On 15/04/2020 12:06, Osipov, Michael wrote:
> Folks,
>
> is there any way to access the server certificate from a valve which has
> been used to establish the TLS context? I haven't found an easy way. I
> don't want to traverse request.getConnector().findSslHostConfigs()
> because it would make it more complex than necessary or even unreliable,
> especially when SANs are used.
>
> I'd like to evaluate RFC 5929 for the paranoid.
This is fairly easy with a small patch to Tomcat.

The non-specification compliant request attribute javax.servlet.request.ssl_session_mgr gives you an instance of org.apache.tomcat.util.net.SSLSupport. If you add a method to that interface, I suggest:

java.security.cert.Certificate[] getLocalCertificates();

That is then trivial to implement in JSSESupport. It is a little more work for AprSSLSupport but SSL_INFO_SERVER_CERT should get you what you want.

Mark
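As an added illustration (not code from either poster or from Tomcat itself), here is a valve that consumes the proposed getLocalCertificates() method to derive the RFC 5929 tls-server-end-point channel binding, which is the check Michael wanted to evaluate. It assumes the patch Mark describes has been applied to SSLSupport; the attribute name tls-server-end-point under which the binding is exposed is the example's own choice.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Locale;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.net.SSLSupport;

/** Exposes the RFC 5929 tls-server-end-point binding of the serving certificate to the application. */
public class ServerEndPointValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Non-specification attribute populated by the Tomcat connector for TLS connections.
        Object support = request.getAttribute("javax.servlet.request.ssl_session_mgr");
        if (support instanceof SSLSupport) {
            // getLocalCertificates() is the method proposed in the reply; assumed to be patched into SSLSupport.
            Certificate[] chain = ((SSLSupport) support).getLocalCertificates();
            if (chain != null && chain.length > 0 && chain[0] instanceof X509Certificate) {
                try {
                    byte[] binding = tlsServerEndPoint((X509Certificate) chain[0]);
                    if (binding != null) {
                        request.setAttribute("tls-server-end-point", Base64.getEncoder().encodeToString(binding));
                    }
                } catch (GeneralSecurityException e) {
                    container.getLogger().warn("Cannot derive tls-server-end-point binding", e);
                }
            }
        }
        getNext().invoke(request, response);
    }

    /**
     * RFC 5929 section 4.1: hash the DER end-entity certificate with the hash of its signature
     * algorithm; MD5 and SHA-1 are replaced by SHA-256. Returns null when the hash cannot be
     * determined from the algorithm name (e.g. RSASSA-PSS), in which case no binding is defined.
     */
    static byte[] tlsServerEndPoint(X509Certificate cert) throws GeneralSecurityException {
        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.ROOT);   // e.g. "SHA256WITHRSA"
        int with = sigAlg.indexOf("WITH");
        String prefix = with > 0 ? sigAlg.substring(0, with) : sigAlg;
        String hash;
        if (prefix.equals("MD5") || prefix.equals("SHA1") || prefix.equals("SHA-1")) hash = "SHA-256";
        else if (prefix.matches("SHA(224|256|384|512)")) hash = "SHA-" + prefix.substring(3);
        else return null;
        return MessageDigest.getInstance(hash).digest(cert.getEncoded());
    }
}
```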
