Subject: svn commit: r490037 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java webapps/docs/config/http.xml webapps/docs/ssl-howto.xml
Date: Sun, 24 Dec 2006 16:29:28 -0000
To: tomcat-dev@jakarta.apache.org
From: yoavs@apache.org X-Mailer: svnmailer-1.1.0 Message-Id: <20061224162928.834491A981A@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: yoavs Date: Sun Dec 24 08:29:27 2006 New Revision: 490037 URL: http://svn.apache.org/viewvc?view=rev&rev=490037 Log: Bugzilla 34643: better documentation of per-user / per-session clientAuth usage. Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java tomcat/container/tc5.5.x/webapps/docs/config/http.xml tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java?view=diff&rev=490037&r1=490036&r2=490037 ============================================================================== --- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java (original) +++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java Sun Dec 24 08:29:27 2006 @@ -38,6 +38,9 @@ * An Authenticator and Valve implementation of authentication * that utilizes SSL certificates to identify client users. * + * You will likely want to read the SSL HowTo in the Tomcat documentation: + * http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html + * * @author Craig R. McClanahan * @version $Revision$ $Date$ */ Modified: tomcat/container/tc5.5.x/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/config/http.xml?view=diff&rev=490037&r1=490036&r2=490037 ============================================================================== --- tomcat/container/tc5.5.x/webapps/docs/config/http.xml (original) +++ tomcat/container/tc5.5.x/webapps/docs/config/http.xml Sun Dec 24 08:29:27 2006 
@@ -423,7 +423,8 @@ value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication. See the - SSL HowTo for an example.

+ SSL HowTo for an example. That SSL HowTo + also contains tips on using per-user or per-session certificate-based clientAuth.

Modified: tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml?view=diff&rev=490037&r1=490036&r2=490037 ============================================================================== --- tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml (original) +++ tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml Sun Dec 24 08:29:27 2006 @@ -8,7 +8,7 @@ Christopher Cain - Yoav Shapira + Yoav Shapira SSL Configuration HOW-TO @@ -288,7 +288,7 @@

Note: your private key password and keystore password should be the same. If they differ, you will get an error along the lines of java.io.IOException: Cannot recover key, as documented in -Bugzilla issue 38217, +Bugzilla 38217, which contains further references for this issue.

@@ -350,6 +350,9 @@ all SSL clients to present a client Certificate in order to use this socket. Set this value to want if you want Tomcat to request a client Certificate, but not fail if one isn't presented. + For using clientAuth on a per-user or per-session basis, check out + the tips in + Bugzilla 34643. @@ -558,6 +561,13 @@ For additional discussion on this area, please see Bugzilla.

+ +

For tips on using clientAuth on a per-user or per-session basis, and also for +using clientAuth with self-signed or expired client certificates, please see the +discussion in +Bugzilla 34643. +

+
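
Review bot: In the SSLAuthenticator.java hunk (@@ -38,6 +38,9 @@), the added Javadoc hard-codes the branch-specific URL http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, which will point at the wrong release's documentation once this class comment is merged or copied to another branch. Consider referring to the SSL HowTo by name and naming the attribute the reader should look up (clientAuth), so the comment stays useful if the URL moves.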
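
Review bot: In the http.xml hunk (@@ -423,7 +423,8 @@), the added sentence "That SSL HowTo also contains tips on using per-user or per-session certificate-based clientAuth" promises tips that the HowTo does not contain: the ssl-howto.xml changes in this same commit only add pointers to Bugzilla 34643. Either say that the HowTo links to the Bugzilla discussion, or put the guidance itself in the HowTo. "That SSL HowTo" would also read better as "The SSL HowTo".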
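
Review bot: In the ssl-howto.xml hunk at @@ -350,6 +350,9 @@, the clientAuth attribute description sends the reader to "the tips in Bugzilla 34643" instead of documenting the setup, although the log message describes this commit as better documentation of per-user / per-session clientAuth usage. A bug thread is an unedited discussion that can hold superseded or conflicting suggestions. A short summary here of the recommended configuration would let readers set this up without reading the thread; the http.xml text already states the key behaviour, that no certificate chain is required unless the client requests a resource protected by a CLIENT-CERT security constraint. "check out" is also more informal than the surrounding text.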
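
Review bot: In the ssl-howto.xml hunk at @@ -558,6 +561,13 @@, the new paragraph widens the pointer to "using clientAuth with self-signed or expired client certificates", which the log message does not mention and which the HowTo itself says nothing further about. Accepting self-signed or expired client certificates changes what a successful CLIENT-CERT authentication proves, so it deserves its own sentence in the HowTo saying when that is appropriate, rather than only a link to a bug discussion. The paragraph also repeats the Bugzilla 34643 pointer added at @@ -350,6 +350,9 @@; one of the two could cross-reference the other.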