tomcat-dev mailing list archives

From Chad La Joie <>
Subject Feature Request: Optional No Cert validation on SSL connector
Date Tue, 21 Jun 2005 15:47:22 GMT
Good Morning,
  I work on the Internet2 Shibboleth project and we've run into an
issue with client cert authentication in a stand-alone Tomcat
environment (i.e. without Apache HTTPD in front of it).  Shibboleth
clients use client cert auth when talking with the Shibboleth server;
however, the certificate chains for the clients are not in a Java
keystore.  Instead they are in XML files that contain a large amount of
metadata needed by both the client and the server.
  Our current supported deployment configuration is to have Apache
HTTPD in front of Tomcat and to use the "SSLVerifyClient optional_no_ca"
HTTPD directive.  This allows the client to send its certificate, but
instead of HTTPD trying to validate the cert, it just passes the cert on
to the Shibboleth server.  This allows us to validate the certificate
against the cert chains in the metadata files within the server code (a
huge support boon for us).  What we'd like to request is a similar
option for the SSL connector when client cert auth is used so that we
can support a stand-alone Tomcat setup too.
  Would this be possible?
Chad La Joie             315Q St. Mary's Hall
Project Sentinel         202.687.0124
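Added example (not part of the message above, and not Tomcat's or Shibboleth's own code): the two halves of what "SSLVerifyClient optional_no_ca" gives you, written against plain JSSE and java.security.cert. The first half is a trust manager that never rejects a client chain, so the handshake does not fail on an unknown CA; the second half is the application-side check that validates the presented chain against trust anchors the application loaded itself (here from a PEM file standing in for the metadata). Class names, the PEM inputs and the way the trust manager would be wired into a Tomcat connector are assumptions. The caveat to keep in mind: once the TLS layer trusts anything, a client certificate proves only possession of the matching private key, so every authorization decision must go through the application validator and nothing may key off the certificate DN before that validator has run.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/**
 * Example only. Mirrors httpd's optional_no_ca in two pieces:
 *  1. AcceptAnyClientCertTrustManager - the TLS layer accepts any client chain
 *     (the client still proves key possession in the handshake).
 *  2. MetadataCertValidator - the application validates that chain against
 *     trust anchors it loaded from its own source (metadata, not a keystore).
 * Wiring the trust manager into a Tomcat connector is deployment-specific and
 * is assumed, not shown.
 */
public class DeferredClientCertValidation {

    /** TLS-layer trust manager: never rejects a client chain. Pair it with app-level checks. */
    public static final class AcceptAnyClientCertTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // Deliberately empty: validation is deferred to the application, as optional_no_ca does.
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // Server-side use only; refuse to be (mis)used as a client trust manager.
            throw new CertificateException("client-side use not supported");
        }
        @Override public X509Certificate[] getAcceptedIssuers() {
            // Empty: the server advertises no CA names in its CertificateRequest.
            return new X509Certificate[0];
        }
    }

    /** Application-level validator holding trust anchors taken from metadata. */
    public static final class MetadataCertValidator {
        private final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();

        /** Register a CA certificate from the application's metadata as a trust anchor. */
        public void addAnchor(X509Certificate ca) {
            anchors.add(new TrustAnchor(ca, null));
        }

        /**
         * Validate the chain the TLS layer handed over, leaf first (in a servlet the
         * same array arrives as request attribute "javax.servlet.request.X509Certificate").
         * Returns the leaf subject on success, throws on any failure.
         */
        public String validate(X509Certificate[] chain) throws CertPathValidatorException {
            if (chain == null || chain.length == 0) {
                throw new CertPathValidatorException("no client certificate presented");
            }
            try {
                // PKIX wants the path to stop below the anchor, so cut the chain at the first anchor.
                List<X509Certificate> path = new ArrayList<X509Certificate>();
                for (X509Certificate c : chain) {
                    if (isAnchor(c)) break;
                    path.add(c);
                }
                CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
                PKIXParameters params = new PKIXParameters(anchors);
                params.setRevocationEnabled(false); // no CRL/OCSP here; enable it if metadata carries CRLs
                CertPathValidator.getInstance("PKIX").validate(cp, params);
                return chain[0].getSubjectX500Principal().getName();
            } catch (GeneralSecurityException e) {
                throw new CertPathValidatorException("chain rejected: " + e.getMessage(), e);
            }
        }

        private boolean isAnchor(X509Certificate c) {
            for (TrustAnchor a : anchors) {
                if (c.equals(a.getTrustedCert())) return true;
            }
            return false;
        }
    }

    /** Load every X.509 certificate in a PEM or DER file, in file order. */
    public static Collection<? extends Certificate> loadCerts(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
    }

    /** Usage: java DeferredClientCertValidation <ca-from-metadata.pem> <client-chain-leaf-first.pem> */
    public static void main(String[] args) throws Exception {
        MetadataCertValidator v = new MetadataCertValidator();
        for (Certificate ca : loadCerts(args[0])) v.addAnchor((X509Certificate) ca);
        X509Certificate[] chain = loadCerts(args[1]).toArray(new X509Certificate[0]);
        try {
            System.out.println("accepted: " + v.validate(chain));
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with a CA certificate exported from the metadata as the first argument and a client chain (leaf first) as the second; a leaf signed by that CA is accepted, a self-signed or differently-issued leaf is rejected with the PKIX reason. Revocation is switched off only because the example has no CRL source; a production validator that loads CRLs from metadata should leave it on.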
