Posted to dev@tomcat.apache.org by Apache Wiki <wi...@apache.org> on 2015/04/14 02:27:30 UTC
[Tomcat Wiki] Update of "JNDI_startTLs_HowTo" by KonstantinKolinko
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "JNDI_startTLs_HowTo" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/JNDI_startTLs_HowTo?action=diff&rev1=4&rev2=5
Comment:
Add link to BZ 49785. Note that this feature is available from Tomcat proper.
+ '''Note:''' Nowadays StartTLS support is implemented in JDNIRealm of Tomcat — starting with Tomcat 7.0.60, 8.0.21 ([[https://bz.apache.org/bugzilla/show_bug.cgi?id=49785|BZ 49785]]).
+
+ This old page describes an alternative solution and is kept as a historic reference. Note that BZ 49785 has a [[https://bz.apache.org/bugzilla/show_bug.cgi?id=49785#c1|link]] to this page.
+
+ == JNDI StartTLS HowTo ==
+
In reference to: http://www.mail-archive.com/users@tomcat.apache.org/msg80660.html this Howto describes the configuration of a JNDI Realm connecting to an LDAP directory using StartTLS for connection establishment.
StartTLS is the method of negotiating a TLS connection. For LDAP it was first time in RFC 2830, then refined in RFC 4513.
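Review bot: The added note on the first + line spells the realm "JDNIRealm", while the page name and the new heading both use "JNDI"; it should read "JNDIRealm". Because the note names two release lines, "starting with Tomcat 7.0.60 and 8.0.21" would read more clearly than the comma-separated form. The unchanged sentence "For LDAP it was first time in RFC 2830" is missing a verb and could be fixed in the same wiki edit.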
@@ -22, +28 @@
The code probably needs auditing. More testing. And definitely more tightening: e.g.: When starting the negotiation the client (Tomcat + `LdapTlsContextFactory`) sends an `SSLv2Hello`, which is anything but desirable. This could be due to Sun’s poor defaults in their SSL implementation, an oversight in the code, or because I’ve missed out a JVM startup options.
----
- [[CategoryFAQ|CategoryFAQ]]
+ [[CategoryFAQ]]
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [Tomcat Wiki] Update of "JNDI_startTLs_HowTo" by KonstantinKolinko
Posted by Felix Schumacher <fe...@internetallee.de>.
On 14 April 2015 02:27:30 CEST, Apache Wiki <wi...@apache.org> wrote:
>Dear Wiki user,
>
>You have subscribed to a wiki page or wiki category on "Tomcat Wiki"
>for change notification.
>
>The "JNDI_startTLs_HowTo" page has been changed by KonstantinKolinko:
>https://wiki.apache.org/tomcat/JNDI_startTLs_HowTo?action=diff&rev1=4&rev2=5
>
>Comment:
>Add link to BZ 49785. Note that this feature is available from Tomcat
>proper.
>
>+ '''Note:''' Nowadays StartTLS support is implemented in JDNIRealm
>of Tomcat — starting with Tomcat 7.0.60, 8.0.21
>([[https://bz.apache.org/bugzilla/show_bug.cgi?id=49785|BZ 49785]]).
>+
>+ This old page describes an alternative solution and is kept as a
>historic reference. Note that BZ 49785 has a
>[[https://bz.apache.org/bugzilla/show_bug.cgi?id=49785#c1|link]] to
>this page.
Thanks for updating the page.
Felix
>+
>+ == JNDI StartTLS HowTo ==
>+
>In reference to:
>http://www.mail-archive.com/users@tomcat.apache.org/msg80660.html this
>Howto describes the configuration of a JNDI Realm connecting to an LDAP
>directory using StartTLS for connection establishment.
>
>StartTLS is the method of negotiating a TLS connection. For LDAP it was
>first time in RFC 2830, then refined in RFC 4513.
>@@ -22, +28 @@
>
>The code probably needs auditing. More testing. And definitely more
>tightening: e.g.: When starting the negotiation the client (Tomcat +
>`LdapTlsContextFactory`) sends an `SSLv2Hello`, which is anything but
>desirable. This could be due to Sun’s poor defaults in their SSL
>implementation, an oversight in the code, or because I’ve missed out a
>JVM startup options.
>
> ----
>- [[CategoryFAQ|CategoryFAQ]]
>+ [[CategoryFAQ]]