tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject RE: Tomcat and OCSP
Date Fri, 08 Dec 2006 21:11:36 GMT
 

> -----Original Message-----
> From: Mark Claassen [mailto:mclaassen@ocie.net]
> Sent: Friday, December 08, 2006 12:49 PM
> To: 'Tomcat Developers List'
> Subject: RE: Tomcat and OCSP
>
> I am really not sure what is involved... as I have not done all the necessary
> research.
>
> My understanding is that the location of the revocation server is built into
> the certificates themselves somehow.
>
> Several months ago I looked around, and thought I saw where you did the
> certificate validation. I believe it was done manually, not using the
> standard Java APIs. (My assumption was that this functionality pre-dated
> the Java API.)
>

No, Tomcat uses the regular Java API.  You don't see it, since it is buried
in the SSL Handshake code.  Then, just for fun, if you are using CLIENT-CERT
auth, Tomcat checks all the dates again (but not the trust).

> I was hoping that all that would be involved would be to locate that area
> and try to use the Java certificate validation APIs instead of these custom
> ones. Then, hopefully the OCSP stuff would just work.
>
> There is a lot of "Hope" in this, but hey, it's Christmas! :)
>
> Mark
>
> -----Original Message-----
> From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf Of Yoav Shapira
> Sent: Friday, December 08, 2006 3:26 PM
> To: Tomcat Developers List
> Subject: Re: Tomcat and OCSP
>
> Hi,
> Wouldn't you need OCSP revocation handling at the SSL connector processing
> point? That's the patch I was thinking of, but I'm not an expert in this
> area, so I might be off-base.
>
> Yoav
>
> On 12/8/06, Filip Hanik - Dev Lists <devlists@hanik.com> wrote:
> > is a patch even required? or is OCSP something you just turn on since
> > it's built into the JDK
> > Mark, do you have any more details what this would involve?
> > Filip
> >
> > Yoav Shapira wrote:
> > > Mark,
> > > If you submit a patch for OCSP support, I'll gladly review it, and I
> > > imagine several other people would be interested as well.
> > >
> > > Yoav
> > >
> > > On 12/8/06, Mark Claassen <mclaassen@ocie.net> wrote:
> > >> I asked this on the user list, but perhaps this is a question
> > >> better for here. I have been using Tomcat for a while, but have
> > >> not been developing yet really (although I did submit a patch a
> > >> while ago to the CGIServlet).
> > >> However, this OCSP issue has potential to really hit the fan for us
> > >> and if there is something that needs to be done, I would like to
> > >> try.
> > >>
> > >> -----Original Message-----
> > >>
> > >> Now that I see Tomcat 6.0 is on its way, I was wondering if OCSP
> > >> is going to be included? This is being required by more and more
> > >> people these days (like the US government).
> > >>
> > >> If there are no plans to include it yet, how can this issue be
> > >> escalated? I see that OCSP support is bundled into the new JDKs,
> > >> does this mean that it would not be too difficult for an
> > >> enterprising (and desperate) developer to tackle?
> > >>
> > >> Mark
> > >>
> > >> -----Original Message-----
> > >> From: Velpi [mailto:velpi@industria.be]
> > >> Sent: Monday, July 31, 2006 4:33 AM
> > >> To: Tomcat Users List
> > >> Subject: Re: Tomcat and OCSP
> > >>
> > >> > Does the new support for OCSP in Java 5.0 have any impact on how
> > >> > certificates are handled in Tomcat?
> > >> > http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html
> > >> >
> > >> > It looks like it might just work if it is set up right in the
> > >> > java property files. I checked the mailing list archives and
> > >> > found a few old references to OCSP, but nothing definitive. Any
> > >> > guidance would be greatly appreciated.
> > >>
> > >> I'm trying to set this up too. Did you get it up and running
> > >> properly yet? (any hints?)
> > >>
> > >> -- Velpi
> > >>
> > >> ---------------------------------------------------------------------
> > >> To start a new topic, e-mail: users@tomcat.apache.org
> > >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > >> For additional commands, e-mail: users-help@tomcat.apache.org



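As an added example of the "just turn it on from the JDK" path the thread is circling (this is not Tomcat's code nor anything posted in the thread): a stand-alone Java program that validates a client certificate chain with the standard PKIX API and the Java 5 `ocsp.enable` security property, so the responder location is read from each certificate's Authority Information Access extension, which is what Mark means by the revocation server being "built into the certificates". It assumes a JKS trust store and DER or PEM certificate files passed on the command line; the `ocsp.responderURL` host shown is a placeholder.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

public class OcspChainCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: OcspChainCheck <truststore.jks> <password> <leaf.cer> [issuer.cer ...]");
            System.exit(2);
        }
        // "ocsp.enable" makes the PKIX validator query the responder named in each
        // certificate's AIA extension; the same line in the JRE's java.security file works too.
        Security.setProperty("ocsp.enable", "true");
        // Only needed when the certificates carry no AIA URL (placeholder host, assumed).
        // Security.setProperty("ocsp.responderURL", "http://ocsp.example.invalid/");
        // Trust anchors: every certificate entry in the trust store.
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new FileInputStream(args[0]), args[1].toCharArray());
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ts.getCertificate(alias), null));
            }
        }
        // The chain is built leaf first, as CertPathValidator expects; the issuer
        // certificate must be present so the OCSP response signature can be verified.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<Certificate>();
        for (int i = 2; i < args.length; i++) {
            chain.add(cf.generateCertificate(new FileInputStream(args[i])));
        }
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        // Without this, ocsp.enable is ignored and revocation is never consulted.
        // With it, and no reachable responder or CRL, validation fails closed.
        params.setRevocationEnabled(true);
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("chain OK, anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException ex) {
            // Revoked, expired, untrusted or status unknown: reject the client either way.
            System.out.println("chain REJECTED: " + ex.getMessage());
            System.exit(1);
        }
    }
}
```

The validity-period check that Bill notes Tomcat repeats for CLIENT-CERT is already part of PKIX validation here, so an expired certificate surfaces as a `CertPathValidatorException` rather than a separate date comparison.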


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

