Return-Path: Delivered-To: apmail-jakarta-tomcat-dev-archive@www.apache.org Received: (qmail 69343 invoked from network); 22 Jan 2004 20:52:51 -0000 Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12) by minotaur-2.apache.org with SMTP; 22 Jan 2004 20:52:51 -0000 Received: (qmail 86476 invoked by uid 500); 22 Jan 2004 20:52:36 -0000 Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org Received: (qmail 86207 invoked by uid 500); 22 Jan 2004 20:52:35 -0000 Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Tomcat Developers List" Reply-To: "Tomcat Developers List" Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 86193 invoked from network); 22 Jan 2004 20:52:35 -0000 Received: from unknown (HELO victor.wilshire.com) (209.0.86.70) by daedalus.apache.org with SMTP; 22 Jan 2004 20:52:35 -0000 Received: from thunderbird.wilshire.com (thunderbird.wilshire.com [192.168.14.20]) by victor.wilshire.com (8.12.3/8.12.3/Debian-6.6) with ESMTP id i0MKqMaG011702 for ; Thu, 22 Jan 2004 12:52:22 -0800 Received: from bbarkerxp (host1-129.wilshire.com [192.168.1.129] (may be forged)) by thunderbird.wilshire.com (8.12.10/8.12.9) with SMTP id i0MKqMeF028643 for ; Thu, 22 Jan 2004 12:52:22 -0800 (PST) Message-ID: <013a01c3e129$afde5c40$ec66a8c0@bbarkerxp> From: "Bill Barker" To: "Tomcat Developers List" References: Subject: Re: JSSE 1.4: 'Want' vs. 'Need' Client Certificate Authentication Date: Thu, 22 Jan 2004 12:52:45 -0800 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------=_1074804743-3214-384" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Archived: msg.XXjmjWDa@thunderbird X-Scanned-By: MIMEDefang 2.38 X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N ------------=_1074804743-3214-384 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline This has been on my list for awhile (just not very high :). I am leaning in the direction of 1): change the clientAuth parameter to be a String of the form: 'true', 'false', or 'want'. It's the simplest, and cleanest. Getting the PureTLS implementation caught up with the JSSE implementation is another item on my list :). ----- Original Message ----- From: "Becker, Michael" To: Sent: Thursday, January 22, 2004 10:38 AM Subject: JSSE 1.4: 'Want' vs. 'Need' Client Certificate Authentication One of the additional features that has been introduced in JSSE 1.4 is the ability to 'want' client certificates instead of 'require'ing them (http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.ht ml#NewMethods). It also appears that this functionality is not available in the PureTLS implementation of the SSL protocol (at least that I could find). This feature could be useful in scenarios where some users have client side certificates and some do not. This would still allow both sets of users to connect to the same host, but using different modes of authentication. Another nice thing that this feature would give us is the ability to provide a friendly "You don't have a client certificate and contact this help desk to get your client certificate" instead of not allowing any requests to get into the container. Considering the fact that this is only applicable to a JDK 1.4.x VM, is this something that could be built into the current distribution? Here are some options that I came up with to get this functionality in Tomcat. 1. Provide an additional argument to the org.apache.coyote.tomcat4.CoyoteServerSocketFactory in server.xml to 'want' certificate authentication. If the underlying SSL implementation does not support that feature, log an error/warning and revert to 'need' certificate authentication. 2. For the org.apache.tomcat.util.net.jsse.JSSE14* classes, change the functionality to 'want' certificates instead of 'need' them. This gives the application and container the ability to give the user an error if they do not have a certificate instead of closing the socket and making the browser show the 'Page can not be displayed' error. This would change existing behavior and thus could be a really bad thing to do. 3. Make my own modifications and don't incorporate into the default distribution. Regards, Mike Becker --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org ------------=_1074804743-3214-384 Content-Type: text/plain; name="disclaimer.txt" Content-Disposition: inline; filename="disclaimer.txt" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail. ------------=_1074804743-3214-384 Content-Type: text/plain; charset=us-ascii --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org ------------=_1074804743-3214-384--