tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jean-frederic clere <jfrederic.cl...@fujitsu-siemens.com>
Subject Re: SSL Attributes
Date Tue, 18 Sep 2001 16:45:06 GMT
GOMEZ Henri wrote:
> 
> >> +1 , and a comment on Readme.txt as is a spec compliance issue
> >>
> >> Until we find a way to cache Client Certificate Chain..
> >
> >Or we add 2 more messages in ajp13/14 - to get the chain when the user
> >request it.
> >
> >In fact, even the client certificate should be retrieved only
> >on demand,
> >I assume most pages will not deal with certificates ( except maybe
> >some initial page ), and sending even the first cert over the
> >wire would
> >be wasted.
> >
> >Long ago we did some tests and looked into a number of servlets - it's
> >likely 1/2 of what we send by default can be eliminated ( including
> >most of the headers ), very few servlets will do getHeaders(). The
> >impact on performance was visible ( with a small penalty for the
> >requests using getHeaders == one extra roundtrip ).
> >
> >I assume that's something for ajp14/warp ( including customization
> >of what's send and what's not).
> 
> That something I've got in mind for ajp14, written on that
> many times allready, with headers and miscs informations
> to be asked by tomcat to web-server at getAttributes time
> for example :
> 
> Currently
> 
> WebServer       ->      Tomcat
> 
> 1) SEND HEADERS + REQUEST to TC
> 2) SEND DATA (eventually) to TC
> 
> 3) WAIT TOMCAT REPLY
> 
> 4) SEND BACK HEADERS + REPLY TO BROWSER
> 
> Next in ajp14
> 
> WebServer       ->      Tomcat
> 
> 1) SEND GENERAL HEADERS + REQUEST to TC
> 2) SEND DATA (eventually) to TC
> 
> 3) WAIT TOMCAT REPLY OR TOMCAT ENQUIRIES
> 3a) IF ENQURIES, REPLY TO TC ENQUIRIES
>     ie CERTIFICATE CHAIN which may be more than
>     x certs....
> 
> 4) SEND BACK HEADERS + REPLY TO BROWSER

For example:
request.getAttribute("javax.servlet.request.X509Certificate");
1 - Tomcat send a message to the webServer - Want X509Certificates -
2 - WebServer reads its enviromnemt (or send the client a request for the client
certificate *).
3 - WebServer answer with the received cerficate.
Why? because it is the servlet application that decides it needs the client
certificate. Actualy that is a parameter in httpd.conf that makes it very
difficult to use.

*) Must be possible because mod_ssl allows per-directory context for
SSLVerifyClient require.

Mime
View raw message