Remy Maucherat <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> >>If PureTLS isn't compatible with IBM JVM, then fine, but I can't see
> >>its usefulness.
> > It shouldn't be incompatible. What's going on here is a provider
> > c
ooks to me like a standard password
conflict. Are you sure you have the right password?
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
Costin Manolache <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
>
> > Dirk-Willem van Gulik <[EMAIL PROTECTED]> writes:
> >
> >> > ID provides a statistical probability of collision so low that
> >> > there is no need to explicitly chec
". This isn't exactly
what I would use but it's roughly equivalent.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
ropose, but it's sort of
like saying "maybe I should wear a helmet at all times
because a meteor might drop on my head". Sure, it could happen,
btu it's not the thing I'd worry about.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
ively the same thing.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
Costin Manolache <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
>
> > Jim Jagielski <[EMAIL PROTECTED]> writes:
> >
> >> Eric Rescorla wrote:
> >> >
> >> > Glenn Olander <[EMAIL PROTECTED]> writes:
> >> > &g
ently wide session
ID provides a statistical probability of collision so low that
there is no need to explicitly check for uniqueness.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
ern security
depends on this.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
Jim Jagielski <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> >
> > Glenn Olander <[EMAIL PROTECTED]> writes:
> > > 5) The strength of the PRNG is largely irrelevant
> > >
> > > As a user, I wouldn't trust any solution which lacks
plausible position in view
of the fact that all of our security mechanisms absolutely
depend on statistical uniqueness of randomly generated large
numbers.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail:
Dirk-Willem van Gulik <[EMAIL PROTECTED]> writes:
> On 9 Jan 2003, Eric Rescorla wrote:
>
> > Remy Maucherat <[EMAIL PROTECTED]> writes:
> > > - A MD5 hash occurs after getting the SecureRandom. This looks like a
> > > mistake, and decreases the
is pointless but it shouldn't decrease the
quality of the randomness to any interesting degree.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional c
"Bill Barker" <[EMAIL PROTECTED]> writes:
> As far as I can tell, ManagerBase could really use your expertise on this.
> The current algorithm is really bad :-(
Ok. I've read the current code, which, as you say, is rather complicated.
As far as I can tell, here's how it works:
INITIALIZATION
(1) G
stem data.
the probability that two sufficiently long random numbers
(e.g. 16 bytes) will collide is vanishing. (E.g. with a 16-byte
session ID, you'd have to generate > 2^60 session IDs to have
a reasonable chance of collision.
-Ekr
--
[Eric Rescorla [E
et.
That said, you're probably better off using self-signed RSA
certificates since a fair number of SSL/TLS implementations
do not support anonymous DH (e.g. almost no browsers do.)
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
-
-1. I like the current style better. I have lots of different
> Tomcat 4.x repositories (4.0.4-b3, 4.0.x, 4.1.x, 4.0.3), and if the build
> was ../build, I'd have lots of nasty conflicts between the different copies.
I agree with Remy here.
-Ekr
--
[Eric Rescorla
CTION_REQ_SSL_ATTRIBUTE).
This code calls the sslSupport class which automatically translates
from the underlying implementation to a vector j.s.c.X509Certificate.
The actual translators live in o.a.t.u.net.{JSSE,PureTLS}Support.
-Ekr
--
[Eric Rescorla [EMAIL PRO
iguration
perspective (they take different keying material and slightly
different configuration flags) so this is a support problem.
It sounds like you're suggesting that in some future release we
should simply use PureTLS rather than switch-hitting. Is that
what you meant?
-Ekr
--
[E
t enough to not try to build these if you
don't have JSSE. I'm still not completely clear on the circumstances
in which these classes would get used.
In any case, the future we're moving toward will be all Coyote
in which case you won't need these classes at all.
#x27;t have a complete
regression harness either. (Incidentally, does someone have such a thing
that can be run before checkin?)
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
nt of the commits I made today, but it would be nice
if someone could test them or look them over or something before we call
them soup :)
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:
Eric Rescorla <[EMAIL PROTECTED]> writes:
> "Bill Barker" <[EMAIL PROTECTED]> writes:
> > What I'm suggesting is to change o.a.c.tc4.CoyoteRequest.getAttribute to
> > something like:
> >
> > public Object getAttribute(String name
o be
> consistent.
What changes would we need here?
Thanks,
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
"Bill Barker" <[EMAIL PROTECTED]> writes:
> From: "Eric Rescorla" <[EMAIL PROTECTED]>
> > "Bill Barker" <[EMAIL PROTECTED]> writes:
> > > Also, somebody in o.a.c.tomcat4 needs to fire the
> ACTION_REQ_SSL_ATTRIBUTE
> > >
the code
for this already in Tomcat somewhere?
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
ction of spec changes
> between 2.2 & 2.3 than design).
I tend to agree. I'll put it in postParseRequest unless someone
objects.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
"Bill Barker" <[EMAIL PROTECTED]> writes:
> From: "Eric Rescorla" <[EMAIL PROTECTED]>
> I assume you mean actions. They are defined in o.a.c.ActionCode, and
> processed by somebody implementing o.a.c.ActionHook (both under the "coyote"
Nick Betteridge <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> >
> > This didn't make it out the first time so I'm resending...
> >
> > I'm looking at what needs to be done to make the 3.3 SSL portablity
> > stuff work properly with
t location)?
I can arrange for this to get called, but I'm not even sure where
to look to arrange it.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For addit
This didn't make it out the first time so I'm resending...
