Re: How to make CLIENT-CERT protection work?

2003-10-16 Thread Bill Barker

- Original Message -
From: Jan Luehe [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 6:38 PM
Subject: How to make CLIENT-CERT protection work?


 Consider the following scenario:

 1. Client sends POST request (with content type other than
 application/x-www-form-urlencoded) to SSL-enabled server (with
 client auth turned off).

 2. Server parses request header, and determines that the resource
 identified by the request-URI is CLIENT-CERT protected.

 3. Server's SSLAuthenticator valve reinitiates SSL handshake, w/
 client auth turned on.

 4. The server sends its HelloRequest, and expects to read the client's
 ClientHello. However, what it gets is the POST request's body which
 hadn't been read yet.

 5. SSL handshake fails.


 In order to avoid this problem, SSLAuthenticator.authenticate()
 clears the socket in the case of a POST request by reading the POST
 request's body *before* reinitiating the handshake. To read the POST
 body, it calls CoyoteRequest.getParameterMap(), which reads and
 processes the POST body only if the content type equals
 application/x-www-form-urlencoded.

 Therefore, the SSL re-handshake works according to plan if the content
 type equals application/x-www-form-urlencoded, but fails for any
 other content type.

 Should we always read the POST body in getParameterMap(), and cache it
 in a byte[] if content type is different from
 application/x-www-form-urlencoded, and have
 CoyoteRequest.getInputStream()/getReader() return wrappers around this
 byte[]?

 Any better suggestions?

It would probably be better to remove the POST check from SSLAuthenticator,
and move it to Http11Processor.action.  Then when it is processing
ACTION_REQ_SSL_CERTIFICATE, it simply needs to add a new InputFilter (say,
BufferedInputFilter) that does a full read of the Request data.


 Thanks,


 Jan



 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]




How to make CLIENT-CERT protection work?

2003-10-15 Thread Jan Luehe

Consider the following scenario:

1. Client sends POST request (with content type other than
   application/x-www-form-urlencoded) to SSL-enabled server (with
   client auth turned off).
2. Server parses request header, and determines that the resource
   identified by the request-URI is CLIENT-CERT protected.
3. Server's SSLAuthenticator valve reinitiates SSL handshake, w/
   client auth turned on.
4. The server sends its HelloRequest, and expects to read the client's
   ClientHello. However, what it gets is the POST request's body which
   hadn't been read yet.
5. SSL handshake fails.

In order to avoid this problem, SSLAuthenticator.authenticate()
clears the socket in the case of a POST request by reading the POST
request's body *before* reinitiating the handshake. To read the POST
body, it calls CoyoteRequest.getParameterMap(), which reads and
processes the POST body only if the content type equals
application/x-www-form-urlencoded.
Therefore, the SSL re-handshake works according to plan if the content
type equals application/x-www-form-urlencoded, but fails for any
other content type.
Should we always read the POST body in getParameterMap(), and cache it
in a byte[] if content type is different from
application/x-www-form-urlencoded, and have
CoyoteRequest.getInputStream()/getReader() return wrappers around this
byte[]?
Any better suggestions?

Thanks,

Jan



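Jan's "cache the body in a byte[] and hand out wrappers" idea and Bill's BufferedInputFilter amount to the same thing: read the whole POST body off the socket for every Content-Type before the re-handshake, so the next bytes the server reads are the ClientHello. The Java below is an added illustration, not Tomcat's own code; the class, method names and the size limit are assumptions, and it only handles bodies with a known Content-Length (a chunked body would need its own decoder).

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example (hypothetical class): drains the entire POST body into memory
 * before the SSL re-handshake so no application bytes are left on the socket,
 * then replays it for getInputStream()/getReader(). Unlike getParameterMap(),
 * this works for any Content-Type, not just application/x-www-form-urlencoded.
 */
public final class BufferedBodyDrain {

    /** Assumed cap: buffering unbounded bodies in memory invites DoS. */
    private static final int MAX_BUFFERED_BODY = 2 * 1024 * 1024;

    private final byte[] body;

    private BufferedBodyDrain(byte[] body) { this.body = body; }

    /**
     * Reads exactly contentLength bytes from the socket stream. Fails loudly
     * rather than renegotiating on top of a half-read body.
     */
    public static BufferedBodyDrain drain(InputStream socketIn, long contentLength)
            throws IOException {
        if (contentLength < 0) {
            throw new IOException("cannot buffer a body of unknown length before re-handshake");
        }
        if (contentLength > MAX_BUFFERED_BODY) {
            throw new IOException("POST body too large to buffer: " + contentLength);
        }
        byte[] buf = new byte[(int) contentLength];
        int off = 0;
        while (off < buf.length) {
            int n = socketIn.read(buf, off, buf.length - off);
            if (n < 0) {
                throw new EOFException("client closed before sending the full body");
            }
            off += n;
        }
        return new BufferedBodyDrain(buf);
    }

    /** A fresh stream over the cached bytes; safe to call more than once. */
    public InputStream getInputStream() { return new ByteArrayInputStream(body); }

    public int size() { return body.length; }
}
```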