RE: Submission: Portable SSL Support
> It compiles with or without JSSE, and runs fine without an SSL connector.
> However, I haven't actually gotten around to doing the whole keystore thing
> here, so the (big) one thing I haven't tried (yet) is to run it with a
> JSSE-SSL connection.

Note to interested people that PureTLS requires:

cryptix32-r3.2.0 (for recent JDK)
cryptix-asn1 (from the PureTLS site)

which are both BSD-like licences :)

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Submission: Portable SSL Support
Bill Barker [EMAIL PROTECTED] writes:
> It compiles with or without JSSE, and runs fine without an SSL connector.
> However, I haven't actually gotten around to doing the whole keystore thing
> here, so the (big) one thing I haven't tried (yet) is to run it with a
> JSSE-SSL connection.
I just did a CVS update and checked it against PureTLS. It runs fine.

> The other thing that would be nice is to be able to access the SessionId
> (via request.getAttribute(javax.servlet.request.ssl_session)). There is
> already optional support to validate HttpSession access against this for
> SSL sessions in 3.3.x. Currently it is only supported if you are connecting
> via Apache, but stand-alone (at least for PureTLS) would also be a nice
> feature.
That's certainly easy to add. I just didn't know what attribute string to
use since I didn't see it in the Servlet 2.3 spec. Which spec is this string
defined in?

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Re: Submission: Portable SSL Support
The Ajp13 spec? :)

- Original Message -
From: Eric Rescorla [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]; Tomcat Developers List [EMAIL PROTECTED]
Sent: Friday, December 07, 2001 6:59 AM
Subject: Re: Submission: Portable SSL Support

> Bill Barker [EMAIL PROTECTED] writes:
> > It compiles with or without JSSE, and runs fine without an SSL connector.
> > However, I haven't actually gotten around to doing the whole keystore
> > thing here, so the (big) one thing I haven't tried (yet) is to run it
> > with a JSSE-SSL connection.
> I just did a CVS update and checked it against PureTLS. It runs fine.
>
> > The other thing that would be nice is to be able to access the SessionId
> > (via request.getAttribute(javax.servlet.request.ssl_session)). There is
> > already optional support to validate HttpSession access against this for
> > SSL sessions in 3.3.x. Currently it is only supported if you are
> > connecting via Apache, but stand-alone (at least for PureTLS) would also
> > be a nice feature.
> That's certainly easy to add. I just didn't know what attribute string to
> use since I didn't see it in the Servlet 2.3 spec. Which spec is this
> string defined in?
>
> -Ekr
>
> --
> [Eric Rescorla [EMAIL PROTECTED]]
> http://www.rtfm.com/
Re: Submission: Portable SSL Support
- Original Message -
From: Bill Barker [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]; EKR [EMAIL PROTECTED]
Sent: Thursday, December 06, 2001 10:43 PM
Subject: Re: Submission: Portable SSL Support

> It compiles with or without JSSE, and runs fine without an SSL connector.
> However, I haven't actually gotten around to doing the whole keystore thing
> here, so the (big) one thing I haven't tried (yet) is to run it with a
> JSSE-SSL connection.

It seems to run fine with JSSE, even if I put the JSSE jars under
lib/container.
Re: Submission: Portable SSL Support
Since no one else responded, I've gone ahead and checked in Eric's changes. I
haven't actually tried to build against PureTLS, but I assume that Eric has.
If I've missed anything in this commit, please let me know and I'll try and
include it asap.

- Original Message -
From: Eric Rescorla [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Saturday, December 01, 2001 7:20 AM
Subject: Re: Submission: Portable SSL Support

> [EMAIL PROTECTED] writes:
> > What remains to be done is getting jk to reuse the same abstractions for
> > ssl support - that would make the code cleaner. But it can wait a while,
> > there are bigger changes going on there.
> That's what I figured. I took a look at that and it doesn't look very
> difficult so if someone just pings me when it's ready to be adapted :)
>
> -Ekr
>
> --
> [Eric Rescorla [EMAIL PROTECTED]]
> http://www.rtfm.com/
Re: Submission: Portable SSL Support
Bill Barker [EMAIL PROTECTED] writes:
> Since no one else responded, I've gone ahead and checked in Eric's changes.
> I haven't actually tried to build against PureTLS, but I assume that Eric
> has.
I did, but I'll check it out myself and make sure that it works. You did
check that it works in the absence of PureTLS, right?

> If I've missed anything in this commit, please let me know and I'll try
> and include it asap.
I'll take a look. Big CVS imports like this are always hairy since it's so
easy to miss a file :(

-Ekr
Re: Submission: Portable SSL Support
It compiles with or without JSSE, and runs fine without an SSL connector.
However, I haven't actually gotten around to doing the whole keystore thing
here, so the (big) one thing I haven't tried (yet) is to run it with a
JSSE-SSL connection.

The other thing that would be nice is to be able to access the SessionId
(via request.getAttribute(javax.servlet.request.ssl_session)). There is
already optional support to validate HttpSession access against this for SSL
sessions in 3.3.x. Currently it is only supported if you are connecting via
Apache, but stand-alone (at least for PureTLS) would also be a nice feature.

- Original Message -
From: Eric Rescorla [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Thursday, December 06, 2001 9:52 PM
Subject: Re: Submission: Portable SSL Support

> Bill Barker [EMAIL PROTECTED] writes:
> > Since no one else responded, I've gone ahead and checked in Eric's
> > changes. I haven't actually tried to build against PureTLS, but I assume
> > that Eric has.
> I did, but I'll check it out myself and make sure that it works. You did
> check that it works in the absence of PureTLS, right?
>
> > If I've missed anything in this commit, please let me know and I'll try
> > and include it asap.
> I'll take a look. Big CVS imports like this are always hairy since it's so
> easy to miss a file :(
>
> -Ekr
Re: Submission: Portable SSL Support
[EMAIL PROTECTED] writes:
> What remains to be done is getting jk to reuse the same abstractions for
> ssl support - that would make the code cleaner. But it can wait a while,
> there are bigger changes going on there.
That's what I figured. I took a look at that and it doesn't look very
difficult so if someone just pings me when it's ready to be adapted :)

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Re: Submission: Portable SSL Support
Hi Eric,

I looked at the patch - it seems ok. I think we should wait a few more days
for more people to have a chance to look at the code. It's great having an
SSL expert around :-)

What remains to be done is getting jk to reuse the same abstractions for ssl
support - that would make the code cleaner. But it can wait a while, there
are bigger changes going on there.

Costin

On Fri, 30 Nov 2001, Eric Rescorla wrote:

> I've finished patching Tomcat to support both PureTLS and JSSE (and it
> would be trivial to add pretty much any other SSL implementation if there
> was a need).
>
> Essentially, what I did was take the current support for JSSE and
> generalize it so that it could support any implementation. This required
> adding a fair amount of abstraction.
>
> (1) Each implementation is encapsulated by a subclass of SSLImplementation.
>     As before, PoolTCPConnector is responsible for detecting that SSL has
>     been called for and loading up the right implementation, but it does
>     it by using SSLImplementation.
>
> (2) SSLImplementation.getInstance() automatically chooses whatever
>     implementation is active. (There's a parameter to tell it to use a
>     specific one).
>
> (3) In order to get a socket you first get the appropriate socketFactory
>     from the SSLImplementation. You then use socketFactory.getSocket() as
>     before.
>
> (4) All the special things you can do with an SSL socket are encapsulated
>     in SSLSupport. SSLImplementation.getSSLSupport(Socket sock) lets you
>     get the SSLSupport for a given socket.
>
> (5) Currently you can get the attributes:
>
>       javax.servlet.request.cipher_suite
>       javax.servlet.request.X509Certificate
>
>     What's supposed to be at:
>
>       javax.servlet.request.key_size
>
>     is extremely vague. I'll implement it once I hear back from Sun about
>     the value.
>
> (6) Changes to the doc to explain this stuff.
>
> The changes are of three types:
>
> (1) A patch file.
> (2) A mess of new source files which live in org/apache/tomcat/util/net.
> (3) The following file needs to be deleted from the repository:
>     org/apache/tomcat/util/net/SSLSocketFactory.java
>
> Due to the size of the changes I've put the patch and new source files up
> at http://www.rtfm.com/tomcat-changes-20011130.tar.gz. If someone wants
> them mailed to the list I'm happy to do so.
>
> Note: These changes only work properly with the latest PureTLS snapshot:
> 20011130 (though they should work fine if you're compiling without PureTLS
> at all as well).
>
> -Ekr
>
> --
> [Eric Rescorla [EMAIL PROTECTED]]
> Author of SSL and TLS: Designing and Building Secure Systems
> http://www.rtfm.com/
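The abstraction Eric lays out in points (1) to (5), together with the ssl_session attribute Bill asks for earlier in the thread, as an added Java sketch. This is example code, not Tomcat's, PureTLS's or the thread authors' code. The names SSLImplementation, SSLSupport, getInstance(), getSSLSupport(Socket) and the javax.servlet.request.* attribute keys come from the thread; the system property name, the method name getServerSocketFactory(), the placeholder PureTLS class name and the hex encoding of the session id are assumptions made for the example.

```java
// Added example, not code from Tomcat, PureTLS or the thread's authors.
// One SSLImplementation subclass per provider, getInstance() picking the
// active one, SSLSupport exposing per-socket facts for request attributes.
// Assumed: the property name, getServerSocketFactory(), the PureTLS
// placeholder class name and the hex session id.
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

class PortableSSLExample {
    /** Turns SSLSupport facts into request attributes, leaving out what is absent. */
    static Map<String, Object> sslAttributes(SSLSupport ssl) {
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("javax.servlet.request.cipher_suite", ssl.getCipherSuite());
        X509Certificate[] chain = ssl.getPeerCertificateChain();
        if (chain != null) {  // set only when the client authenticated with a certificate
            attrs.put("javax.servlet.request.X509Certificate", chain);
        }
        attrs.put("javax.servlet.request.ssl_session", ssl.getSessionId());
        // javax.servlet.request.key_size is left out, as the message does.
        return attrs;
    }

    public static void main(String[] args) throws Exception {
        SSLImplementation impl = SSLImplementation.getInstance();
        System.out.println("selected " + impl.getImplementationName() + " using "
                + impl.getServerSocketFactory().getClass().getName());
    }
}

/** Everything a connector may ask about one accepted SSL socket. */
interface SSLSupport {
    String getCipherSuite();
    /** null when the client sent no certificate or it was not verified. */
    X509Certificate[] getPeerCertificateChain();
    String getSessionId();
}

/** One subclass per SSL provider; the connector only ever sees this type. */
abstract class SSLImplementation {
    static final String IMPL_PROPERTY = "example.ssl.implementation";  // assumed name

    /** Load the named implementation, else the first whose classes are present. */
    static SSLImplementation getInstance() throws ClassNotFoundException {
        String forced = System.getProperty(IMPL_PROPERTY);
        String[] candidates = forced != null
                ? new String[] { forced }
                : new String[] { "org.example.PureTLSImplementation",  // placeholder
                                 JSSEImplementation.class.getName() };
        for (String name : candidates) {
            try {
                return (SSLImplementation) Class.forName(name)
                        .getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                // provider (or its runtime) is not on the classpath: try the next one
            }
        }
        throw new ClassNotFoundException("no SSL implementation could be loaded");
    }

    abstract String getImplementationName();
    abstract ServerSocketFactory getServerSocketFactory();
    abstract SSLSupport getSSLSupport(Socket sock);
}

/** JSSE-backed provider. */
class JSSEImplementation extends SSLImplementation {
    String getImplementationName() { return "JSSE"; }
    ServerSocketFactory getServerSocketFactory() { return SSLServerSocketFactory.getDefault(); }
    SSLSupport getSSLSupport(Socket sock) { return new JSSESupport((SSLSocket) sock); }
}

class JSSESupport implements SSLSupport {
    private final SSLSession session;

    JSSESupport(SSLSocket sock) { this.session = sock.getSession(); }

    public String getCipherSuite() { return session.getCipherSuite(); }

    public X509Certificate[] getPeerCertificateChain() {
        try {
            Certificate[] chain = session.getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
            return x509;
        } catch (SSLPeerUnverifiedException e) {
            return null;  // JSSE throws rather than returning an empty chain
        }
    }

    public String getSessionId() {
        StringBuilder hex = new StringBuilder();
        for (byte b : session.getId()) hex.append(String.format("%02x", b));
        return hex.toString();
    }
}
```

Run it with `java PortableSSLExample.java` (Java 11 or later); with no PureTLS class on the classpath the loop falls through to the JSSE provider and prints the factory it obtained. The one edge case worth noticing is in getPeerCertificateChain: when the server did not require client authentication, JSSE signals the absence of a peer certificate with SSLPeerUnverifiedException, so the attribute is simply left unset instead of failing the request, and the hex session id is the value a container can compare against the HttpSession binding Bill describes.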