> Similarly for the servlet transport, though instead of a
> straight copy, in this case you'd be using a different
> mechanism for retrieving the cipher suite and peer cert (e.g.
> for Tomcat, probably the
> org.apache.tomcat.util.net.SSLSupport mechanism, dunno about
> other containers).
Actually scratch that point about the tomcat SSLSupport API.
Obviously we'd want to keep the servlet transport agnostic to the
underlying servlet container, so instead you'd be looking at pulling out
this info from the ServletRequest using the standard attributes ...
String ciphers = (String)req.getAttribute("javax.net.ssl.cipher_suite");
X509Certificate certs[] =
(X509Certificate[])req.getAttribute("javax.net.ssl.peer_certificates");
Cheers,
Eoghan
