DO NOT REPLY [Bug 34868] allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests

https://issues.apache.org/bugzilla/show_bug.cgi?id=34868

Mark Thomas ma...@apache.org changed:

           What    | Removed  | Added
    ---------------+----------+---------
         Status    | ASSIGNED | RESOLVED
         Resolution|          | WONTFIX

--- Comment #11 from Mark Thomas ma...@apache.org 2011-04-08 17:52:28 EDT ---

Per-session trust managers can't possibly work, since the SSL connection has to be established before the client can send any data that would identify the session in which to look for the trust manager. I am therefore resolving this as WONTFIX.

However, it is worth noting that Tomcat 7 (as a result of fixing bug 48208) now supports custom trust managers, which should be sufficient to meet any requirement not met by the standard trust manager.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 34868] - allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=34868. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34868

--- Additional Comments From [EMAIL PROTECTED] 2007-09-18 03:00 ---

This looks really useful. We want to integrate tomcat with PBAC (http://www.gria.org/documentation/manual/pbac-2-manual/overview) to check client certificates at the SSL layer rather than only at the SOAP message layer. Did this fix or an equivalent solution ever get added to tomcat?
DO NOT REPLY [Bug 34868] - allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests

http://issues.apache.org/bugzilla/show_bug.cgi?id=34868

[EMAIL PROTECTED] changed:

           What    | Removed | Added
    ---------------+---------+---------
         Status    | NEW     | ASSIGNED

--- Additional Comments From [EMAIL PROTECTED] 2006-12-17 00:41 ---

Wouldn't it be nice to be able to overrule the global truststores by a trustStore object in the session? I guess this would only require enhancing org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore() to check for this.
DO NOT REPLY [Bug 34868] - allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests

http://issues.apache.org/bugzilla/show_bug.cgi?id=34868

--- Additional Comments From [EMAIL PROTECTED] 2005-12-30 15:37 ---

I would suggest a solution which uses a javax.net.ssl.X509TrustManager that trusts all client certificates. So it is possible to accept untrusted certificates and especially self-signed certificates. The actual authentication can then be done by a servlet.

I've implemented it such that the use of this AllTrustingX509TrustManager can be configured in the server.xml by setting the attribute acceptUntrustedCertifcates for the connector. If the attribute is set to true, then in the initialization of the JSSESocketFactory the actual TrustManager will be wrapped in the AllTrustingX509TrustManager and the SSLContext will be initialized with it.

Further, I've added the new method isClientCertificateTrusted() to SSLSupport, which returns whether the client certificate is trusted with respect to the actual TrustManager. The method can be accessed from a servlet through the new Request attribute javax.servlet.request.ClientCertificateTrusted.

Created two patches for Tomcat 5.5.13. One for the connectors module and one for the catalina module.
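The split the 2005-12-30 comment describes (let the handshake succeed, keep the real trust decision for the servlet layer), written here as an added example; it is not the attached patch, which is not reproduced on this page. The class name RecordingTrustManager and the method isClientChainTrusted are assumptions; the delegate is the X509TrustManager a TrustManagerFactory returns for the connector's trust store, and javax.servlet.request.X509Certificate is the standard request attribute carrying the client chain.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper: the handshake completes with any client certificate, while the
// real trust manager's verdict stays available for the servlet layer to enforce.
public final class RecordingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate; // the PKIX trust manager for the real trust store

    public RecordingTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    // The verdict a servlet must consult (with the chain it reads from the request
    // attribute javax.servlet.request.X509Certificate) before treating the peer as authenticated.
    public boolean isClientChainTrusted(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) return false;
        try {
            // authType approximated by the leaf key algorithm; PKIX only requires it non-empty
            delegate.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            return false; // unknown issuer or self-signed: connected, but not authenticated
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        // Deliberately never throws: a rejection here aborts the handshake before
        // any servlet could see the certificate.
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // outbound trust is unchanged
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Sent to the client in CertificateRequest; an empty list lets clients offer
        // certificates from issuers the trust store does not know.
        return new X509Certificate[0];
    }
}
```

Every request path that relies on the client certificate has to call isClientChainTrusted, since with this wrapper a completed handshake no longer implies a trusted peer.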
DO NOT REPLY [Bug 34868] - allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests

http://issues.apache.org/bugzilla/show_bug.cgi?id=34868

--- Additional Comments From [EMAIL PROTECTED] 2005-12-30 15:41 ---

Created an attachment (id=17296)
 -- (http://issues.apache.org/bugzilla/attachment.cgi?id=17296&action=view)
patch for the connectors module
DO NOT REPLY [Bug 34868] - allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests

http://issues.apache.org/bugzilla/show_bug.cgi?id=34868

[EMAIL PROTECTED] changed:

           What              | Removed                         | Added
    -------------------------+---------------------------------+---------------------------------------------
    Attachment #17296        | patch for the connectors module | ssl-client-cert patch for the connectors module
    description              |                                 |
DO NOT REPLY [Bug 34868] - allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests

http://issues.apache.org/bugzilla/show_bug.cgi?id=34868

[EMAIL PROTECTED] changed:

           What              | Removed | Added
    -------------------------+---------+-------
    Attachment #17296        | 0       | 1
    is obsolete              |         |

--- Additional Comments From [EMAIL PROTECTED] 2005-12-30 16:03 ---

Created an attachment (id=17298)
 -- (http://issues.apache.org/bugzilla/attachment.cgi?id=17298&action=view)
ssl-client-cert patch for the connectors module

fixed: added the files missing in the last patch
DO NOT REPLY [Bug 34868] - allow to register a trust store for a session that becomes effective before CLIENT-CERT auth is executed on requests

http://issues.apache.org/bugzilla/show_bug.cgi?id=34868

--- Additional Comments From [EMAIL PROTECTED] 2005-12-30 16:58 ---

Created an attachment (id=17299)
 -- (http://issues.apache.org/bugzilla/attachment.cgi?id=17299&action=view)
client certificate authentication example

minimal example showing how client certificate authentication can be done after applying my patches (see above)