Posted to dev@tomcat.apache.org by bu...@apache.org on 2020/04/15 12:51:28 UTC

[Bug 64353] New: Add support for accessing server certificate from TLS context

https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

            Bug ID: 64353
           Summary: Add support for accessing server certificate from TLS
                    context
           Product: Tomcat 10
           Version: 10.0.0-M4
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: michaelo@apache.org
  Target Milestone: ------

Based on this discussion:
https://www.mail-archive.com/users@tomcat.apache.org/msg134872.html

There should be an option to access the used server certificate from the
current request being served by one TLS context. As easy as:
request.getAttribute("magic_name")
Return would be, similar to client certs, X509Certificate or X509Certificate[].

This requires these changes (non-exhaustive):
* SSLSupport implementations
* Define a new property in SSLSupport and org.apache.catalina.Globals for the
server cert
* org.apache.catalina.util.TLSUtil.isTLSRequestAttribute(String) and its
callers
* org.apache.coyote.AbstractProcessor.populateSslRequestAttributes() to add new
attribute to the request
* SSLValve to read server cert from reverse proxy, CGI var SSL_SERVER_CERT
* AJP and friends to deliver this piece of information

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 64353] Add support for accessing server certificate from TLS context

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

--- Comment #1 from Bhavesh <mi...@gmail.com> ---
Based on the discussion
(https://www.mail-archive.com/users@tomcat.apache.org/msg142103.html) with
Mark, please add the ability to get the SNI name used by TLS. For each request,
this will give the application the ability to know the SNI hostname that was
used to connect to the server.
