tomcat-dev mailing list archives

From Andy Armstrong <>
Subject Re: SSL - NES / DOMINO
Date Thu, 07 Jun 2001 23:25:40 GMT
Andy Armstrong wrote:
> There's a bug in the current release of the Domino connector that means
> that it doesn't properly recognise SSL requests, which means it doesn't
> set is_ssl in the jk_ws_service structure. I've fixed this now, but I don't
> seem to be able to recover values for ssl_cert, ssl_cipher or
> ssl_session from Domino. I also find that if these fields are set as
> follows
>   s->is_ssl       = 1;    /* i.e. it is an SSL request... */
>   s->ssl_cert_len = 128;
>   s->ssl_cert     = NULL; /* ...but we don't have these values */
>   s->ssl_cipher   = NULL;
>   s->ssl_session  = NULL;
> I'm getting a null pointer exception in at
> this code:
>          case SC_A_SSL_CERT     :
>                  isSSL = true;
>   --->          attributes.put("javax.servlet.request.X509Certificate",
>                                            msg.getString());
>          break;
> It seems that msg.getString() is probably returning a null. This may be
> because I'm working with Tomcat 3.2.1 tonight, so I'm just grabbing a
> copy of 3.3 to see if that problem has been fixed.

I've now had a look at the 3.3 source for ajp13 and I think I understand
the problem. Look at this:

    if(s->ssl_cert_len) {
        if(0 != jk_b_append_byte(msg, SC_A_SSL_CERT) ||
           0 != jk_b_append_string(msg, s->ssl_cert)) {
            jk_log(l, JK_LOG_ERROR,
                   "Error ajp13_marshal_into_msgb - Error appending the SSL certificates\n");

            return JK_FALSE;

I've been assuming that ssl_cert_len and ssl_cert are independent
variables, and specifically that it's possible, and desirable, to know
the length of the cert without actually having the cert. However, the
ajp13 code assumes that if you know the length of the cert you also have
the cert. If ssl_cert_len != 0 then it assumes that ssl_cert != NULL and
attempts to send it.

Is this correct? Is it never useful to know the cert's length without
having the cert itself?

Andy Armstrong, Tagish
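
The length/pointer mismatch discussed in this message, as an added sketch that is not part of the original post and not taken from the Tomcat or mod_jk sources. The demo_msg and demo_service types, the put_byte and put_string helpers, the attribute code value and the 0xFFFF marker for a NULL string are all assumptions made for this sketch. It compares a sender that tests only ssl_cert_len with one that emits the attribute only when the pointer and the length are both present.

```c
#include <stddef.h>
#include <string.h>

#define DEMO_A_SSL_CERT 0x07u   /* placeholder attribute code (assumption) */
#define DEMO_NULL_LEN   0xFFFFu /* assumed wire marker for a NULL string */

typedef struct { unsigned char buf[256]; size_t len; } demo_msg;  /* stand-in buffer */
typedef struct { int is_ssl; const char *ssl_cert; unsigned ssl_cert_len; } demo_service;

static int put_byte(demo_msg *m, unsigned char b) {
    if (m->len >= sizeof m->buf) return -1;
    m->buf[m->len++] = b;
    return 0;
}

/* Length-prefixed string; a NULL pointer becomes the marker with no payload. */
static int put_string(demo_msg *m, const char *s) {
    size_t n = s ? strlen(s) : 0;
    unsigned len = s ? (unsigned)n : DEMO_NULL_LEN;
    if (n >= DEMO_NULL_LEN || m->len + 2 + n > sizeof m->buf) return -1;
    m->buf[m->len++] = (unsigned char)(len >> 8);
    m->buf[m->len++] = (unsigned char)(len & 0xFF);
    if (s) { memcpy(m->buf + m->len, s, n); m->len += n; }
    return 0;
}

/* Same test as the quoted excerpt: only the length is consulted. */
int marshal_cert_len_only(demo_msg *m, const demo_service *s) {
    if (s->ssl_cert_len &&
        (put_byte(m, DEMO_A_SSL_CERT) || put_string(m, s->ssl_cert))) return 0;
    return 1;
}

/* Guarded: skip the attribute unless both the pointer and the length are set. */
int marshal_cert_guarded(demo_msg *m, const demo_service *s) {
    if (s->ssl_cert == NULL || s->ssl_cert_len == 0) return 1;
    if (put_byte(m, DEMO_A_SSL_CERT) || put_string(m, s->ssl_cert)) return 0;
    return 1;
}

/* 1 if the message starts with a cert attribute whose string is the NULL marker. */
int has_null_cert(const demo_msg *m) {
    return m->len >= 3 && m->buf[0] == DEMO_A_SSL_CERT &&
           m->buf[1] == 0xFF && m->buf[2] == 0xFF;
}

int main(void) {
    demo_msg m = {{0}, 0}; demo_service s = {1, NULL, 128};  /* constructed input */
    return (marshal_cert_guarded(&m, &s) && m.len == 0) ? 0 : 1;
}
```

With the constructed input from the quoted message (ssl_cert_len = 128, ssl_cert = NULL), the length-only sender emits a certificate attribute with no string behind it, which is the kind of value a receiver has to null-check before storing.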