I'm looking at what needs to be done to make the 3.3 SSL portablity
stuff work properly with Coyote. For the most part, this work has been
done--if you set the SSLImplementation appropriately and the correct
factory gets invoked. However,
t
> > methods ( req.getAttribute() or similar ).
>
> Yes, unfortunately, I don't see a way to make it work.
Yes, it sounds like the calling code will have to change. How bad
will that be?
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
the right thing ( like getAttribute for certs, etc ).
>
> I'm not sure about it, but it doesn't look like client-cert would work with
> PureTLS.
Hmm... I need to dig into this. Why do you think it wouldn't?
-Ekr
--
[Eric Rescorla [EMAIL PRO
te.
(2) The server has the appropriate CA for that certificate?
What do the server log files say?
You might try using ssldump (http://www.rtfm.com/ssldump) to
see what's going on.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://w
Nick Betteridge <[EMAIL PROTECTED]> writes:
> I've written the TLS socket but haven't been able to get around to
> testing it yet - swamped.
I know how that is.
> The socket also has a certificate factory to enable certificates to be
> read from a variety of sources.
This seems like a nice additi
nately, if someone
can commit to giving my code a thorough review, I'll take a crack
at it myself.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
release a first beta of 4.0.3 on 03/01 (depending
> on the vote on item 'C' above, the release cycle may be shorter or longer):
>
> +1 [ ] I support the release, and I will help
> +0 [ ] I support the release
> -0 [ ] I don't support
I haven't had
time to move the 3.3. patches over to 4.0. If someone else
wants to do it, I'll be happy to advise. Otherwise I'll shoot
for sometime in March.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To uns
rts
both (most do) uses the same abstraction for both with a control
flag to indicate which ones to support.
> Just one question - are tls socket factories available for tomcat?
Yes. The PureTLS and JSSE socket factories support SSLv3 and TLS.
-Ekr
--
[Eric Rescorla
rg.apache.catalina.startup.Catalina.process(Catalina.java:179)
> at java.lang.reflect.Method.invoke(Native Method)
> at
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)
>
> Is there any answer?
I'd guess that this is a password problem.
-Ekr
uot; the client or server?
(2) Does the other side give you an error (i.e. check the server
logs).
(3) Can you capture an ssldump (http://www.rtfm.com/ssldump) of the
transaction?
If you really get stuck, you can always use PureTLS, which can
use OpenSSL-generated certs directly :)
-Ekr
--
[Er
n recently) that they will
resume that previous session. Clients and servers can flush the
session cache at any time.
Session IDs aren't really a complete substitute for cookies.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and
to use since I didn't see it in the Servlet 2.3 spec. Which spec
is this string defined in?
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
"Bill Barker" <[EMAIL PROTECTED]> writes:
> Since no one else responded, I've gone ahead and checked in Eric's changes.
> I haven't actually tried to build against PureTLS, but I assume that Eric
> has.
I did, but I'll check it out myself and make sure that it works.
You did check that it works i
it doesn't look very
difficult so if someone just pings me when it's ready to be adapted :)
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
gz. If someone
wants them mailed to the list I'm happy to do so.
Note: These changes only work properly with the latest PureTLS snapshot:
20011130 (though they should work fine if you're compiling without
PureTLS at all as well).
-Ekr
--
[Eric Rescorla [E
I'd finished adding portable SSL support to Tomcat and was
testing it when I ran into an interesting snag. Roughly,
the way things work is as follows (spread out over a number
of classes)
Socket s=accept();
PushbackInputStream is=new PushbackInputStream
(s.getInputStrea
tually performing
client auth. Can you get an ssldump trace of the connection?
(you can get ssldump from http://www.rtfm.com/ssldump). You'll
want to use the -A and -N flags.
Once we know what's happening we can try to figure out why.
-Ekr
--
[Eric Rescorla
h Ajp as well. For the moment,
though, I agree that it belongs in Http10Interceptor.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
"William Barker" <[EMAIL PROTECTED]> writes:
> > jean-frederic clere <[EMAIL PROTECTED]> writes:
> > > Eric Rescorla wrote:
> > > > A few issues remain:
> > > > (I) Is portability to JDK 1.1.x desirable/a requirement?
jean-frederic clere <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> > A few issues remain:
> > (I) Is portability to JDK 1.1.x desirable/a requirement? Both the
> > existing JSSE code and my new code rely upon java.security.cert.*
> > which was introduced
chain, etc)
and store that as individual attributes.
>From a cursory scan of the code it's not clear to me what would
be most consistent with traditional practice. Do people have
opinions?
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
Author
jean-frederic clere <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> > <[EMAIL PROTECTED]> writes:
> > > One simple workaround could be to abstract acceptSocket() too ( i.e. make
> > > it a method in ServerSocketFactory or SSLSupport).
> > Yes
ce for
SSLSupport to allow the possibility of not having wrapper classes
in some situations.
That said, having lots of interfaces does seem to be the Java way, no?
(Worse yet, I've been switching back and forth between Java and C++ so
I suffer from idiom inertia.)
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
jean-frederic clere <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> >
> > As discussed on the list previously, I'm working on changing the SSL
> > interfaces in Tomcat to make them more portable to various SSL
> > toolkits, in particular Pure
As discussed on the list previously, I'm working on changing the SSL
interfaces in Tomcat to make them more portable to various SSL
toolkits, in particular PureTLS. In the process I've run into some
issues that I wanted to run by the list.
1. I don't see how to make the switch-hit via a configura
56 matches
Mail list logo
