tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chad La Joie <>
Subject Re: Feature Request: Optional No Cert validation on SSL connector
Date Mon, 27 Jun 2005 11:30:00 GMT
Hey guys,
  I was wondering if there were any thoughts on this particular
suggestion.  I hadn't seen anything on the list.

Chad La Joie wrote:
> Good Morning,
>   I work on the Internet2 Shibboleth project and we've run in to an
> issue with client cert authentication in a stand alone Tomcat
> environment (i.e. without Apache HTTPD in front of it).  Shibboleth
> clients use client cert auth when talking with the Shibboleth server,
> however, the certificate chains for the clients are not in a Java
> keystore.  Instead they are in XML files that contain a large amount of
> metadata needed by both the client and the server.
>   Our current, supported, deployment configuration is to have Apache
> HTTPD in front of Tomcat and to use "SSLVerifyClient optional_no_ca"
> HTTPD directive.  This allows the client to send its certificate, but
> instead of HTTPD trying to validate the cert, it just passes the cert on
> to the Shibboleth server.  This allows us to validate the certificate
> against the cert chains in the metadata files within the server code (a
> huge support boon for us).  What we'd like to request is a similar
> option for the SSL connector when client cert auth is used so that we
> can support a stand alone Tomcat set up too.
>   Would this be possible?

Chad La Joie             315Q St. Mary's Hall
Project Sentinel         202.687.0124

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message