>> WebServer -> Tomcat
>>
>> 1) SEND HEADERS + REQUEST to TC
>> 2) SEND DATA (eventually) to TC
>>
>> 3) WAIT TOMCAT REPLY
>>
>> 4) SEND BACK HEADERS + REPLY TO BROWSER
>>
>> Next in ajp14
>>
>> WebServer -> Tomcat
>>
>> 1) SEND GENERAL HEADERS + REQUEST to TC
>> 2) SEN
>> That's something I've got in mind for ajp14, written on that
>> many times already, with headers and misc information
>> to be asked by tomcat to web-server at getAttributes time
>> for example :
>
>+1 ( but not before 3.3 is final ! )
>
Sure, it will be included in ajp14 only, which is JTC
GOMEZ Henri wrote:
>
> >> +1 , and a comment on Readme.txt as is a spec compliance issue
> >>
> >> Until we find a way to cache Client Certificate Chain..
> >
> >Or we add 2 more messages in ajp13/14 - to get the chain when the user
> >requests it.
> >
> >In fact, even the client certificate shoul
On Tue, 18 Sep 2001, GOMEZ Henri wrote:
> That's something I've got in mind for ajp14, written on that
> many times already, with headers and misc information
> to be asked by tomcat to web-server at getAttributes time
> for example :
+1 ( but not before 3.3 is final ! )
Costin
>
> Currentl
>> +1 , and a comment on Readme.txt as is a spec compliance issue
>>
>> Until we find a way to cache Client Certificate Chain..
>
>Or we add 2 more messages in ajp13/14 - to get the chain when the user
>requests it.
>
>In fact, even the client certificate should be retrieved only
>on demand,
>I a
On Tue, 18 Sep 2001, Ignacio J. Ortega wrote:
> > I have found it in the 2.2 Spec's (5.7 SSL Attributes).
> > Now I have started to fix Ajp13 in jakarta-tomcat so that it
> > follows the spec's.
> > For the moment I will only return the first certificate.
>
"Ignacio J. Ortega" wrote:
>
> > I have found it in the 2.2 Spec's (5.7 SSL Attributes).
> > Now I have started to fix Ajp13 in jakarta-tomcat so that it
> > follows the spec's.
> > For the moment I will only return the first certificate.
> > Re
> I have found it in the 2.2 Spec's (5.7 SSL Attributes).
> Now I have started to fix Ajp13 in jakarta-tomcat so that it
> follows the spec's.
> For the moment I will only return the first certificate.
> Returning the complete
> chain is quite a lot of data an
"Clere, Jean-Frederic" wrote:
>
> Hi,
>
> I have patched mod_jk for TC4.0 so that the SSL Attributes follow the spec's
> (SRV.4.7).
> I have not found anything in the 2.2 spec's about it.
>
> I have noted that the "javax.servlet.cert.X509Ce
GOMEZ Henri wrote:
>>I thought the problem was that mod_ssl only passes the one cert. If it
>>somehow allows access to the whole chain, then definitely ...
>>you could
>>cache it like TC4. I'd be willing to help with that =)
>>
>
> As I said previously we only forward SSL_CLIENT_CERT,
> and t
>I thought the problem was that mod_ssl only passes the one cert. If it
>somehow allows access to the whole chain, then definitely ...
>you could
>cache it like TC4. I'd be willing to help with that =)
As I said previously we only forward SSL_CLIENT_CERT,
and to have all you'll have to pass al
Craig R. McClanahan wrote:
>
> JSSE exposes the underlying SSL session and offers an API with storable
> attributes like an HttpSession. Tomcat 4 caches its converted version of
> the cert chain there (to avoid reparsing every single time). Could you do
> something similar and transfer the cer
GOMEZ Henri wrote:
>>Is the "Connector-over-SSL" issue even addressed by the spec? If the
>>front-end web server is handling all of the authentication, then isn't
>>securing the connectors simply securing the communication channel,
>>having nothing to do with authentication?
>>
>
> I doubt th
On Mon, 17 Sep 2001, GOMEZ Henri wrote:
> Date: Mon, 17 Sep 2001 23:40:29 +0200
> From: GOMEZ Henri <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: SSL Attributes
>
> >
> >> But what did we need to have present in
Christopher Cain wrote:
[snip]
> I could be wrong, I'm just asking. If the Tomcat container itself is
> not
> involved in the authentication process, one would not expect that a
> webapp has access to the client cert anyway. Is that right?
To clarify, I meant "access to the full chain." If A
>Is the "Connector-over-SSL" issue even addressed by the spec? If the
>front-end web server is handling all of the authentication, then isn't
>securing the connectors simply securing the communication channel,
>having nothing to do with authentication?
I doubt the connector case (web-server t
Craig R. McClanahan wrote:
>
> On Mon, 17 Sep 2001, GOMEZ Henri wrote:
>
>
>>Date: Mon, 17 Sep 2001 23:17:15 +0200
>>From: GOMEZ Henri <[EMAIL PROTECTED]>
>>Reply-To: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED]
>>Subject: RE: SSL Attributes
>
>> But what did we need to have present in SPEC ?
