- Original Message -
From: "Jan Luehe" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Wednesday, October 15, 2003 6:38 PM
Subject: How to make CLIENT-CERT protection work?
> Consider the following scenario:
>
> 1. Client sends POST request (with content type other than
> "application/x-www-form-urlencoded") to SSL-enabled server (with
> client auth turned off).
>
> 2. Server parses request header, and determines that the resource
> identified by the request-URI is CLIENT-CERT protected.
>
> 3. Server's SSLAuthenticator valve reinitiates SSL handshake, w/
> client auth turned on.
>
> 4. The server sends its HelloRequest, and expects to read the client's
> ClientHello. However, what it gets is the POST request's body which
> hadn't been read yet.
>
> 5. SSL handshake fails.
>
>
> In order to avoid this problem, SSLAuthenticator.authenticate()
> "clears" the socket in the case of a POST request by reading the POST
> request's body *before* reinitiating the handshake. To read the POST
> body, it calls CoyoteRequest.getParameterMap(), which reads and
> processes the POST body only if the content type equals
> "application/x-www-form-urlencoded".
>
> Therefore, the SSL re-handshake works according to plan if the content
> type equals "application/x-www-form-urlencoded", but fails for any
> other content type.
>
> Should we always read the POST body in getParameterMap(), and cache it
> in a byte[] if content type is different from
> "application/x-www-form-urlencoded", and have
> CoyoteRequest.getInputStream()/getReader() return wrappers around this
> byte[]?
>
> Any better suggestions?
It would probably be better to remove the POST check from SSLAuthenticator,
and move it to Http11Processor.action. Then when it is processing
ACTION_REQ_SSL_CERTIFICATE, it simply need to add a new InputFilter (say,
BufferedInputFilter) that does a full read of the Request data.
>
> Thanks,
>
>
> Jan
>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
This message is intended only for the use of the person(s) listed above as the
intended recipient(s), and may contain information that is PRIVILEGED and
CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or
distribute this message or any attachment. If you received this communication in
error, please notify us immediately by e-mail and then delete all copies of this
message and any attachments.
In addition you should be aware that ordinary (unencrypted) e-mail sent through the
Internet is not secure. Do not send confidential or sensitive information, such as
social security numbers, account numbers, personal identification numbers and
passwords, to us via ordinary (unencrypted) e-mail.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
