tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chad La Joie <laj...@georgetown.edu>
Subject Re: Feature Request: Optional No Cert validation on SSL connector
Date Tue, 28 Jun 2005 13:51:52 GMT


jean-frederic clere wrote:
> Chad La Joie wrote:
> 
>> Yeah, I know what mod-ssl says, and for most cases it's probably right,
>> however the optional_no_ca option is interesting to us because it
>> provides exactly the functionality that we need; accepting the client
>> cert, putting it in a standard place, and allowing our application to do
>> the verification for us.
>>
>> As you said, PKCS12 wouldn't help us.  The problem isn't that the Java
>> keystore is some how flawed.  It's that that's just not a viable
>> mechanism for us.  Our certificates are communicated in SAML2 metadata
>> files.  These files change periodically (when new service or identity
>> providers come online or old ones go offline).  We had discussed a
>> process whereby we'd extract the certs from the file and create a
>> keystore but that has and unacceptable drawback, in our opinion.  With
>> the SAML2 metadata files we can get fresh copies of those files and use
>> them immediately in a running system.  With the keystore mechanism
>> Tomcat would need to be restarted because the keystore, or at least part
>> of it, is cached in memory and as far as I can tell, the cache is never
>> refreshed.  Given the indeterminate frequency for metadata updates, we
>> do not see this as a viable solution for a production level system.
> 
> 
> I am not sure I got it right...
> 
> If you have clients that use client certificates you only need to get
> them signed by a CA that is known by Tomcat or do you want to change the
> server certificate Tomcat is using?

That's the problem, Tomcat might not know the CA that signed the cert.
All certificate information, including CA(s), are expressed in the SAML2
metadata file.  It could be that the CA that signed the client cert was
something like Verisign, but it's much more likely to be the case that
it's some organization's CA, which Tomcat wouldn't know about.
-- 
Chad La Joie             315Q St. Mary's Hall
Project Sentinel         202.687.0124

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message