Posted to dev@tomcat.apache.org by Patrick Beckmann <to...@patrickbeckmann.de> on 2016/03/13 20:56:49 UTC

[PATCH] HTTP Public Key Pinning for Tomcat

Hello,

As an occasional user of Tomcat I was missing HTTP Public Key Pinning
header support¹. So I have added it to the existing
"HttpHeaderSecurityFilter" class and would like to share it with you in
case you are interested. Please see the attached patch.

Best Regards,
Patrick Beckmann

¹ https://tools.ietf.org/html/rfc7469

Re: [PATCH] HTTP Public Key Pinning for Tomcat

Posted by Mark Thomas <ma...@apache.org>.
On 13/03/2016 19:56, Patrick Beckmann wrote:
> Hello,
> 
> As an occasional user of Tomcat I was missing HTTP Public Key Pinning
> header support¹. So I have added it to the existing
> "HttpHeaderSecurityFilter" class and would like to share it with you in
> case you are interested. Please see the attached patch.

Patches posted directly to the mailing list can easily get lost if they
aren't acted upon immediately. I strongly recommend that you open an
enhancement request in Bugzilla to track this request and add the patch
there.

I've only glanced at the patch but my immediate feedback is:
- why a hard limit of three pins?
- how to support new algorithms as they are added to the spec

I'd like to see a slightly more generic solution.

Mark
