tomcat-dev mailing list archives

From Andy Armstrong <a...@tagish.com>
Subject Re: SSL - NES / DOMINO
Date Fri, 08 Jun 2001 00:55:41 GMT
Andy Armstrong wrote:
[snip]
> I've now had a look at the 3.3 source for ajp13 and I think I understand
> the problem. Look at this:
> 
>     if(s->ssl_cert_len) {
>         if(0 != jk_b_append_byte(msg, SC_A_SSL_CERT) ||
>            0 != jk_b_append_string(msg, s->ssl_cert)) {
>             jk_log(l, JK_LOG_ERROR,
>                    "Error ajp13_marshal_into_msgb - Error appending the SSL certificates\n");
> 
>             return JK_FALSE;
>         }
>     }
> 
> I've been assuming that ssl_cert_len and ssl_cert are independent
> variables, and specifically that it's possible, and desirable, to know
> the length of the cert without actually having the cert. However, the
> ajp13 code assumes that if you know the length of the cert you also have
> the cert. If ssl_cert_len != 0 then it assumes that ssl_cert != NULL and
> attempts to send it.
> 
> Is this correct? Is it never useful to know the cert's length without
> having the cert itself?

I've now found where Domino stashes the cert/cert length and am now
passing them through to Tomcat. I'll make a new release tomorrow when
I've had a chance to test against an NT Domino server.

Incidentally, is it the case that the SSL Cert contains, in effect,
arbitrary binary data? If so, the code I quoted above from ajp13 seems to
be flawed in that it uses jk_b_append_string() (which expects a null
terminated string) to append the cert to the message. If there happens
to be a zero byte in the cert it will be truncated at that point.

-- 
Andy Armstrong, Tagish
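The truncation concern raised above, shown as an added example that is not from the thread or from mod_jk: a hypothetical stand-in for the ajp13 message buffer (msg_t, append_bytes, append_string are assumed names, not the real jk_b_* API) using the AJP13 string encoding (2-byte length, bytes, trailing zero). The sample certificate bytes are constructed and assume the cert is raw DER, which the message only asks about.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the ajp13 message buffer; not mod_jk's real jk_b_* API. */
typedef struct {
    uint8_t buf[256];
    size_t len;
} msg_t;

/* AJP13 wire format for a string: 2-byte length, the bytes, then a trailing 0.
 * The caller supplies the length, so embedded zero bytes are carried whole. */
static int append_bytes(msg_t *m, const uint8_t *p, size_t n) {
    if (n > 0xffff || m->len + 2 + n + 1 > sizeof m->buf) return -1;
    m->buf[m->len++] = (uint8_t)(n >> 8);
    m->buf[m->len++] = (uint8_t)(n & 0xff);
    memcpy(m->buf + m->len, p, n);
    m->len += n;
    m->buf[m->len++] = 0;
    return 0;
}

/* The NUL-terminated variant, shaped like jk_b_append_string(): the length it
 * sends is strlen(), which stops at the first zero byte in the data. */
static int append_string(msg_t *m, const char *s) {
    return append_bytes(m, (const uint8_t *)s, strlen(s));
}

/* Constructed sample: the opening bytes of a DER certificate (SEQUENCE header
 * followed by a version element). A DER length field may legitimately hold 0x00. */
static const uint8_t sample_cert[] = {
    0x30, 0x82, 0x01, 0x00, 0xa0, 0x03, 0x02, 0x01, 0x02
};

/* Length the peer decodes from the 2-byte prefix after each kind of append. */
size_t cert_len_seen_via_string(void) {
    msg_t m = { {0}, 0 };
    if (append_string(&m, (const char *)sample_cert) != 0) return 0;
    return ((size_t)m.buf[0] << 8) | m.buf[1];   /* 3: cut off at the 0x00 */
}

size_t cert_len_seen_via_bytes(void) {
    msg_t m = { {0}, 0 };
    if (append_bytes(&m, sample_cert, sizeof sample_cert) != 0) return 0;
    return ((size_t)m.buf[0] << 8) | m.buf[1];   /* 9: the whole certificate */
}
```

The receiving side would see a 3-byte "certificate" in the first case, so any check that parses or validates it fails; passing s->ssl_cert_len explicitly is the shape of fix the message points at.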
