I've finished patching Tomcat to support both PureTLS and JSSE (and it
would be trivial to add pretty much any other SSL implementation if
there was a need). Essentially, what I did was take the current
support for JSSE and generalize it so that it could support any
implementation. This required adding a fair amount of abstraction.

(1) Each implementation is encapsulated by a subclass of SSLImplementation.
As before, PoolTCPConnector is responsible for detecting that SSL has
been called for and loading up the right implementation but it
does it by using SSLImplementation.

(2) SSLImplementation.getInstance() automatically chooses whatever
implementation is active. (There's a parameter to tell it to use a
specific one).

(3) In order to get a socket you first get the appropriate
socketFactory from the SSLImplementation. You then use
socketFactory.getSocket() as before.

(4) All the special things you can do with an SSL socket are
encapsulated in SSLSupport. SSLImplementation.getSSLSupport(Socket
sock) lets you get the SSLSupport for a given socket.

(5) Currently you can get the attributes:
        javax.servlet.request.cipher_suite
        javax.servlet.request.X509Certificate

What's supposed to be at:
        javax.servlet.request.key_size
is extremely vague. I'll implement it once I hear back from Sun about
the value.

(6) Changes to the doc to explain this stuff.

The changes are of three types:
(1) A patch file.
(2) A mess of new source files which live in 
        org/apache/tomcat/util/net.
(3) The following file needs to be deleted from the repository:
        org/apache/tomcat/util/net/SSLSocketFactory.java

Due to the size of the changes I've put the patch and new source files
up at http://www.rtfm.com/tomcat-changes-20011130.tar.gz. If someone
wants them mailed to the list I'm happy to do so.

Note: These changes only work properly with the latest PureTLS snapshot:
20011130 (though they should work fine if you're compiling without
PureTLS at all as well).

-Ekr

--
[Eric Rescorla                                   [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
                  http://www.rtfm.com/
  

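The abstraction laid out in points (1) through (5) above, sketched as an added Java example written for this page. It is neither Eric's patch nor Tomcat's code: the names SSLImplementation, getInstance, getSSLSupport, SSLSupport and the two attribute strings are taken from the mail, while every method body, the choose-by-class-name loading rule, the getServerSocket/getPeerCertificateChain method names and the placeholder class name PureTLSImplementation are assumptions of this example.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

/** Per-socket view of the TLS state; the attribute names are the ones the mail lists. */
interface SSLSupport {
    String CIPHER_SUITE_KEY = "javax.servlet.request.cipher_suite";
    String CERTIFICATE_KEY  = "javax.servlet.request.X509Certificate";

    String getCipherSuite() throws IOException;

    /** Client chain, or null when the peer presented no certificate. */
    X509Certificate[] getPeerCertificateChain() throws IOException;
}

/** One subclass per SSL library; only the JSSE one is written out here (assumed design). */
abstract class SSLImplementation {
    // Hypothetical selection rule: an explicit name wins, otherwise the first
    // candidate whose class is on the classpath. "PureTLSImplementation" is a
    // placeholder name for this example, not a class shipped by any project.
    static SSLImplementation getInstance(String name) throws IOException {
        String[] candidates = (name != null)
            ? new String[] { name }
            : new String[] { "PureTLSImplementation", "JSSEImplementation" };
        for (String cls : candidates) {
            try {
                return (SSLImplementation) Class.forName(cls)
                        .getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                // library not compiled in; fall through to the next candidate
            }
        }
        throw new IOException("no SSL implementation available");
    }

    abstract String getImplementationName();
    abstract ServerSocket getServerSocket(int port) throws IOException;
    abstract SSLSupport getSSLSupport(Socket sock);
}

class JSSEImplementation extends SSLImplementation {
    String getImplementationName() { return "JSSE"; }

    ServerSocket getServerSocket(int port) throws IOException {
        // Keystore and cipher settings come from the javax.net.ssl.* system
        // properties here; a real connector would pass them in explicitly.
        return SSLServerSocketFactory.getDefault().createServerSocket(port);
    }

    SSLSupport getSSLSupport(Socket sock) {
        return new JSSESupport((SSLSocket) sock);
    }
}

class JSSESupport implements SSLSupport {
    private final SSLSocket sock;
    JSSESupport(SSLSocket sock) { this.sock = sock; }

    public String getCipherSuite() {
        return sock.getSession().getCipherSuite();
    }

    public X509Certificate[] getPeerCertificateChain() throws IOException {
        try {
            Certificate[] certs = sock.getSession().getPeerCertificates();
            X509Certificate[] chain = new X509Certificate[certs.length];
            for (int i = 0; i < certs.length; i++) {
                if (!(certs[i] instanceof X509Certificate)) {
                    return null; // not an X.509 chain; expose nothing
                }
                chain[i] = (X509Certificate) certs[i];
            }
            return chain;
        } catch (SSLPeerUnverifiedException e) {
            return null; // no client authentication on this connection
        }
    }
}

class RequestAttributes {
    /** Copies the TLS facts into the request-attribute map the servlet will see. */
    static Map<String, Object> fromSocket(SSLImplementation impl, Socket sock)
            throws IOException {
        Map<String, Object> attrs = new HashMap<>();
        SSLSupport support = impl.getSSLSupport(sock);
        attrs.put(SSLSupport.CIPHER_SUITE_KEY, support.getCipherSuite());
        X509Certificate[] chain = support.getPeerCertificateChain();
        if (chain != null) {
            // Set only when a verified client chain exists, so a servlet can
            // treat "attribute present" as "client authenticated".
            attrs.put(SSLSupport.CERTIFICATE_KEY, chain);
        }
        return attrs;
    }
}
```

A connector built on this would call SSLImplementation.getInstance(null) (or pass an implementation name to force one), obtain a listening socket from getServerSocket(port), and after accept() hand each socket to RequestAttributes.fromSocket to populate the request. The one point worth keeping in any real implementation is that the X509Certificate attribute is only set when a verified chain is actually present, so servlet code never mistakes an unauthenticated connection for an authenticated one.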