Posted to dev@tomcat.apache.org by "Mayne, Peter" <Pe...@ap.spherion.com> on 2003/07/02 03:18:28 UTC

Using my own TrustManager for SSL doesn't work in Tomcat

Tomcat 4.1.24-LE, Sun JDK 1.4.1_01-b01, Windows XP 

I need to install my own TrustManager to handle client SSL connections. 

If I write a standalone test program to use my own TrustManager (with
HttpURLConnection), it works fine. 

If I install my own TrustManager in a servlet, the result is exactly as if I
hadn't installed my TrustManager at all. 

I've put the code from my source program into a servlet and done some
comparisons. 

In the standalone program, the HTTPS connection is implemented by
sun.net.www.protocol.https.HttpsURLConnectionImpl, so setting the default
SSL socket factory with HttpsURLConnection.setDefaultSSLSocketFactory()
works fine.

In the servlet, the HTTPS connection is implemented by
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl, so
setting the default SSL socket factory as above doesn't work. Instead, I
have to use HttpsURLConnectionOldImpl.setDefaultSSLSocketFactory(), which
(unsurprisingly) is deprecated.

Why does Tomcat cause a different implementation of HttpsURLConnection to be
used? How do I get it to use the non-deprecated implementation?

The only vaguely relevant thing I can find is in
SSLServerSocketFactory.java, which explicitly adds
"com.sun.net.ssl.internal.www.protocol" to the "java.protocol.handler.pkgs"
system property. In 1.4, this is not only unnecessary, but will use an old
version of HttpsURLConnection, so this could be construed as a bug. (See
JDKdirectory/docs/guide/security/jsse/JSSERefGuide.html#HttpsURLConnectionEx.)
However, I'm not using an SSLServerSocket, and I don't have any SSL in my
server.xml, so I'm not sure what effect it has.

Thanks. 

PJDM
-- 
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777
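
Added example, not part of the original post: a diagnostic that prints the `java.protocol.handler.pkgs` property and the runtime class of the HTTPS connection, then applies a trust store per connection instead of through the JVM-wide default. The class name `HttpsHandlerCheck` and the three command-line arguments (URL, trust store path, trust store password) are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class HttpsHandlerCheck {

    // Build a socket factory whose TrustManagers accept only the
    // certificates held in the given trust store file.
    static SSLSocketFactory factoryFor(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // args (hypothetical inputs): <https-url> <truststore-path> <truststore-password>
    public static void main(String[] args) throws Exception {
        // Shows whether something in the JVM has registered extra handler packages.
        System.out.println("java.protocol.handler.pkgs = "
            + System.getProperty("java.protocol.handler.pkgs"));

        URLConnection conn = new URL(args[0]).openConnection(); // no network I/O yet
        System.out.println("connection class = " + conn.getClass().getName());

        // Fail closed if the handler did not return javax.net.ssl.HttpsURLConnection,
        // since the trust settings below could not be applied to it.
        if (!(conn instanceof HttpsURLConnection)) {
            throw new IllegalStateException("unexpected HTTPS implementation: "
                + conn.getClass().getName());
        }
        HttpsURLConnection https = (HttpsURLConnection) conn;
        https.setSSLSocketFactory(factoryFor(args[1], args[2].toCharArray()));
        System.out.println("response code = " + https.getResponseCode());
    }
}
```

Running the same check standalone and from inside a servlet shows directly whether the container changed the handler package list or the connection class.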
