On 2/17/10, Mark Thomas <ma...@apache.org> wrote:
> CVE-2009-3555?

Now that this is working, I'd like to ask what other options exist for using client certificate authentication on a per-webapp basis. Requiring my customers to enable a feature (allowUnsafeLegacyRenegotiation) that exposes them to a potential man-in-the-middle attack doesn't seem like a good idea! (Heck, it even says "Unsafe" in the property name!)

I saw mention of overriding the SSL implementation with sslImplementation="classname"... does that still work in 6.x? Is that a good option?

And what about an Authentication Valve, is that the right direction?

Thanks!