Just a little bit more on this.
I'm not seeing where SSLAuthenticator.java validates that the request came in on an SSL connection, and what if the SSL cert came from mod_jk?
I'm not sure what the requirements for CERT authentication are, but if it is that the cert MUST be validated against a trust store, then this valve must make sure that the validation actually has taken place.
Filip
On 2/28/2011 11:06 AM, Filip Hanik - Dev Lists wrote:
> On 2/27/2011 4:30 AM, Mark Thomas wrote:
>>> On 25/02/2011 20:16, Filip Hanik - Dev Lists wrote:
>>>> The simplest solution would be to use an individual selector.
>>>> Register the socket and issue a select() on the thread you are running on.
>>>> If you want to use a shared selector (like NIO does for reads and
>>>> writes) it requires a bit more logic.
>> I have implemented the simple solution and based on a quick test with
>> the Eclipse debugger the handshake now blocks while waiting for client data.
>>
>> A review would be good since my understanding of NIO is not as good as
>> yours.
> My initial recommendation is to pull out this change, and as default behavior, throw an exception if the SSLAuthenticator is trying to
> authenticate and the need-client-auth is not configured.
>
> There is much complexity in implementing the renegotiation without a unit test case, as there are both application buffers and network
> buffers in the NIO implementation that will need to be tested more carefully.
>
> So for the sake of not holding up releases, implement the exception case first, where you force the user to configure client
> authentication, until there is a configuration that we are more comfortable with.
>
> best
> Filip
>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
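The check asked for in the first message above (request arrived over SSL, certificate validated against a trust store), as an added example that is not code from this thread or from Tomcat. `ClientCertGate` and `requireTrustedClientCert` are hypothetical names; the `secure` flag and `chain` are assumed to be whatever the container reports for the request.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration: ClientCertGate is a hypothetical name, not a Tomcat class.
public class ClientCertGate {
    private final X509TrustManager trustManager;

    // trustStore == null means "use the JVM's default trust store".
    public ClientCertGate(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.trustManager = found;
    }

    // secure/chain: assumed to be what the container exposes for the request,
    // possibly forwarded by a front end. Returns the leaf certificate only when
    // every check passes; any failure throws, so the caller fails closed.
    public X509Certificate requireTrustedClientCert(boolean secure, X509Certificate[] chain)
            throws CertificateException {
        if (!secure) throw new CertificateException("request did not arrive over SSL/TLS");
        if (chain == null || chain.length == 0)
            throw new CertificateException("no client certificate presented");
        // Re-validate here instead of assuming the connector or front end already did.
        trustManager.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
        return chain[0];
    }

    public static void main(String[] args) throws Exception {
        ClientCertGate gate = new ClientCertGate(null);
        boolean[] secureFlags = { false, true }; // constructed inputs, no certificate in either
        for (boolean secure : secureFlags) {
            try {
                gate.requireTrustedClientCert(secure, null);
                System.out.println("secure=" + secure + ": accepted");
            } catch (CertificateException e) {
                System.out.println("secure=" + secure + ": rejected, " + e.getMessage());
            }
        }
    }
}
```

A chain that passes this check is issued under a trusted CA; proof that the peer holds the matching private key still comes from the SSL handshake on whichever hop terminated the connection.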