tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Any way to fix bug 46950 without a change to tcnative?
Date Thu, 16 Apr 2009 10:38:26 GMT
William A. Rowe, Jr. wrote:
> William A. Rowe, Jr. wrote:
>> Mark Thomas wrote:
>>> Folks,
>>>
>>> I have been looking at bug 46950 [1]. Everything is fine with the BIO
>>> connector but with APR the renegotiation fails to trigger a request for
>>> the user's certificate. I assume that this is because the socket is
>>> still associated with an SSLContext where the SSLVerifyClient is
>>> something other than "require".
>>>
>>> I can't see any obvious ways to fix this without either modifying the
>>> native code or adding a new method to the native interface. Can anyone
>>> see differently? Any pointers to a pure Java solution would be great.
>> I'd expect this to be solved in tcnative, at least exposing the correct
>> hooks.  It's non-trivial, you might have a look at how mod_ssl handles
>> renegotiation.
> 
> I meant to add...
> 
> tcnative or otherwise, it's critical to exhaust the client's transmission
> prior to initiating the renegotiation sequence.  Often this means slurping
> the entire contents of the POST body prior to negotiating the client cert.

Thanks for the confirmation. The request is already read and buffered.
We 'just' need the renegotiation to require an SSL cert.

I'll try and take a look at this but I'll probably need some help with
the C code. First step will be to get tcnative building and I haven't
looked at that since I moved to 64-bit Windows.

All good fun :)

Mark
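As an added illustration of the sequence discussed in this thread (not code from the page, from Tomcat, or from tcnative): the JSSE/BIO-style order of operations, in which the buffered request body is fully consumed before the renegotiation that requires a client certificate is started. The class and method names, the assumption that the request headers have already been parsed and the Content-Length is known, and the timeout values are all assumptions of this example.

```java
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.net.SocketTimeoutException;
import java.security.cert.Certificate;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/**
 * Illustrative example only (hypothetical names; not Tomcat or tcnative code).
 * Shows the order the thread insists on: exhaust the client's transmission,
 * THEN renegotiate with a client certificate required. Assumes a blocking
 * JSSE SSLSocket whose request headers were already parsed.
 */
public class RenegotiateForClientCert {

    /** Step 1: exhaust the client's transmission by reading exactly contentLength body bytes. */
    static byte[] drainBody(InputStream in, int contentLength) throws IOException {
        byte[] body = new byte[contentLength];
        int off = 0;
        while (off < contentLength) {
            int n = in.read(body, off, contentLength - off);
            if (n < 0) throw new EOFException("client closed before the body was complete");
            off += n;
        }
        return body;
    }

    /**
     * Step 2: renegotiate with a client certificate now required ("require", not "want").
     * On an already-established SSLSocket, startHandshake() only kicks the renegotiation off;
     * the handshake records are processed by later I/O on the socket, so this method polls
     * with short reads until the HandshakeCompletedListener fires. Because drainBody() ran
     * first, those reads see only handshake records and do not swallow application data.
     */
    static Certificate[] requireClientCert(SSLSocket sock, int timeoutMillis) throws IOException {
        final AtomicBoolean done = new AtomicBoolean(false);
        HandshakeCompletedListener listener = new HandshakeCompletedListener() {
            public void handshakeCompleted(HandshakeCompletedEvent e) { done.set(true); }
        };
        sock.addHandshakeCompletedListener(listener);
        int oldTimeout = sock.getSoTimeout();
        try {
            sock.setNeedClientAuth(true);     // the initial handshake ran with "want" or "none"
            sock.startHandshake();            // sends HelloRequest; does not block until completion
            sock.setSoTimeout(1000);          // 1s per read so the deadline below is honoured
            byte[] b = new byte[1];
            long deadline = System.currentTimeMillis() + timeoutMillis;
            while (!done.get()) {
                if (System.currentTimeMillis() > deadline) {
                    throw new IOException("client certificate renegotiation timed out");
                }
                try {
                    // Drives the handshake; returns only if the client sends application data
                    // (e.g. a pipelined request), which this example treats as a protocol error.
                    int n = sock.getInputStream().read(b);
                    if (n < 0) throw new EOFException("client closed during renegotiation");
                    if (n > 0) throw new IOException("unexpected application data during renegotiation");
                } catch (SocketTimeoutException ignored) {
                    // no record within 1s; loop and re-check the deadline
                }
            }
            // A failed "require" handshake surfaces as an SSLHandshakeException from read() above.
            return sock.getSession().getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new IOException("client did not present a certificate", e);
        } finally {
            sock.removeHandshakeCompletedListener(listener);
            sock.setSoTimeout(oldTimeout);
        }
    }
}
```

A caller would invoke `drainBody(sock.getInputStream(), contentLength)` first and only then `requireClientCert(sock, 60000)`; reversing the two means the polling reads in step 2 consume POST body bytes as if they were handshake traffic, which is the failure mode the thread warns about.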



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

