tomcat-dev mailing list archives

From Eric Rescorla <...@rtfm.com>
Subject Re: Tomcat to support other keystore types?
Date Wed, 07 Nov 2001 20:26:13 GMT
"Bill Barker" <wbarker@wilshire.com> writes:
> And, indeed, for tomcat+apache, we don't use JSSE (except to allow for url
> rewriting ;).  I'm in favor of Eric's approach for exactly Costin's reason:
> having a separate interface  would decouple the SSL info from the socket
> factory.
> 
> Of course, if Eric wants to provide patches to save me typing I'm even more
> in favor of it.
I'm happy to provide patches but I want to make sure there's
rough consensus on what I'm going to do before I start. [0]

Creation of SSL sockets will be the same as before (at least
for now [1]): you'll specify an appropriate socketFactory and that
will create ServerSockets (which in turn will create Sockets).

Each Socket created (transitively) by SSLSocketFactory must
implement interface SSLSocketExtensions. This will look something
like this:

interface SSLSocketExtensions {
	java.security.cert.Certificate[] getCertificateChain(); // peer's chain, if one was presented
	String getCipherSuite();
	byte[] getSessionID();

	// ... (more methods as required)
}

Then, all Tomcat code can just do (for instance):
	java.security.cert.Certificate[] certs;

	certs = ((SSLSocketExtensions) socket).getCertificateChain();

Does this seem acceptable?

-Ekr

[0] Normally I'm not this cautious but I'm new to Tomcat and 
don't want to come barging in and step on people's toes. :)

[1] In the future we might wish to standardize interfaces to
the SocketFactory to permit standardized policy/configuration
information to be communicated.

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
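As an added example, not code from this thread or from Tomcat, here is how the pieces of the proposal fit together in current Java: the interface as sketched, one JSSE-backed implementation that answers it from the SSLSession, and a consumer that asks the socket for the interface instead of casting blindly. The class names JsseSocketExtensions and ConnectionInfo are this example's own; it assumes the javax.net.ssl API (SSLSocket.getSession, SSLSession.getPeerCertificates/getCipherSuite/getId) rather than the older javax.security.cert variants.

```java
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

// The interface from the proposal, with the "more methods as required" left out.
interface SSLSocketExtensions {
    Certificate[] getCertificateChain(); // peer's chain, or null when no client cert was presented
    String getCipherSuite();
    byte[] getSessionID();
}

// Hypothetical JSSE-backed implementation (name is this example's own). Everything it
// reports comes from the SSLSession, so only this class, not the servlet container
// code, depends on JSSE; a non-JSSE socket factory would supply its own class.
final class JsseSocketExtensions implements SSLSocketExtensions {
    private final SSLSession session;

    JsseSocketExtensions(SSLSocket socket) {
        this.session = socket.getSession(); // runs the handshake if it has not completed yet
    }

    public Certificate[] getCertificateChain() {
        try {
            return session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            return null; // no client certificate, or one the trust manager rejected: report "none"
        }
    }

    public String getCipherSuite() { return session.getCipherSuite(); }

    public byte[] getSessionID() { return session.getId(); }
}

// Consumer side: the code path the message sketches, written without a blind cast,
// because a plain TCP socket from the non-SSL connector would throw ClassCastException.
final class ConnectionInfo {
    // Returns the extensions view of a socket, or null for a socket that is not TLS at all.
    static SSLSocketExtensions extensionsOf(Socket socket) {
        if (socket instanceof SSLSocketExtensions) {   // factory that already implements the interface
            return (SSLSocketExtensions) socket;
        }
        if (socket instanceof SSLSocket) {             // plain JSSE socket: adapt it
            return new JsseSocketExtensions((SSLSocket) socket);
        }
        return null;                                   // plain TCP
    }

    // What a request handler would do with the view: decide whether the peer is authenticated.
    static String describe(Socket socket) {
        SSLSocketExtensions ext = extensionsOf(socket);
        if (ext == null) {
            return "plain connection, no TLS attributes";
        }
        Certificate[] chain = ext.getCertificateChain();
        String peer = "anonymous client";
        if (chain != null && chain.length > 0 && chain[0] instanceof X509Certificate) {
            peer = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        }
        return ext.getCipherSuite() + ", session " + hex(ext.getSessionID()) + ", peer " + peer;
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Offline demonstration with an unconnected plain socket (constructed input): the handler
    // gets a clear "no TLS" answer instead of a ClassCastException.
    public static void main(String[] args) {
        System.out.println(describe(new Socket()));
    }
}
```

The design point is in extensionsOf: container code that needs the client certificate depends only on SSLSocketExtensions, so swapping the socket factory (JSSE, another provider, or a non-Java front end that relays the certificate) changes only which class implements the interface. Treating a missing or unverified chain as null keeps "no client authentication" an explicit state the handler must check rather than an exception path it might forget.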
