On 2020-02-29 at 12:13, Mark Thomas wrote:
On 29/02/2020 11:07, Michael Osipov wrote:
On 2020-02-29 at 12:05, Mark Thomas wrote:
On 29/02/2020 10:40, Michael Osipov wrote:

<snip/>

Tomcat does not support renegotiation of TLS contexts based
on URLs like HTTPd.

Yes it does.

If you specify CLIENT-CERT auth for a sub-set of URLs Tomcat will
trigger a renegotiation when one of those URLs is requested.

You don't have the same fine-grained control you have in httpd but you
can replicate the typical use cases.

Really? If I say require client cert auth on the connector, it will be
enforced even on those contexts which do not require authentication?!

If you required auth on the connector it always applies.

However, if you don't require it at the connector level you can require
it for a subset of URLs with security constraints and Tomcat will
trigger any required renegotiations.

Mark,

this makes me wonder whether Tomcat properly implements RFC 7540, section 9.2.1 and RFC 8740, section 3. From my understanding the configuration you have described MUST fail here.

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
