Wolfgang Hoschek wrote:
> 
> Sorry, I am posting to tomcat-dev although not subscribed...
> 
> Two suggestions:
> 
> - Perhaps it is a good idea to also describe in the SSL HOWTO ways to
> configure SSL without stuffing libs into jre/lib/ext. Some sites run
> multiple versions/vendors of jdks, TC, JSSE, et al from (secure) read-only
> shared file systems. In such an environment products and versions are
> deliberately kept separate from each other in order to avoid having to
> maintain countless permutations. Startup scripts "link" everything together
> via env vars. This is also convenient to test different permutations. The
> jre/lib/ext mechanism is not an option, due to the read-only nature.

Hmmm ... that's interesting. It's true that the JSSE libs don't
necessarily have to be an installed extension, and it's easy enough to
include a quick phrase about the classpath instead. I'm reluctant to
encourage users to put them into the internal Tomcat classloader
directories, since that is a rather sketchy configuration (someone will
eventually add JSSE to the classpath as well, which will cause Tomcat to
fail on startup unless the internal versions are removed).

So in your environment, it sounds like you would be simply specifying
the JSSE jars in classpath passed to TC, yes?

> - The other point: I recall a discussion some time ago about the sluggish
> performance of session id generation and the idea of using /dev/random to
> speed this up. The cryptix JCE CryptixRandom provider can be useful here
> (see below a conversation with a sun security engineer).

LOL! I'm a developer on the Cryptix project ... nice to see people
recommending us ;-)

You've actually forced me into tipping my hand a little early, but I was
going to try and persuade the dev list to let me create a dependency on
Cryptix for a few other security proposals that I have not yet
completed. Assuming that I can sell it, I would of _course_ be more than
happy to examine the feasibility of the CryptixRandom class within
Tomcat. It would certainly have the added benefit of also being an
OS-independent solution.

Cryptix JCE ... you made my week with that one =)

- Christopher
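The session-ID point above is worth a concrete illustration. The slow step in early Sun JDKs was not generating the IDs but SecureRandom gathering its own seed; on Linux the usual fix was the `-Djava.security.egd=file:/dev/./urandom` switch, and the equivalent in code is to seed the generator once from the OS device yourself. Note that /dev/random blocks whenever the kernel entropy pool is low, which is exactly the stall a server wants to avoid, whereas /dev/urandom never blocks. The generator below is an added example written for this thread, not Tomcat's own session manager and not the Cryptix CryptixRandom provider; the device path, the 256-bit seed, the 16-byte ID length and the class name are assumptions of the example, and the fallback to `new SecureRandom()` is what gives it the OS-independent behaviour the reply asks for on platforms without a device file.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Added example (not Tomcat's or Cryptix's code): a session ID generator that
 * seeds SecureRandom from the OS entropy device instead of letting the Sun
 * provider collect its own seed, which was the slow step in early JDKs.
 */
public final class SessionIdGenerator {

    /** Assumed device: non-blocking; /dev/random would block when the pool is low. */
    private static final String ENTROPY_DEVICE = "/dev/urandom";

    /** 256 bits of seed is more than the generator's internal state needs. */
    private static final int SEED_BYTES = 32;

    private final SecureRandom random;
    private final int idBytes;

    /**
     * @param idBytes length of each ID in bytes; 16 gives 128 bits, which is
     *                what an attacker must guess to hijack a session.
     */
    public SessionIdGenerator(int idBytes) throws NoSuchAlgorithmException {
        if (idBytes < 16) {
            throw new IllegalArgumentException("session IDs should be at least 128 bits");
        }
        this.idBytes = idBytes;
        this.random = seededRandom();
    }

    /**
     * Seeds SHA1PRNG from the device. On a platform without the device
     * (e.g. Windows) it falls back to the JDK's own strongest source, so the
     * class works everywhere; only the fast startup path is Unix-specific.
     */
    private static SecureRandom seededRandom() throws NoSuchAlgorithmException {
        byte[] seed = new byte[SEED_BYTES];
        try (DataInputStream in = new DataInputStream(new FileInputStream(ENTROPY_DEVICE))) {
            in.readFully(seed);
        } catch (IOException noDevice) {
            return new SecureRandom();
        }
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        // Calling setSeed() before the first nextBytes() replaces SHA1PRNG's
        // self-seeding entirely, so the seed must come from a real entropy
        // source, as it does here; a constant seed would make every ID predictable.
        r.setSeed(seed);
        return r;
    }

    /** Returns a fresh ID as upper-case hex, the same form Tomcat's JSESSIONID uses. */
    public synchronized String nextSessionId() {
        byte[] buf = new byte[idBytes];
        random.nextBytes(buf);
        StringBuilder sb = new StringBuilder(idBytes * 2);
        for (byte b : buf) {
            sb.append(Character.forDigit((b >> 4) & 0x0F, 16));
            sb.append(Character.forDigit(b & 0x0F, 16));
        }
        return sb.toString().toUpperCase();
    }

    public static void main(String[] args) throws Exception {
        // Seeding cost is paid once here, not on every ID.
        SessionIdGenerator gen = new SessionIdGenerator(16);
        long start = System.nanoTime();
        for (int i = 0; i < 3; i++) {
            System.out.println(gen.nextSessionId());
        }
        long micros = (System.nanoTime() - start) / 1000;
        System.out.println("3 IDs in " + micros + " us after one-time seeding");
    }
}
```

Compile and run with `javac SessionIdGenerator.java && java SessionIdGenerator`. The one check a practitioner should keep in mind is that the shortcut only helps because the seed comes from the kernel: swapping in a timestamp or a fixed string to make startup faster still would turn the whole scheme into a predictable ID sequence.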