>> client cert and ca cert or only client cert ?
>
>*All* certs in the chain are required for authentication.
>There could be
> several tiers: i.e. CA 1 signs CA 2's cert, then CA 2 signs the
>company cert. I don't know what the specs have
On Mon, 17 Sep 2001, GOMEZ Henri wrote:
> Date: Mon, 17 Sep 2001 23:17:15 +0200
> From: GOMEZ Henri <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: SSL Attributes
>
>
> >> >> Cheers
> >
GOMEZ Henri wrote:
>Cheers
>
>Jean-frederic
>
>Note:
>javax.servlet.cert.X509Certificate is in JSSE.
>java.servlet.cert.X509Certificate is in JDK (even in 1.2.2).
>
>
Not only that, the JSSE version doesn't even inherit from the
JDK version
:-(. Wh
Craig R. McClanahan wrote:
>
> On Mon, 17 Sep 2001, GOMEZ Henri wrote:
>
>
>>Date: Mon, 17 Sep 2001 23:03:36 +0200
>>From: GOMEZ Henri <[EMAIL PROTECTED]>
>>Reply-To: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED]
>>Subject: RE: SSL Attributes
>>
>> >> Cheers
>> >>
>> >> Jean-frederic
>> >>
>> >> Note:
>> >> javax.servlet.cert.X509Certificate is in JSSE.
>> >> java.servlet.cert.X509Certificate is in JDK (even in 1.2.2).
>> >>
>> >
>> >Not only that, the JSSE version doesn't even inherit from the
>> >JDK version
>> >:-(. When using JSSE (
On Mon, 17 Sep 2001, GOMEZ Henri wrote:
> Date: Mon, 17 Sep 2001 23:03:36 +0200
> From: GOMEZ Henri <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: SSL Attributes
>
> >Even in the 2.2 spec, this was required to be an arra
>Even in the 2.2 spec, this was required to be an array of certificates.
>
>What did Tomcat 3.2 do? If 3.2 does it right, this would seem to be a
>regression.
TC 3.2 also has it as a string and it's bad.
I'm strongly for having TC 3.3 handle it as indicated by SPEC.
>> Cheers
>>
>> Jean-frederic
>I have patched mod_jk for TC4.0 so that the SSL Attributes
>follow the spec's
>(SRV.4.7).
>I have not found anything in the 2.2 spec's about it.
>
>I have noted that the "javax.servlet.cert.X509Certificate" of
>TC3.3 is a String
>not an array of j
to do so, please do it ASAP ..
>
> Regards,
> Ignacio J. Ortega
>
>
>
>>-Original Message-
>>From: Christopher Cain [mailto:[EMAIL PROTECTED]]
>>Sent: Monday, September 17, 2001 20:42
>>To: [EMAIL PROTECTED]
>>Subject: Re: SSL Att
lient Certificates from IIS...
Regards,
Ignacio J. Ortega
> -Original Message-
> From: Larry Isaacs [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 17, 2001 21:53
> To: '[EMAIL PROTECTED]'
> Subject: RE: SSL Attributes
>
>
> My prefe
My preference is to have this in Tomcat 3.3 RC1.
Larry
> -Original Message-
> From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 17, 2001 3:16 PM
> To: '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject: RE: SSL Attribut
This is the message I recall from JF :)
> What should we do?:
> 1 - Update TC3.3 code so that is compatible with 2.3 spec's.
+1
Regards,
Ignacio J. Ortega
-Original Message-
> From: Christopher Cain [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 17, 2001 20:42
> To: [EMAIL PROTECTED]
> Subject: Re: SSL Attributes
>
>
>
> [EMAIL PROTECTED] wrote:
> > On Mon, 17 Sep 2001, jean-frederic clere wrote:
>
[EMAIL PROTECTED] wrote:
> On Mon, 17 Sep 2001, jean-frederic clere wrote:
>
>
>>Hi,
>>
>>I have patched mod_jk for TC4.0 so that the SSL Attributes follow the spec's
>>(SRV.4.7).
>>I have not found anything in the 2.2
On Mon, 17 Sep 2001, jean-frederic clere wrote:
> Hi,
>
> I have patched mod_jk for TC4.0 so that the SSL Attributes follow the spec's
> (SRV.4.7).
> I have not found anything in the 2.2 spec's about it.
>
> I have noted that the "javax.servlet.cert.X509Cer
On Mon, 17 Sep 2001, jean-frederic clere wrote:
> Date: Mon, 17 Sep 2001 19:00:06 +0200
> From: jean-frederic clere <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Subject: SSL Attributes
Hi,
I have patched mod_jk for TC4.0 so that the SSL Attributes follow the spec's
(SRV.4.7).
I have not found anything in the 2.2 spec's about it.
I have noted that the "javax.servlet.cert.X509Certificate" of TC3.3 is a String
not an array of java.servlet.request.X509Certific