tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: svn commit: r1074675 - in /tomcat/trunk: java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ webapps/docs/
Date Mon, 28 Feb 2011 18:36:58 GMT
Just a little bit more on this.
I'm not seeing where SSLAuthenticator.java validates that the request came in on an SSL connection,
and what if the SSL cert came from mod_jk?
I'm not sure what the requirements for CERT authentication are, but if it is that the cert
MUST be validated against a trust store, then this valve must make sure that the validation
actually has taken place.

Filip


On 2/28/2011 11:06 AM, Filip Hanik - Dev Lists wrote:
> On 2/27/2011 4:30 AM, Mark Thomas wrote:
>>> On 25/02/2011 20:16, Filip Hanik - Dev Lists wrote:
>>>> The simplest solution would be to use an individual selector.
>>>> Register the socket and issue a select() on the thread you are running on.
>>>> If you want to use a shared selector (like NIO does for reads and
>>>> writes) it requires a bit more logic.
>> I have implemented the simple solution and based on a quick test with
>> the Eclipse debugger the handshake now blocks while waiting for client data.
>>
>> A review would be good since my understanding of NIO is not as good as
>> yours.
> My initial recommendation is to pull out this change, and as default behavior, throw
> an exception if the SSLAuthenticator is trying to authenticate and the need-client-auth
> is not configured.
>
> There is much complexity in implementing the renegotiation without a unit test case,
> as there are both application buffers and network buffers in the NIO implementation
> that will need to be tested more carefully.
>
> So for the sake of not holding up releases, implement the exception case first, where
> you force the user to configure client authentication, until there is a configuration
> that we are more comfortable with.
>
> best
> Filip
>
>> Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
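Filip's two checks above, that the request really arrived over SSL and that the certificate chain was really validated against a trust store, as an added example that is not from this thread and is not Tomcat's SSLAuthenticator: a hypothetical Tomcat 7 Valve (the class name, the setter names and the server.xml attributes are invented for the example; Java 7+ is assumed) that refuses to pass a request on unless both conditions hold. It creates no Principal; it only enforces the preconditions an authenticator should find satisfied before it trusts a certificate.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical valve (example code, not Tomcat's SSLAuthenticator). It lets a request
 * through only if (1) this request arrived over TLS as far as the connector knows and
 * (2) the presented client chain validates against a trust store this valve loaded itself.
 * Configured as: <Valve className="..." trustStoreFile="..." trustStorePassword="..."/>
 */
public class VerifiedClientCertValve extends ValveBase {
    // Same attribute name Tomcat uses for the client chain (Globals.CERTIFICATES_ATTR).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private String trustStoreFile;      // assumed attribute names, set by Tomcat via the setters
    private String trustStorePassword;
    private volatile KeyStore trustStore;

    public void setTrustStoreFile(String f) { trustStoreFile = f; }
    public void setTrustStorePassword(String p) { trustStorePassword = p; }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // A forwarded certificate (AJP/mod_jk, or any proxy header) is just data from the
        // previous hop. isSecure() is what the connector believes about the transport.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate authentication requires TLS");
            return;
        }
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no client certificate");
            return;
        }
        // Do not assume the connector (or the proxy in front of it) validated the chain:
        // validate it here against our own trust anchors and fail closed on any error.
        try {
            validateChain(chain, trustStore());
        } catch (GeneralSecurityException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate not trusted: " + e.getMessage());
            return;
        }
        getNext().invoke(request, response);
    }

    /** PKIX path validation of the presented chain against the anchors in the given key store. */
    static void validateChain(X509Certificate[] chain, KeyStore anchors) throws GeneralSecurityException {
        List<X509Certificate> certs = new ArrayList<X509Certificate>(Arrays.asList(chain));
        // PKIX expects the path without the trust anchor itself: drop a trailing root we already trust.
        X509Certificate last = certs.get(certs.size() - 1);
        if (certs.size() > 1 && anchors.getCertificateAlias(last) != null) {
            certs.remove(certs.size() - 1);
        }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        PKIXParameters params = new PKIXParameters(anchors);
        // Assumption for this example only: revocation is checked elsewhere. With CRLs or OCSP
        // configured, leave the default (enabled) so that a revoked cert fails validation.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** Lazily load the trust store from the configured file; the result is cached for the valve's lifetime. */
    private KeyStore trustStore() throws IOException, GeneralSecurityException {
        KeyStore ks = trustStore;
        if (ks == null) {
            synchronized (this) {
                if (trustStore == null) {
                    ks = KeyStore.getInstance(KeyStore.getDefaultType());
                    try (InputStream in = new FileInputStream(trustStoreFile)) {
                        ks.load(in, trustStorePassword == null ? null : trustStorePassword.toCharArray());
                    }
                    trustStore = ks;
                }
                ks = trustStore;
            }
        }
        return ks;
    }
}
```

On an AJP connector, request.isSecure() is itself derived from what mod_jk reports in the AJP request (or from secure="true" on the connector), so the first check on its own cannot tell a handshake on this connector from one the proxy claims to have done; the PKIX validation against a trust store the valve loaded itself is the check that does not depend on how the front end was configured. Disabling revocation checking is an explicit assumption of the example, not a recommendation.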


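The "individual selector" approach Filip describes in the quoted part (register the socket and issue a select() on the thread you are running on), as an added example that is neither Mark's commit nor Tomcat's NIO code: a blocking read on a non-blocking SocketChannel using a selector private to the calling thread, with a timeout so that a client which never answers a renegotiation request cannot pin the thread forever. The main() drives it over a loopback connection constructed for the demo; Java 8+ is assumed for the lambda.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.SocketTimeoutException;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
import java.nio.channels.Selector;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.TimeUnit;

/** Example code, not Tomcat's: block the current thread until a non-blocking channel has data. */
public final class BlockingReadHelper {
    private BlockingReadHelper() {}

    /**
     * Read from a channel that is in non-blocking mode as if it were blocking. A selector
     * private to this thread is opened, the channel is registered for OP_READ and we
     * select() until data arrives, the peer closes, or the timeout expires.
     * Returns the number of bytes read, or -1 on end of stream.
     */
    public static int readBlocking(SocketChannel channel, ByteBuffer dst, long timeoutMillis)
            throws IOException {
        int n = channel.read(dst);           // fast path: data already available
        if (n != 0) return n;                // bytes read or EOF (-1)
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis);
        try (Selector selector = Selector.open()) {   // closing it deregisters the channel again
            SelectionKey key = channel.register(selector, SelectionKey.OP_READ);
            try {
                while (true) {
                    long remainingMs = TimeUnit.NANOSECONDS.toMillis(deadline - System.nanoTime());
                    if (remainingMs <= 0) {
                        throw new SocketTimeoutException("no client data within " + timeoutMillis + " ms");
                    }
                    if (selector.select(remainingMs) == 0) continue;  // wakeup without readiness
                    selector.selectedKeys().clear();
                    n = channel.read(dst);
                    if (n != 0) return n;    // data or EOF; 0 means a spurious readiness, loop again
                }
            } finally {
                key.cancel();
            }
        }
    }

    /** Loopback demo constructed for the example: one side writes after a delay, the other blocks for it. */
    public static void main(String[] args) throws IOException {
        try (ServerSocketChannel server = ServerSocketChannel.open()) {
            server.bind(new InetSocketAddress("127.0.0.1", 0));
            try (SocketChannel client = SocketChannel.open(server.getLocalAddress());
                 SocketChannel accepted = server.accept()) {
                accepted.configureBlocking(false);   // register() requires non-blocking mode
                new Thread(() -> {
                    try {
                        Thread.sleep(200);           // make sure the reader really has to wait
                        client.write(ByteBuffer.wrap("hello".getBytes(StandardCharsets.US_ASCII)));
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                }).start();
                ByteBuffer buf = ByteBuffer.allocate(64);
                int n = readBlocking(accepted, buf, 5000);
                buf.flip();
                System.out.println("read " + n + " bytes: " + StandardCharsets.US_ASCII.decode(buf));
            }
        }
    }
}
```

The helper only behaves cleanly if the shared poller is not also interested in OP_READ on this channel while the handshake is in progress; otherwise the poller thread and this thread race for the same bytes. That is the extra logic Filip refers to for the shared-selector variant, and the reason the per-thread selector is the simpler option.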