Hi all,

It's come to my attention that most servlet container vendors totally ignore the requirements laid out in Servlet API 2.3 SRV 4.7. These requirements are to expose various attributes of an SSL connection via the javax.servlet.request.cipher_suite, javax.servlet.request.key_size, and javax.servlet.request.X509Certificate request attributes.
My theory is that server vendors don't support this requirement because Watchdog (and presumably the official TCK) don't actually check it, thus giving server vendors a false sense of compatibility. Whether my theory's true or not, I'm confident that if Watchdog (and thus the official TCK) started checking this requirement then soon enough all servlet container vendors would support it. I think that's pretty important because banks and such need access to these attributes to ensure a secure connection.

To that end, I'd like to get a sense of the thoughts here for if Watchdog can add these sorts of tests. I don't actually see any SSL-based tests happening right now, but perhaps I'm not looking in the right place. Was that intentional, because of the difficulty setting up an SSL server? Is there another reason not to test for the SSL-related requirements? How much work would it be to add SSL-related testing?

I'm happy to help to the extent I have time, but would appreciate hearing the conventional wisdom surrounding these issues.

-jh-
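A sketch of the kind of check the message asks for, added here as an illustration and not taken from the original e-mail or from Watchdog: a servlet that, when requested over HTTPS, verifies that the three SRV 4.7 attributes are exposed with the types the specification names. The class name `SslAttributeCheckServlet` and the `MIN_KEY_SIZE` policy value are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical conformance-check servlet; not a Watchdog or TCK class.
public class SslAttributeCheckServlet extends HttpServlet {
    // Assumed application policy (e.g. a bank's minimum), not a value from the spec.
    static final int MIN_KEY_SIZE = 128;

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        List<String> failures = new ArrayList<String>();
        if (!req.isSecure()) {
            failures.add("request did not arrive over a secure protocol");
        } else {
            Object suite = req.getAttribute("javax.servlet.request.cipher_suite");
            Object keySize = req.getAttribute("javax.servlet.request.key_size");
            Object certs = req.getAttribute("javax.servlet.request.X509Certificate");

            // SRV 4.7: the cipher suite must be exposed as a String.
            if (!(suite instanceof String)) {
                failures.add("cipher_suite missing or not a String: " + suite);
            }
            // SRV 4.7: the algorithm bit size must be exposed as an Integer.
            if (!(keySize instanceof Integer)) {
                failures.add("key_size missing or not an Integer: " + keySize);
            } else if (((Integer) keySize).intValue() < MIN_KEY_SIZE) {
                failures.add("key_size below policy minimum: " + keySize);
            }
            // The certificate chain is only required when the client presented
            // one; if the attribute is present it must be an X509Certificate[].
            if (certs != null && !(certs instanceof X509Certificate[])) {
                failures.add("X509Certificate has wrong type: " + certs.getClass());
            }
        }
        resp.setContentType("text/plain");
        resp.setStatus(failures.isEmpty() ? HttpServletResponse.SC_OK
                                          : HttpServletResponse.SC_FORBIDDEN);
        for (String f : failures) {
            resp.getWriter().println("FAIL: " + f);
        }
        if (failures.isEmpty()) {
            resp.getWriter().println("PASS");
        }
    }
}
```

A container that silently omits the attributes returns 403 with the missing names listed, which is the failure mode an application relying on them would otherwise discover only in production.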
