Craig R. McClanahan wrote:
>
> On Mon, 17 Sep 2001, GOMEZ Henri wrote:
>
>
>>Date: Mon, 17 Sep 2001 23:17:15 +0200
>>From: GOMEZ Henri <[EMAIL PROTECTED]>
>>Reply-To: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED]
>>Subject: RE: SSL Attributes
>>
>>
>>
>>>>>>Cheers
>>>>>>
>>>>>>Jean-frederic
>>>>>>
>>>>>>Note:
>>>>>>javax.servlet.cert.X509Certificate is in JSSE.
>>>>>>java.servlet.cert.X509Certificate is in JDK (even in 1.2.2).
>>>>>>
>>>>>>
>>>>>Not only that, the JSSE version doesn't even inherit from the
>>>>>JDK version :-(. When using JSSE (i.e. in Tomcat stand-alone) you have
>>>>>to convert the certificates manually.
>>>>>
>>>>I've got a question not really well covered in the spec.
>>>>When you get the X509Certificate, you get the certificate
>>>>presented by the browser? So only one certificate, isn't it?
>>>>
>>>>That's currently what mod_ssl presents :)
>>>>
>>>>
>>>JSSE presents the entire client certificate chain, with the first one in
>>>the chain being the certificate of the client itself, followed by the
>>>certificate of the CA that vouches for the client cert, and so on.
>>>
>>But what do we need to have present in the spec?
>>Client cert and CA cert, or only client cert?
>>
>>
>
> 2.2 just says "an array".
>
> 2.3 says "The order of this array is defined as being in ascending
> order of trust. The first certificate in the chain is the one set by the
> client, the next is the one used to authenticate the first, and so on."
>
> Craig
Is the "Connector-over-SSL" issue even addressed by the spec? If the
front-end web server is handling all of the authentication, then isn't
securing the connectors simply securing the communication channel,
having nothing to do with authentication?
I could be wrong, I'm just asking. If the Tomcat container itself is not
involved in the authentication process, one would not expect that a
webapp has access to the client cert anyway. Is that right?
- Christopher
/**
* Weep, weep, my eyes, and dissolve into water!
* Half of my life has laid the other in the tomb.
* ---Corneille
*/
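To make the Servlet 2.3 ordering Craig quotes concrete, here is an added example (not code from the thread or from Tomcat) of a webapp helper that reads the `javax.servlet.request.X509Certificate` attribute, treats element 0 as the client's own certificate, and refuses a chain whose elements are not each issued by the next. It assumes the container exposes the chain as `java.security.cert.X509Certificate[]`, i.e. the JSSE-to-JDK conversion mentioned above has already happened.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;

public final class ClientCertExtractor {
    // Request attribute name defined by the Servlet 2.2/2.3 specifications.
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /**
     * Returns the client's own certificate (element 0, per the Servlet 2.3
     * "ascending order of trust" rule), or null when the request carried no
     * chain, e.g. because a front-end web server terminated SSL and the
     * connector did not forward the certificate.
     * Throws GeneralSecurityException when the array is internally
     * inconsistent, so the webapp never acts on a misordered chain.
     */
    public static X509Certificate clientCertificate(HttpServletRequest request)
            throws GeneralSecurityException {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) {
            return null;
        }
        // chain[i] must be issued and signed by chain[i + 1].
        for (int i = 0; i + 1 < chain.length; i++) {
            if (!chain[i].getIssuerX500Principal()
                         .equals(chain[i + 1].getSubjectX500Principal())) {
                throw new GeneralSecurityException(
                        "certificate chain out of order at index " + i);
            }
            chain[i].verify(chain[i + 1].getPublicKey());
            chain[i].checkValidity();
        }
        chain[chain.length - 1].checkValidity();
        return chain[0];
    }
}
```

This only checks that the array is self-consistent and unexpired; anchoring the last element to a trust store is the container's (or a `CertPathValidator`'s) job, not something a webapp should re-implement.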