https://issues.apache.org/bugzilla/show_bug.cgi?id=48208

Mark Thomas <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #3 from Mark Thomas <[email protected]> 2011-01-29 07:19:18 EST ---
Then we disagree.

Regardless of the complexity of the rules you may wish to apply, for there to
be any security at all the client certificates have to be issued by a trusted
certificate authority. The AcceptAllTrustManager is sufficiently insecure and
its use sufficiently dangerous that I do not believe it should be part of the
standard Tomcat distribution.

There should be sufficient scope within the current configuration options to
install a custom trust manager although I haven't investigated this. If that
process is excessively painful then I think an acceptable approach would be to
add support for a trustManagerClassName attribute that would override the call
to TrustManagerFactory.getTrustManagers() in a similar way to the above patch.

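The comment's point that custom rules only mean something once the client certificate chains to a trusted CA can be seen in a delegating trust manager. This is an added example, not code from the patch under discussion or from Tomcat; the class name, the organisation rule and its value are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical class: site-specific client-certificate rules on top of CA validation. */
public final class RuleCheckingTrustManager implements X509TrustManager {
    private static final String ALLOWED_ORG = "Example Corp"; // constructed sample value
    private final X509TrustManager pkix; // validates chains against the trusted CAs
    public RuleCheckingTrustManager(KeyStore trustedCas) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustedCas);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new GeneralSecurityException("no X509TrustManager available");
        pkix = found;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Step 1, never skipped: the chain must end at a CA in the trust store.
        // (An accept-all manager returns from this method without checking anything.)
        pkix.checkClientTrusted(chain, authType);
        // Step 2: extra rule, meaningful only because step 1 vouches for the subject.
        try {
            LdapName dn = new LdapName(chain[0].getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("O".equalsIgnoreCase(rdn.getType()) && ALLOWED_ORG.equals(rdn.getValue())) return;
            }
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
        throw new CertificateException("client certificate organisation not permitted");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { pkix.checkServerTrusted(chain, authType); }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
}
```

How such a class would be wired into a Tomcat connector is not shown, since the comment leaves that mechanism open.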