Remy/Bill,

> Ouch, that's one nasty hack.
> -1, please revert it.
>
> There are callbacks to the processor to evaluate the SSL related
> attributes. If something is broken, this should be fixed, but using that
> pattern. I believe get/setSocket are useless, and the calls should be
> entirely removed.

I noticed the ActionHook calls to get SSL related attributes; however, CertificatesValve needs the SSLSocket in order to renegotiate an SSL handshake if the requested resource is from a webapp with this authentication constraint:

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

If the request was received through an SSL-enabled connector that does not enforce SSL client authentication, the handshake needs to be reinitiated, with client authentication enforced. In order to do that, CertificatesValve needs access to the SSLSocket, in order to call its startHandshake() method.

If the only purpose of CertificatesValve is to support the deprecated Http11Connector, which component is going to replace it and implement SSL handshake renegotiation?

Jan
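
The renegotiation step described in the message above, written against the standard JSSE API as an added example; it is not part of the original message and not Tomcat's own code. The class name `ClientCertRenegotiation` and the method `requestClientCert` are hypothetical.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.CompletableFuture;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

// Hypothetical helper for illustration; not Tomcat's CertificatesValve code.
// Applies to TLS 1.2 and earlier: TLS 1.3 removed renegotiation.
public final class ClientCertRenegotiation {

    // Asks an already-connected client for a certificate by renegotiating.
    // The future completes with the client's chain once the new handshake
    // finishes. If the client sends no certificate the handshake fails and
    // the caller's next read on the socket throws an IOException instead.
    public static CompletableFuture<X509Certificate[]> requestClientCert(SSLSocket socket)
            throws IOException {
        CompletableFuture<X509Certificate[]> result = new CompletableFuture<>();
        try {
            // Connector already enforced client auth: no second handshake needed.
            result.complete(toX509(socket.getSession().getPeerCertificates()));
            return result;
        } catch (SSLPeerUnverifiedException noCertYet) {
            // No client certificate on this session: fall through and renegotiate.
        }
        socket.addHandshakeCompletedListener(event -> {
            try {
                result.complete(toX509(event.getPeerCertificates()));
            } catch (SSLPeerUnverifiedException e) {
                result.completeExceptionally(e);
            }
        });
        // Invalidate the current session so the new handshake is a full one
        // rather than a resumption of the unauthenticated session.
        socket.getSession().invalidate();
        socket.setNeedClientAuth(true); // handshake fails unless a cert is sent
        // startHandshake() is synchronous only for the first handshake on a
        // connection; a renegotiation completes while the caller keeps
        // reading from the socket.
        socket.startHandshake();
        return result;
    }

    private static X509Certificate[] toX509(Certificate[] chain) {
        return Arrays.stream(chain)
                .filter(X509Certificate.class::isInstance)
                .map(X509Certificate.class::cast)
                .toArray(X509Certificate[]::new);
    }
}
```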