Hi, Bill:

Sorry for getting back a bit late.  I was trying to track
down the exact spec for the claim I am about to make.  But
the JSSE contact person is not available today.

I took a look at the changes you made in the coyote connector,
it seems to me that the implementation there still does
not take into consideration that the second handshake
is asynchronous.

Basically, the SSLSession.getPeerCertificateChain() will not
return anything valid until the handshake has gone through.
The JDK API doc for javax.net.ssl.SSLSocket startHandshake()
method states that it "is synchronous for the initial handshake".
I think I remembered reading somewhere that the second handshake,
which is what the connector is doing, is async.

In order to make sure the SSLSession.getPeerCertificateChain()
returns the valid certificates, you will have to register a
javax.net.ssl.HandshakeCompletedListener, which should be responsible
for supplying the Request with the appropriate client certificates.
(I'll find out which spec actually states that and email it to you).

In any case, this also seems to be the behavior I am observing.
I downloaded your fix but the client cert authentication still
fails because SSLSession.getPeerCertificateChain() contains no
valid certificates.

Thoughts?

Thanx,
Q^2



Bill Barker wrote:
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 20, 2002 11:50 PM
> Subject: cvs commit:
> jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator
> SSLAuthenticator.java
> 
> 
> 
>>billbarker    2002/09/20 23:50:30
>>
>>  Modified:    catalina/src/share/org/apache/catalina/authenticator
>>                        SSLAuthenticator.java
>>  Log:
>>  Final level in replacing CertificatesValve under Coyote.
>>
>>  This is a little hackish, but is portable to 4.x without changing the
>>  API.  Here, it should probably change once Coyote is properly exposed to
>>  Catalina.
> 
>>  If there aren't any major complaints, I'll port to the 4.1 branch later.
>>
> 
> 
> SSL authentication should be working now for TC 5.0/Coyote-standalone (at
> least for JSSE).  I've no doubt that there is a better implementation (since
> everyone knows that I'm very far from a Catalina expert :).  But that is why
> I've only committed the functional changes to the 5.0 branch.  Peer review
> is very much welcome.
> 
> 
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>



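The sequencing Q^2 describes above (second handshake kicked off by startHandshake() but completed only while the connection is being read, certificates delivered through a HandshakeCompletedListener, short-timeout read to drive it) as an added, self-contained example.  This is not Bill's connector code or anything from Tomcat; it is a small JSSE server written for this page.  Assumptions: the class name, port 8443, the two-second timeouts, a PKCS12 keystore passed on the command line that holds both the server key and the CA issuing client certificates, and the modern SSLSession/HandshakeCompletedEvent.getPeerCertificates() in place of the deprecated getPeerCertificateChain() the thread refers to.

```java
import java.io.*;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.concurrent.*;
import javax.net.ssl.*;

public final class RenegotiatedClientAuth {

    // Asks an already-handshaken socket for a client certificate via a second handshake.
    // Unlike the initial handshake, startHandshake() here only kicks the renegotiation off;
    // the handshake records are consumed by the caller's later reads and the result arrives
    // via HandshakeCompletedListener on JSSE's notification thread, hence a future.
    public static CompletableFuture<X509Certificate[]> requestClientCertificate(SSLSocket socket)
            throws IOException {
        CompletableFuture<X509Certificate[]> result = new CompletableFuture<>();
        socket.addHandshakeCompletedListener(new HandshakeCompletedListener() {
            @Override public void handshakeCompleted(HandshakeCompletedEvent event) {
                socket.removeHandshakeCompletedListener(this);
                try {
                    // Chain as verified by the TrustManager, leaf first. getPeerCertificateChain()
                    // is the deprecated javax.security.cert view of the same data.
                    Certificate[] chain = event.getPeerCertificates();
                    X509Certificate[] x509 = new X509Certificate[chain.length];
                    for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
                    result.complete(x509);
                } catch (SSLPeerUnverifiedException noClientCert) {
                    result.complete(null);  // handshake finished, but the peer sent no certificate
                }
            }
        });
        // wantClientAuth lets a certificate-less client finish the handshake (chain == null);
        // needClientAuth would abort it with a fatal alert and the listener would never fire.
        socket.setWantClientAuth(true);
        socket.startHandshake();
        return result;
    }

    // Drives the pending renegotiation by reading with a short timeout (assumption: the same
    // trick the old Coyote JSSE support used). A byte of application data that arrives is
    // pushed back so the request parser does not lose it. Returns null if no certificate was
    // presented or the handshake has not completed within the timeout.
    public static X509Certificate[] awaitClientCertificate(SSLSocket socket, PushbackInputStream in,
            CompletableFuture<X509Certificate[]> pending, int timeoutMillis) throws IOException {
        int savedTimeout = socket.getSoTimeout();
        socket.setSoTimeout(timeoutMillis);
        try {
            int b = in.read();  // processes handshake records, then blocks for application data
            if (b >= 0) in.unread(b);
        } catch (SocketTimeoutException expected) {
            // Normal for HTTP: the client is waiting for our response rather than sending more.
        } catch (IOException handshakeFailed) {
            pending.completeExceptionally(handshakeFailed);
            throw handshakeFailed;
        } finally {
            socket.setSoTimeout(savedTimeout);
        }
        try {
            return pending.get(timeoutMillis, TimeUnit.MILLISECONDS);  // listener is on another thread
        } catch (TimeoutException notYet) {
            return null;
        } catch (ExecutionException e) {
            throw new IOException("renegotiation failed", e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return null;
        }
    }

    // Demo server (constructed for this example): args are a PKCS12 keystore holding the server
    // key plus the CA that issues client certificates, and its password.
    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream ksIn = Files.newInputStream(Paths.get(args[0]))) { ks.load(ksIn, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setEnabledProtocols(new String[] {"TLSv1.2"});  // TLS 1.3 has no renegotiation
            try (SSLSocket client = (SSLSocket) server.accept()) {
                client.startHandshake();  // first handshake: synchronous, no certificate requested
                PushbackInputStream in = new PushbackInputStream(client.getInputStream(), 1);
                String requestLine = new BufferedReader(new InputStreamReader(in, StandardCharsets.ISO_8859_1)).readLine();
                CompletableFuture<X509Certificate[]> pending = requestClientCertificate(client);
                X509Certificate[] chain = awaitClientCertificate(client, in, pending, 2000);
                String who = chain == null ? "no client certificate" : chain[0].getSubjectX500Principal().getName();
                String body = "request: " + requestLine + "\r\nclient: " + who + "\r\n";
                OutputStream out = client.getOutputStream();
                out.write(("HTTP/1.0 200 OK\r\nContent-Length: " + body.length() + "\r\n\r\n" + body)
                        .getBytes(StandardCharsets.ISO_8859_1));
                out.flush();
            }
        }
    }
}
```

Two caveats worth keeping in mind when reading this against the connector.  First, the certificate chain is only trustworthy once the listener has fired: inspecting the SSLSession right after startHandshake() returns, which is what the email reports failing, will still show the first session with no peer certificates.  Second, the protocol is pinned to TLSv1.2 on purpose: TLS 1.3 removed renegotiation, so on a TLS 1.3 connection a later startHandshake() does not ask the client for a certificate at all, and a server that needs client certificates there must request them in the initial handshake (i.e. setNeedClientAuth/setWantClientAuth before the first handshake).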