Just a little bit more on this.
I'm not seeing where SSLAuthenticator.java validates that the request came in
on an SSL connection, and what if the SSL cert came from mod_jk?
I'm not sure what the requirements for CERT authentication are, but if it is that the cert MUST be validated against a trust store, then this
valve must make sure that the validation actually has taken place.
Filip
On 2/28/2011 11:06 AM, Filip Hanik - Dev Lists wrote:
On 2/27/2011 4:30 AM, Mark Thomas wrote:
On 25/02/2011 20:16, Filip Hanik - Dev Lists wrote:
The simplest solution would be to use an individual selector.
Register the socket and issue a select() on the thread you are running on.
If you want to use a shared selector (like NIO does for reads and
writes) it requires a bit more logic.
I have implemented the simple solution and based on a quick test with
the Eclipse debugger the handshake now blocks while waiting for client data.
A review would be good since my understanding of NIO is not as good as
yours.
My initial recommendation is to pull out this change, and as default behavior, throw an exception if the SSLAuthenticator is trying to
authenticate and the need-client-auth is not configured.
There is much complexity in implementing the renegotiation without a unit test case, as there are both application buffers and network
buffers in the NIO implementation that will need to be tested more carefully.
So for the sake of not holding up releases, implement the exception case first, where you force the user to configure client
authentication, until there is a configuration that we are more comfortable with.
best
Filip
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
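
The "individual selector" approach from the 25/02 message, as an added example (not Tomcat's code and not taken from this thread): a non-blocking channel is registered with a selector private to the calling thread, which then blocks in select() until client data arrives. `BlockingReadDemo` and `blockingRead` are hypothetical names, the loopback client is constructed for the demo, and only the wait is shown, not the SSLEngine application/network buffer handling the later message calls out.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.SocketTimeoutException;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
import java.nio.channels.Selector;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
import java.nio.charset.StandardCharsets;

public class BlockingReadDemo {
    // Hypothetical helper: block the current thread until the non-blocking
    // channel has data, using a selector that only this call owns.
    static int blockingRead(SocketChannel ch, ByteBuffer dst, long timeoutMs) throws IOException {
        int n = ch.read(dst);
        if (n != 0) return n;                    // data already buffered, or EOF (-1)
        try (Selector sel = Selector.open()) {   // individual selector, not the shared poller
            ch.register(sel, SelectionKey.OP_READ);
            if (sel.select(timeoutMs) == 0) {    // a timeout of 0 would block indefinitely
                throw new SocketTimeoutException("no client data within " + timeoutMs + " ms");
            }
            return ch.read(dst);
        }                                        // closing the selector cancels its key
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocketChannel server = ServerSocketChannel.open()) {
            server.bind(new InetSocketAddress("127.0.0.1", 0));
            InetSocketAddress addr = (InetSocketAddress) server.getLocalAddress();
            // Constructed client: connects, stays silent briefly, then sends data.
            Thread client = new Thread(() -> {
                try (SocketChannel c = SocketChannel.open(addr)) {
                    Thread.sleep(200);
                    c.write(ByteBuffer.wrap("hello".getBytes(StandardCharsets.US_ASCII)));
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            });
            client.start();
            try (SocketChannel accepted = server.accept()) {
                accepted.configureBlocking(false);   // register() requires non-blocking mode
                ByteBuffer buf = ByteBuffer.allocate(16);
                int n = blockingRead(accepted, buf, 2000);
                System.out.println("read " + n + " bytes after waiting on a private selector");
            }
            client.join();
        }
    }
}
```

The finite timeout keeps a silent peer from pinning the thread for good.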