Craig R. McClanahan wrote:
>
> On Mon, 17 Sep 2001, GOMEZ Henri wrote:
>
>
>>Date: Mon, 17 Sep 2001 23:03:36 +0200
>>From: GOMEZ Henri <[EMAIL PROTECTED]>
>>Reply-To: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED]
>>Subject: RE: SSL Attributes
>>
>>
>>>Even in the 2.2 spec, this was required to be an array of certificates.
>>>
>>>What did Tomcat 3.2 do? If 3.2 does it right, this would seem to be a
>>>regression.
>>>
>>TC 3.2 also has it as a string and it's bad.
>>I'm strongly in favor of having TC 3.3 handle it as indicated by the spec.
>>
>>
>>>>Cheers
>>>>
>>>>Jean-frederic
>>>>
>>>>Note:
>>>>javax.servlet.cert.X509Certificate is in JSSE.
>>>>java.servlet.cert.X509Certificate is in JDK (even in 1.2.2).
>>>>
>>>>
>>>Not only that, the JSSE version doesn't even inherit from the JDK version
>>>:-(. When using JSSE (i.e. in Tomcat stand-alone) you have to convert the
>>>certificates manually.
>>>
>>I've got a question not really well covered in the spec.
>>When you get the X509Certificate, you get the certificate
>>presented by the browser? So only one certificate, isn't it?
>>
>>That's currently what mod_ssl presents :)
>>
>>
>
> JSSE presents the entire client certificate chain, with the first one in
> the chain being the certificate of the client itself, followed by the
> certificate of the CA that vouches for the client cert, and so on.
>
> Craig

That's essentially my question about the current code JF patched in the
connectors. I need to examine the issue a little further, but I don't
believe that this would correctly address the client cert auth issue
(dunno about how the connectors work). I need to build the entire cert
chain.

Now the classes for managing cert chains are in the JSSE. Are there any
compatibility issues WRT JDK 1.1 and JSSE?

- Christopher
/**
* Weep, weep, my eyes, and dissolve into tears!
* One half of my life has laid the other in the grave.
* ---Corneille
*/
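
Added example (not part of the thread and not Tomcat code): a Java helper that accepts the client-certificate request attribute only in the array form discussed above and checks that the chain is ordered client first, each certificate followed by its issuer. The class and method names are hypothetical; the attribute name is the one defined by the Servlet specification.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;

public class ClientCertChain {
    // Request attribute name defined by the Servlet specification.
    static final String ATTR = "javax.servlet.request.X509Certificate";

    /** Accept only the array form; a String or a lone certificate is a container bug. */
    static X509Certificate[] normalize(Object attr) {
        if (attr == null) return new X509Certificate[0];   // no client cert presented
        if (attr instanceof X509Certificate[]) return (X509Certificate[]) attr;
        throw new IllegalStateException(
            ATTR + " must be X509Certificate[], got " + attr.getClass().getName());
    }

    /** Check order and linkage: chain[0] is the client, chain[i+1] issued and signed chain[i]. */
    static void checkLinkage(X509Certificate[] chain, Date now) throws Exception {
        if (chain.length == 0) throw new IllegalArgumentException("empty chain");
        for (int i = 0; i < chain.length; i++) {
            chain[i].checkValidity(now);                    // expired / not yet valid
            if (i + 1 < chain.length) {
                X509Certificate issuer = chain[i + 1];
                if (!chain[i].getIssuerX500Principal()
                             .equals(issuer.getSubjectX500Principal())) {
                    throw new CertificateException("chain out of order at index " + i);
                }
                chain[i].verify(issuer.getPublicKey());     // signature by the next cert
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: the String form the thread says TC 3.2 exposes.
        try {
            normalize("-----BEGIN CERTIFICATE----- (constructed placeholder)");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("no cert presented: " + normalize(null).length);
    }
}
```

`checkLinkage` only confirms ordering, validity dates and signatures within the presented chain; deciding whether the chain ends at a trusted CA still requires path validation against the server's trust store.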