000 16:30
> To:
> Subject: Re: Tomcat 3.2 SSL question
> > My first question is the obvious one.  When is Tomcat 3.2 final supposed
> to
> > come out?
> To quote Jon:
> When it's ready.
> Few weeks ago I would have hoped for a faster release, but seeing the
> amount of testing and detailing that's going on I would wait a bit more.
> ( documentations, script improvements, all kind of fixes, etc.). My feeling
> is that's very close.
> > start bugging you guys about it.  But... I would like to know if Tomcat
> 3.2
> > SSL (once I get it up and running) supports two way authentication.  I
> need
> > the client to be able to verify that he/she is talking to the server
> he/she
> > believes he/she is talking to... (a lot of he/she's in there... anything
> to
> > be politically correct ;o) But I also need to be able to verify that the
> > client is who he/she says he/she is (this is ridiculous).  For that I need
> > two way authentication.
> Probably it's he/she/it ( the browser is the client most of the time ).
> I never tested this feature, but I saw few reports that it works.
> If you use Tomcat + Apache then you can just use the Apache's
> SSL for mutual authentication ( it should work faster too )
> > One other thing is about the licencing.  Our plan is to integrate Tomcat
> > into one of our own products.  The product is not a commercial product and
> > very unlikely that anybody could benefit from using this thing except for
> my
> > company...  I would like to know if it is allright to use Tomcat in such a
> > way?  Are there any limitations or fees???  We looked at the licence file
> > that came with the Tomcat download and the way we understood that was that
> > we could basically use it any which way we wanted given that we included
> > some things in our manual and didn't change the headers of the source
> files
> > (you know... the thing whith all the copyright thingys and such).
> AFAIK you can do anything you want except claim it's yours :-)
> This is a frequent question - maybe we should add something on the
> web page.
> Costin
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View raw message