"GOMEZ Henri" <[EMAIL PROTECTED]> writes:
> >> Hum, JSSE is still required in part of the code, outside HTTP
> >> connector world.
> >>
> >> org.apache.catalina.net.SSLServerSocketFactory require JSSE.
> >>
> >> JCERT is needed by org.apache.catalina.valves.CertificatesValve.
> >Well, Ant is smart enough to not try to build these if you
> >don't have JSSE. I'm still not completely clear on the circumstances
> >in which these classes would get used.
> >
> >In any case, the future we're moving toward will be all Coyote
> >in which case you won't need these classes at all. Is that your
> >understanding as well?
>
> Yes, I hope we could in fine use the OSS's PureTLS/Cryptix
> instead of JSSE for all cert/net/ssl, instead of JSSE,
> even if this one is present in JDK 1.4.
>
> But in the interim, we'll have to use the same mechanism that
> the one present in TC 3.3.1, i.e. auto detection of present
> API (JSSE/PURETLS) and use of the corresponding factories

It seems to me that there are three issues:
(1) What's the status of the current direct JSSE-using code in Catalina?

As far as I can tell, the current direct JSSE-using code in Catalina (i.e. o.a.c.valves.CertificatesValve and o.a.c.net.SSLServerSocketFactory) is completely superseded by the switch-hitting code in Coyote. Are there some circumstances under which these classes will be required at all? If not, let's remove them.

(2) Does PureTLS work with 4.1.3b1?

Prior to my checkin on May 28, the switch-hitting support in Coyote didn't work properly with PureTLS. The right stuff is in the tree, so this is presumably just a version skew problem.

(3) What SSL implementation should Tomcat use?

The current code in Coyote switch-hits between JSSE and PureTLS depending on what's there. This has the advantage that people who want to use JSSE can. It has the disadvantage that JSSE and PureTLS are not direct substitutes from a configuration perspective (they take different keying material and slightly different configuration flags), so this is a support problem.

It sounds like you're suggesting that in some future release we should simply use PureTLS rather than switch-hitting. Is that what you meant?

-Ekr

--
[Eric Rescorla <[EMAIL PROTECTED]>]
http://www.rtfm.com/