tomcat-dev mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "JNDI_startTLs_HowTo" by FelixSchumacher
Date Sat, 28 Aug 2010 15:57:19 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "JNDI_startTLs_HowTo" page has been changed by FelixSchumacher.
The comment on this change is: Corrected Name and added a note about certificate/hostname check.
http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo?action=diff&rev1=2&rev2=3

--------------------------------------------------

       contextFactory="tc.startTLS.LdapTlsContextFactory />
  }}}
  
- Using the code provided by Felix Schumann in this post: http://www.mail-archive.com/users@tomcat.apache.org/msg80693.html
- You can download it here: [[attachment:LdapTlsContextFactory.java]].
+ Using the code provided by Felix Schumacher in this post: http://www.mail-archive.com/users@tomcat.apache.org/msg80693.html
- You can download it here: [[attachment:LdapTlsContextFactory.java]].
- We have to compile it into a JAR and put in a place where Tomcat can find it: `lib`. Then
we simply reference its full name in `contextFactory`. `LdapTlsContextFactory` will now do
the negotiation initialization. Afterwards the created object will be used for every authentication
attempt.
+ We have to compile it into a JAR and put in a place where Tomcat can find it: `lib`. Then
we simply reference its full name in `contextFactory`. `LdapTlsContextFactory` will now do
the negotiation initialization. Afterwards the created object will be used for every authentication
attempt. Beware that the code will not check the hostname of the server with respect to its
certificate. If you don't want this behaviour remove the call to `tls.setHostNameVerifier(...)`.
  
  == Further Steps ==
  The code probably needs auditing. More testing. And definitely more tightening: e.g.: When
starting the negotiation the client (Tomcat + `LdapTlsContextFactory`) sends an `SSLv2Hello`,
which is anything but desirable. This could be due to Sun’s poor defaults in their SSL implementation,
an oversight in the code, or because I’ve missed out a JVM startup options.
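Review bot: the note appended at the end of the second `+` block is the security-relevant part of this change, and it understates the consequence: if the server's certificate is not matched against its hostname, any party holding a certificate the JVM trusts can sit between Tomcat and the LDAP server, complete the StartTLS negotiation, and receive the credentials sent on every authentication attempt. Two corrections to the wording: the JDK method on `javax.naming.ldap.StartTlsResponse` is spelled `setHostnameVerifier`, not `setHostNameVerifier`; and the sentence should say plainly that removing the call is the secure option, because `StartTlsResponse.negotiate()` checks the certificate against the hostname by default and only skips that check when a caller-supplied verifier says the name is acceptable. Suggested replacement for the last two sentences: "Beware that the code installs a permissive HostnameVerifier, so the server's certificate is not checked against its hostname. To restore the default check, remove the call to `tls.setHostnameVerifier(...)`."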
