tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeremy Brown <jer...@cadre5.com>
Subject Re: SSLPeerUnverifiedException
Date Thu, 29 Apr 2004 16:02:34 GMT
QM wrote:

>On Thu, Apr 29, 2004 at 11:17:43AM -0400, Jeremy Brown wrote:
>: Just checking once more...does anyone know how I can get this message 
>: out of the logs, aside from commenting it out and recompiling Tomcat?
>
>: [included exceptions for the archives]
>: >javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>: >com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(DashoA6275) 
>: >org.apache.tomcat.util.net.jsse.JSSE14Support.getX509Certificates(JSSE14Support.java:151)

>
>Two ways, both of which require some reading on JSSE and SSL:
>
>1/ import the client certs (preferably, the client certs' CAs) into the
>keystore used by Tomcat.
>
>2/ Specify a different TrustManager, one that lets any client cert 
>   through with blind trust.
>
>#1 is clearly the safer way, if you're using client certs to
>authenticate.
>  
>

I don't *think* we're using client certs to authenticate.  I've 
generated a server SSL cert for the HTTPS connector Tomcat uses, and I 
signed it with a custom CA cert.  Is this what you're referring to?

>I don't know whether #2 is possible going through Tomcat, but chances
>are you can specify the class on the commandline with a "-D" (similar
>to how you can specify which XML toolkit to use).  Read up on the 
>TrustManager class and write an impl that doesn't check the cert.
>  
>

The problem's not that it won't let users connect (I've certainly had no 
problems), it's just that it prints the debug message to the log several 
times on every page hit by every SSL user, which on a production machine 
translates into some huge log files.  So for what I want to accomplish, 
#2 would likely involve just grepping the Tomcat source for the 
appropriate occurrence of SSLPeerUnverifiedException in its own 
TrustManager implementation, and commenting it out (since everything 
else works fine).

Thanks,

Jeremy

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message