GOMEZ Henri wrote:
>>>>>Cheers
>>>>>
>>>>>Jean-frederic
>>>>>
>>>>>Note:
>>>>>javax.servlet.cert.X509Certificate is in JSSE.
>>>>>java.servlet.cert.X509Certificate is in JDK (even in 1.2.2).
>>>>>
>>>>>
>>>>Not only that, the JSSE version doesn't even inherit from the JDK
>>>>version :-(.  When using JSSE (i.e. in Tomcat stand-alone) you have to
>>>>convert the certificates manually.
>>>>
>>>I've got a question not really well covered in the spec.
>>>When you get the X509Certificate, you get the certificate
>>>presented by the browser? So only one certificate, isn't it?
>>>
>>>That's currently what mod_ssl presents :)
>>>
>>>
>>JSSE presents the entire client certificate chain, with the first one in
>>the chain being the certificate of the client itself, followed by the
>>certificate of the CA that vouches for the client cert, and so on.
>>
> 
> But what do we need to have present in the spec?
> Client cert and CA cert, or only client cert?

*All* certs in the chain are required for authentication. There could be
several tiers: i.e. CA 1 signs CA 2's cert, then CA 2 signs the
company cert. I don't know what the specs have to say, and I don't know
what the impact on the connectors is, but in order for client
authentication to work correctly, I need the whole chain.

- Christopher

/**
  * Weep, weep, my eyes, and dissolve into water!
  * One half of my life has laid the other in the tomb.
  *    ---Corneille
  */
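
The multi-tier case described above (CA 1 signs CA 2, CA 2 signs the company cert), as an added example that is not part of the original message: it builds a throwaway chain with the openssl CLI and shows that the leaf validates against the CA 1 trust anchor only when the intermediate is supplied. All subject names, keys and file names are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added example: every key and certificate below is generated on the spot.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Extension file that marks a certificate as a CA.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# new_csr NAME: create NAME.key and a signing request NAME.csr.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}
new_csr ca1; new_csr ca2; new_csr company

# CA 1 is self-signed (the trust anchor), CA 1 signs CA 2,
# and CA 2 signs the company (client) certificate.
openssl x509 -req -in ca1.csr -signkey ca1.key -extfile ca.ext \
  -days 1 -out ca1.pem 2>/dev/null
openssl x509 -req -in ca2.csr -CA ca1.pem -CAkey ca1.key -CAcreateserial \
  -extfile ca.ext -days 1 -out ca2.pem 2>/dev/null
openssl x509 -req -in company.csr -CA ca2.pem -CAkey ca2.key -CAcreateserial \
  -days 1 -out company.pem 2>/dev/null

# verify_leaf [INTERMEDIATE.pem]: validate company.pem trusting only CA 1,
# optionally with an untrusted intermediate as the peer would present it.
verify_leaf() {
  if [ $# -gt 0 ]; then
    openssl verify -CAfile ca1.pem -untrusted "$1" company.pem >/dev/null 2>&1
  else
    openssl verify -CAfile ca1.pem company.pem >/dev/null 2>&1
  fi
}

# Only the client certificate is available: the path to CA 1 cannot be built.
if verify_leaf; then echo "client cert alone: OK"
else echo "client cert alone: FAILED (issuer CA 2 is unknown)"; fi

# The whole chain is available: client cert -> CA 2 -> CA 1 validates.
if verify_leaf ca2.pem; then echo "client cert + CA 2: OK"
else echo "client cert + CA 2: FAILED"; fi
```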
