Re: [TC4] multiple certificates
Warner Onstine wrote:

> Hi all,
>
> It's been a while since I looked at the SSL stuff and I just received a request which I'm not sure how it would be handled in TC4. Would it be possible to handle multiple certificates for SSL per servlet? If this needs further clarification let me know.

I guess I don't quite get what you are after. Are you talking about a certificate chain that authenticates an individual user? If so, that is already supported -- the request attribute that you get is an array of certificate objects, with the first one being the certificate of the client principal, and the subsequent ones being the certificates of the certificate authorities vouching for the previous certificate in the chain.

If that's not what you are after, could you please explain further?

> -warner

Craig
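Craig's description of the request attribute, as an added example that is not part of the original message or of Tomcat's own code: a servlet that reads the certificate array and checks that each entry is issued by the next one. It assumes the Servlet API's standard attribute name `javax.servlet.request.X509Certificate`, a connector configured to request client certificates, and a hypothetical class name.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name): lists the client certificate chain
// the container exposes after an SSL handshake with client authentication.
public class ClientCertChainServlet extends HttpServlet {

    // Standard Servlet API attribute name (javax namespace assumed).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // Plain HTTP, or the connector did not ask for a client certificate.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // Index 0 is the client principal; later entries are the vouching CAs.
        out.println("client principal: " + chain[0].getSubjectX500Principal().getName());
        for (int i = 0; i < chain.length; i++) {
            out.println("[" + i + "] subject=" + chain[i].getSubjectX500Principal().getName());
            out.println("    issuer=" + chain[i].getIssuerX500Principal().getName());
            out.println("    " + linkStatus(chain, i));
        }
    }

    // Reports whether chain[i] names chain[i + 1] as issuer and carries its signature.
    static String linkStatus(X509Certificate[] chain, int i) {
        if (i + 1 >= chain.length) {
            return "last certificate presented (its issuer is not in the array)";
        }
        if (!chain[i].getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal())) {
            return "issuer name does not match certificate [" + (i + 1) + "]";
        }
        try {
            chain[i].verify(chain[i + 1].getPublicKey());
            return "signed by certificate [" + (i + 1) + "]";
        } catch (GeneralSecurityException e) {
            return "signature check failed: " + e.getMessage();
        }
    }
}
```

The servlet only displays the ordering of the array; trust in the chain comes from the validation done during the SSL handshake against the connector's configured trust store, and authorization decisions should still be based on the subject at index 0.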
Re: [TC4] multiple certificates
----- Original Message -----
From: "Craig R. McClanahan" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2000 7:43 PM
Subject: Re: [TC4] multiple certificates

> Warner Onstine wrote:
>
> > Hi all,
> >
> > It's been a while since I looked at the SSL stuff and I just received a request which I'm not sure how it would be handled in TC4. Would it be possible to handle multiple certificates for SSL per servlet? If this needs further clarification let me know.
>
> I guess I don't quite get what you are after. Are you talking about a certificate chain that authenticates an individual user? If so, that is already supported -- the request attribute that you get is an array of certificate objects, with the first one being the certificate of the client principal, and the subsequent ones being the certificates of the certificate authorities vouching for the previous certificate in the chain.

Sure, what we're working with is possibly using different server certificates for different servlets, is this at all possible? From what I can tell right now, no. Basically what I see right now is if we turn on ssl support it uses the certificate that you specify for each connection from the SSLServerSocketFactory. The only way I can see doing this is to specify a different port for different certificates, correct?

> If that's not what you are after, could you please explain further?
>
> Craig

Thanks,
-warner
Re: [TC4] multiple certificates
I believe that the different port idea is correct (for any web server - not just tomcat). Another point to consider is that if tomcat is used in conjunction with a web server (such as apache or IIS), the web server does all of the SSL stuff for the communication with the browser, so you are stuck with web server limitations that are out of tomcat's control.

Aaron Knauf
Systems Integrator
Genie Systems Ltd
Auckland, New Zealand
Ph. +64-9-573 3310 x812
email: [EMAIL PROTECTED]
http://www.geniesystems.com

Warner Onstine [EMAIL PROTECTED]
22/11/2000 18:36
Please respond to tomcat-dev

To: [EMAIL PROTECTED]
cc:
Subject: Re: [TC4] multiple certificates

----- Original Message -----
From: Craig R. McClanahan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2000 7:43 PM
Subject: Re: [TC4] multiple certificates

> Warner Onstine wrote:
>
> > Hi all,
> >
> > It's been a while since I looked at the SSL stuff and I just received a request which I'm not sure how it would be handled in TC4. Would it be possible to handle multiple certificates for SSL per servlet? If this needs further clarification let me know.
>
> I guess I don't quite get what you are after. Are you talking about a certificate chain that authenticates an individual user? If so, that is already supported -- the request attribute that you get is an array of certificate objects, with the first one being the certificate of the client principal, and the subsequent ones being the certificates of the certificate authorities vouching for the previous certificate in the chain.

Sure, what we're working with is possibly using different server certificates for different servlets, is this at all possible? From what I can tell right now, no. Basically what I see right now is if we turn on ssl support it uses the certificate that you specify for each connection from the SSLServerSocketFactory. The only way I can see doing this is to specify a different port for different certificates, correct?

> If that's not what you are after, could you please explain further?
>
> Craig

Thanks,
-warner