> No, Tomcat uses the regular Java API.  You don't see it, since it is buried
> in the SSL Handshake code.  Then, just for fun, if you are using CLIENT-CERT
> auth, Tomcat checks all the dates again (but not the trust).

Yeah, I am looking at that now in the JSSESocketFactory.  When I first
checked, I looked in the Tomcat 5.0 source, since that is what we are using
now.  I will have to look at that again and see if I just misread something.
Maybe it will just work and all it will take is someone to jump through the
myriad of hoops necessary to test it.  Painful, but I may just be the guy to
do it.

Mark

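For anyone wanting to try the "set it up right in the Java property files" route discussed below, here is an added illustration (not Tomcat's connector code, and not from any poster) of how OCSP checking is switched on for the PKIX trust manager that JSSE uses during the handshake; the truststore path and password are assumed inputs supplied by the caller.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext whose PKIX trust manager performs revocation
 * checking (OCSP, with CRL distribution points as fallback) while the
 * handshake validates a peer's certificate chain, e.g. a CLIENT-CERT.
 * Added illustration; truststore path and password are assumed inputs.
 */
public final class OcspTrustContext {

    public static SSLContext build(String trustStorePath, char[] password)
            throws Exception {
        // Properties consulted by the JDK's PKIX implementation (see the
        // J2SE 5.0 PKI guide): enable OCSP, and allow the CRL distribution
        // point named in the certificate to be used when OCSP is absent.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }

        // The default trust manager from tmf.init(KeyStore) has revocation
        // switched off; passing PKIXBuilderParameters with revocation
        // enabled is what makes the handshake consult the OCSP responder.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

With revocation enabled this way the check fails closed: a chain whose OCSP responder (and CRL) cannot be reached is rejected, so test connectivity to the responder named in the certificates before turning it on in production.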

-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 08, 2006 4:12 PM
To: 'Tomcat Developers List'
Subject: RE: Tomcat and OCSP

 

> -----Original Message-----
> From: Mark Claassen [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 08, 2006 12:49 PM
> To: 'Tomcat Developers List'
> Subject: RE: Tomcat and OCSP
> 
> I am really not sure what is involved...as I have not done all the 
> necessary research.
> 
> My understanding is that the location of the revocation server is 
> built into the certificates themselves somehow.
> 
> Several months ago I looked around, and thought I saw where you did 
> the certificate validation.  I believe it was done manually, not using 
> the standard Java APIs.  (My assumption was that this functionality 
> pre-dated the Java API.)
> 

No, Tomcat uses the regular Java API.  You don't see it, since it is buried
in the SSL Handshake code.  Then, just for fun, if you are using CLIENT-CERT
auth, Tomcat checks all the dates again (but not the trust).

> I was hoping that all that would be involved would be to locate that 
> area and try to use the Java certificate validation APIs instead of 
> these custom ones.  Then, hopefully the OCSP stuff would just work.
> 
> There is a lot of "Hope" in this, but hey, it's Christmas! :)
> 
> Mark
>  
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Yoav Shapira
> Sent: Friday, December 08, 2006 3:26 PM
> To: Tomcat Developers List
> Subject: Re: Tomcat and OCSP
> 
> Hi,
> Wouldn't you need OCSP revocation handling at the SSL connector 
> processing point?  That's the patch I was thinking of, but I'm not an 
> expert in this area, so I might be off-base.
> 
> Yoav
> 
> On 12/8/06, Filip Hanik - Dev Lists <[EMAIL PROTECTED]> wrote:
> > is a patch even required? or is OCSP something you just turn on since
> > it's built into the JDK? Mark, do you have any more details what this
> > would involve?
> > Filip
> >
> > Yoav Shapira wrote:
> > > Mark,
> > > If you submit a patch for OCSP support, I'll gladly review it, and I
> > > imagine several other people would be interested as well.
> > >
> > > Yoav
> > >
> > > On 12/8/06, Mark Claassen <[EMAIL PROTECTED]> wrote:
> > >> I asked this on the user list, but perhaps this is a question 
> > >> better for here.  I have been using Tomcat for a while, but have 
> > >> not been developing yet really (although I did submit a patch a 
> > >> while ago to the CGIServlet).
> > >> However, this OCSP issue has potential to really hit the fan for us
> > >> and if there is something that needs to be done, I would like to
> > >> try.
> > >>
> > >> -----Original Message-----
> > >>
> > >> Now that I see Tomcat 6.0 is on its way, I was wondering if OCSP
> > >> is going to be included?  This is being required by more and more
> > >> people these days (like the US government).
> > >>
> > >> If there are no plans to include it yet, how can this issue be 
> > >> escalated?  I see that OCSP support is bundled into the new JDKs,
> > >> does this mean that it would not be too difficult for an 
> > >> enterprising (and desperate) developer to tackle?
> > >>
> > >> Mark
> > >>
> > >> -----Original Message-----
> > >> From: Velpi [mailto:[EMAIL PROTECTED]
> > >> Sent: Monday, July 31, 2006 4:33 AM
> > >> To: Tomcat Users List
> > >> Subject: Re: Tomcat and OCSP
> > >>
> > >> > Does the new support for OCSP in Java 5.0 have any impact on how
> > >> > certificates are handled in Tomcat?
> > >> > http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html
> > >> >
> > >> > It looks like it might just work if it is set up right in the 
> > >> > java property files.  I checked the mailing list archives and 
> > >> > found a few old references to OCSP, but nothing definitive.  Any
> > >> > guidance would be greatly appreciated.
> > >>
> > >> I'm trying to set this up too. Did you get it up and running
> > >> properly yet? (any hints?)
> > >>
> > >>
> > >> -- Velpi
> > >>
> > >> ---------------------------------------------------------------------
> > >> To start a new topic, e-mail: users@tomcat.apache.org
> > >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >> For additional commands, e-mail: [EMAIL PROTECTED]