From: Apache Wiki
To: Apache Wiki
Mailing list: dev@tomcat.apache.org (Tomcat Developers List)
Date: Sat, 28 Aug 2010 15:57:19 -0000
Message-ID: <20100828155719.67799.58430@eosnew.apache.org>
Subject: [Tomcat Wiki] Update of "JNDI_startTLs_HowTo" by FelixSchumacher

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "JNDI_startTLs_HowTo" page has been changed by FelixSchumacher.
The comment on this change is: Corrected Name and added a note about certificate/hostname check..
http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo?action=diff&rev1=2&rev2=3

--------------------------------------------------
contextFactory="tc.startTLS.LdapTlsContextFactory />
}}}

- Using the code provided by Felix Schumann in this post: http://www.mail-archive.com/users@tomcat.apache.org/msg80693.html - You can download it here: [[attachment:LdapTlsContextFactory.java]].
+ Using the code provided by Felix Schumacher in this post: http://www.mail-archive.com/users@tomcat.apache.org/msg80693.html - You can download it here: [[attachment:LdapTlsContextFactory.java]].
- We have to compile it into a JAR and put in a place where Tomcat can find it: `lib`. Then we simply reference its full name in `contextFactory`. `LdapTlsContextFactory` will now do the negotiation initialization. Afterwards the created object will be used for every authentication attempt.
+ We have to compile it into a JAR and put in a place where Tomcat can find it: `lib`. Then we simply reference its full name in `contextFactory`. `LdapTlsContextFactory` will now do the negotiation initialization. Afterwards the created object will be used for every authentication attempt. Beware that the code will not check the hostname of the server with respect to its certificate. If you don't want this behaviour remove the call to `tls.setHostNameVerifier(...)`.

== Further Steps ==
The code probably needs auditing. More testing. And definitely more tightening: e.g.: When starting the negotiation the client (Tomcat + `LdapTlsContextFactory`) sends an `SSLv2Hello`, which is anything but desirable. This could be due to Sun’s poor defaults in their SSL implementation, an oversight in the code, or because I’ve missed out a JVM startup options.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
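Review bot: the sentence added in the second `+` line ("Beware that the code will not check the hostname of the server with respect to its certificate. If you don't want this behaviour remove the call to `tls.setHostNameVerifier(...)`") presents a security-relevant default as a matter of taste; with hostname checking suppressed, any certificate the trust store accepts completes the StartTLS negotiation, so the directory server's identity is never verified and the realm's bind credentials are sent to whoever presents such a certificate. Suggest phrasing it as a recommendation, e.g. "The shipped code disables hostname verification by calling `tls.setHostNameVerifier(...)`; remove that call in any real deployment so the server certificate is checked against the configured host name." Two smaller points on the same region: the JDK method on `javax.naming.ldap.StartTlsResponse` is spelled `setHostnameVerifier` (lower-case n), so readers searching the source for the wiki's `setHostNameVerifier` will not find it; and the unchanged context line `contextFactory="tc.startTLS.LdapTlsContextFactory />` above the hunk is missing the closing quote of the attribute value.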