tomcat-users mailing list archives

From Story Henry <henry.st...@bblfish.net>
Subject HOWTO setup a client auth ssl connection without verification
Date Mon, 07 Apr 2008 15:48:25 GMT
Hi,

I was looking for how I could set up an SSL connection in Tomcat 6.x in
order to force clients to present a client Certificate. But I don't  
want the server to do any verification of the certificates given to  
it. As long as the server can make sure that the client knows the private
key of the certificate I am happy.

I then want to program a servlet (or whatever the right abstraction  
level should be) to work with the X501 client key information and an  
extra header, to decide whether or not it can trust the client. The
client is not a normal web browser btw, but a semantic address book
written in Java.

Bruno Harbulot suggested I use the optional_no_ca option of Apache HTTPD
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
but I was hoping to be able to get the same effect without needing to  
use apache (as that makes setup just one step more complex).

To give you a bit of background on what I am attempting to do you can  
read up on the post I wrote recently
http://blogs.sun.com/bblfish/entry/rdfauth_sketch_of_a_buzzword

That post led Toby Inkster to suggest the following even simpler  
protocol:


