tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: cvs commit: jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11 Http11Processor.java Http11Protocol.java
Date Thu, 05 Jun 2003 20:04:03 GMT

----- Original Message -----
From: "Jan Luehe" <Jan.Luehe@Sun.COM>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Thursday, June 05, 2003 12:05 PM
Subject: Re: cvs commit: jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11 Http11Processor.java Http11Protocol.java


> Remy/Bill,
>
> > Ouch, that's one nasty hack.
> > -1, please revert it.
> >
> > There are callbacks to the processor to evaluate the SSL related
> > attributes. If something is broken, this should be fixed, but using that
> > pattern. I believe get/setSocket are useless, and the calls should be
> > entirely removed.
>
> I noticed the ActionHook calls to get SSL related attributes, however,
> CertificatesValve needs the SSLSocket in order to renegotiate an SSL
> handshake if the requested resource is from a webapp with this
> authentication constraint:
>
>    <login-config>
>       <auth-method>CLIENT-CERT</auth-method>
>    </login-config>
>
> If the request was received through an SSL-enabled connector that does
> not enforce SSL client authentication, the handshake needs to be
> reinitiated, with client authentication enforced. In order to do that,
> CertificatesValve needs access to the SSLSocket, in order to call its
> startHandshake() method.
>
> If the only purpose of CertificatesValve is to support the deprecated
> Http11Connector, which component is going to replace it and implement SSL
> handshake renegotiation?
>

SSLAuthenticator makes a request for a special Request attribute
("org.apache.coyote.request.X509Certificate"), which fires off an Action
hook (ACTION_REQ_SSL_CERTIFICATE) to renegotiate the handshake if necessary.

I changed TC 5 a little while back to do a lazy-evaluation of the SSL
attributes.  If you are seeing problems, that might be where.

>
> Jan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>


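The renegotiation step Jan describes (re-run the handshake with client authentication enforced when a CLIENT-CERT protected resource is requested over a connector that did not require a certificate) is shown below as an added, stand-alone JSSE example. It is not Tomcat code and not part of the original mail: the class name, the poll budget constants and the assumption that the caller has already consumed any request body before calling it are all my own. What it demonstrates is the part that the thread only alludes to: on a plain blocking SSLSocket, startHandshake() is synchronous for the first handshake but only initiates a renegotiation, so the server has to drive the handshake records through timed reads and wait for the HandshakeCompletedListener before it can read the client chain from the session.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.SocketException;
import java.net.SocketTimeoutException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/**
 * Hypothetical helper (not Tomcat code): obtain a verified client certificate
 * chain for a CLIENT-CERT protected request, renegotiating the TLS handshake
 * with client authentication enforced if the original handshake had none.
 * Precondition assumed here: the request body has already been consumed, so
 * the only bytes the peer can send during the renegotiation are handshake records.
 */
public final class ClientCertRenegotiation {

    // Constructed poll budget (60 x 1 s); tune per deployment.
    private static final int MAX_POLLS = 60;
    private static final int POLL_TIMEOUT_MS = 1000;

    private ClientCertRenegotiation() {}

    /**
     * Returns the client chain, renegotiating once if necessary. Throws if the
     * client still presents no certificate, so the caller can reject the request.
     */
    public static X509Certificate[] requireClientCertificates(SSLSocket socket) throws IOException {
        X509Certificate[] chain = peerChain(socket);
        if (chain != null) {
            return chain; // connector already enforced client auth; nothing to do
        }
        // Drop the current session first: a resumed (abbreviated) handshake would
        // not carry a client certificate, so a full handshake must be forced.
        socket.getSession().invalidate();
        socket.setNeedClientAuth(true);
        renegotiateBlocking(socket);

        chain = peerChain(socket);
        if (chain == null) {
            throw new SSLPeerUnverifiedException("no client certificate after renegotiation");
        }
        return chain;
    }

    /** Drive the renegotiation to completion with short, timed reads. */
    private static void renegotiateBlocking(SSLSocket socket) throws IOException {
        final boolean[] completed = {false};
        HandshakeCompletedListener listener = new HandshakeCompletedListener() {
            @Override
            public void handshakeCompleted(HandshakeCompletedEvent e) {
                synchronized (completed) { completed[0] = true; }
            }
        };
        socket.addHandshakeCompletedListener(listener);
        int oldTimeout = socket.getSoTimeout();
        try {
            socket.setSoTimeout(POLL_TIMEOUT_MS);
            InputStream in = socket.getInputStream();
            byte[] probe = new byte[1];
            socket.startHandshake(); // for a renegotiation this only initiates it
            for (int i = 0; i < MAX_POLLS; i++) {
                synchronized (completed) { if (completed[0]) return; }
                try {
                    int n = in.read(probe); // processes pending handshake records
                    if (n > 0) {
                        // Application data here violates the precondition above:
                        // refuse rather than silently lose the byte.
                        throw new SSLException("unexpected application data during renegotiation");
                    }
                    if (n < 0) {
                        throw new SocketException("connection closed during renegotiation");
                    }
                } catch (SocketTimeoutException e) {
                    // No record within the poll window: re-check the listener and retry.
                }
            }
            synchronized (completed) { if (completed[0]) return; }
            throw new SocketException("client certificate renegotiation timed out");
        } finally {
            socket.setSoTimeout(oldTimeout);
            socket.removeHandshakeCompletedListener(listener);
        }
    }

    /** Client chain from the current session, or null if the peer is unverified. */
    private static X509Certificate[] peerChain(SSLSocket socket) {
        try {
            Certificate[] certs = socket.getSession().getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[certs.length];
            for (int i = 0; i < certs.length; i++) {
                if (!(certs[i] instanceof X509Certificate)) {
                    return null;
                }
                x509[i] = (X509Certificate) certs[i];
            }
            return x509;
        } catch (SSLPeerUnverifiedException e) {
            return null; // no client certificate presented, or it failed verification
        }
    }
}
```

Two caveats worth keeping in mind when reading this against the thread. The session must be invalidated before setNeedClientAuth(true), otherwise the second handshake can be an abbreviated resumption that still carries no client certificate. And renegotiation is a TLS 1.2-and-earlier feature that was later shown to be unsafe unless both ends implement RFC 5746 secure renegotiation; TLS 1.3 removes it in favour of post-handshake client authentication, so on a current JSSE this approach only applies where secure renegotiation is negotiated.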

