tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: cvs commit: jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11 Http11Processor.java
Date Wed, 18 Sep 2002 20:02:41 GMT

----- Original Message -----
From: "Craig R. McClanahan" <craigmcc@apache.org>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Wednesday, September 18, 2002 12:34 PM
Subject: Re: cvs commit:
jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11
Http11Processor.java


>
>
> On Wed, 18 Sep 2002, Bill Barker wrote:
>
> > Date: Wed, 18 Sep 2002 12:06:50 -0700
> > From: Bill Barker <wbarker@wilshire.com>
> > Reply-To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> > To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> > Subject: Re: cvs commit:
> >     jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11
> >     Http11Processor.java
> >
> >
> > ----- Original Message -----
> > From: <bobh@apache.org>
> > To: <jakarta-tomcat-connectors-cvs@apache.org>
> > Sent: Wednesday, September 18, 2002 9:44 AM
> > Subject: cvs commit:
> > jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11
> > Http11Processor.java
> >
> >
> > > bobh        2002/09/18 09:44:35
> > >
> > >   Modified:    .        gump.xml
> > >                coyote/src/java/org/apache/coyote Request.java
> > >                http11/src/java/org/apache/coyote/http11
> > >                         Http11Processor.java
> > >   Log:
> > >   - This associates the socket with the Request.  This is so the
> > >   CertificatesValve.verify() can tell where (which socket) the Request
> > >   is comeing from.  Without this association,
CertificatesValve.verify()
> > >   returns with no SSL Handshake.
> > >   - this change is in part based on feed back from; Vivek N. Yingxian
> > >   Wang (JSSE), Craig M., Qingqing Ouyang
> > >
> >
> > I'm -1 on this, since having a socket in the Request makes no sense for
Jk2.
> > CertificatesValve is only for use with the deprecated HttpConnector.
With
> > Coyote, the SSL handling has moved to the connector (where it belonged
in
> > the first place).
> >
>
> The current Tomcat standalone implementation does not appear to meet the
> spec requirements for exposing a certificate chain, or for implementing
> CLIENT-CERT authentication.  For the latter, the container needs to
> challenge the client to send a certificate if they didn't do so already.
>
> How do you propose to meet those requirements for Tomcat stand-alone
> without access to the underlying SSL socket?  (For the connectors, you'll
> obviously need to provide an alternative solution to meet the spec
> requirements).

The correct place to fix it is
o.a.t.u.net.JSSESupport.getPeerCertificateChain (called from
o.a.c.http11.Http11Processor.action).  The code there was so heavily cribbed
from CertificatesValve, that I should probably add you to the @author. :-)

I'm strongly against reverting TC 4/5 back to only supporting JSSE (which
would be the effect of requiring CertificatesValve).

>
> Craig
>
>
>
> --
> To unsubscribe, e-mail:
<mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
<mailto:tomcat-dev-help@jakarta.apache.org>
>


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message