You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Stefán Freyr Stefánsson <st...@decode.is> on 2000/09/29 18:00:01 UTC

Lost patch to Tomcat 3.2? Two way SSL authentication.

Hi!

I was wondering if anyone had looked into the updated version of
SSLSocketFactory I sent to this list a while ago.  I was looking at Tomcat
3.2 b5 and the patch is not included in that.  Is that because nobody has
had the time to check it out or is it because you didn't want it implemented
like this?

I'm mostly just curious, but this is also an issue for us.  We're planning
to use Tomcat as an internal webserver in a system we are developing.  We
need two way authentication and Tomcat 3.2 didn't have support for that so
we did our best in implementing it.  The thing is that if we're going to use
Tomcat as the webserver in our system we need to be sure that the releases
that come from you guys support what we need... if we do a patch and send it
to you guys and then don't hear anything from anybody about it, we can't be
sure if we're doing it wrong or it just got lost... and this of course leads
to insecurity about whether or not future releases of Tomcat are going to
actually have the patches we contribute (which btw are usually patches that
are crucial to our application).  So in other words, if the patches we
supply are not used and/or we get no feedback if they are going to be used
we are constantly risking a sort of a "branch" thing... where we would
branch out "our" version of Tomcat.  This is of course not what we want!

Anyways... I just wanted to know what happened to it.  One other thing we're
working on now (which would be another crucial patch to Tomcat for us) is to
be able to get the client certificate through a call to the getAttribute()
method in the ServletRequest interface.  This is something Tomcat 3.2 does
not do (naturally, since it didn't support client authentication before we
made our patch).  If anybody (who has taken a look at the updated
SSLSocketFactory class we did) has a pointer on how it would be best to go
about doing that, please speak up ;o).  We are wondering where it would be
best to set this attribute... should the SSLSocketFactory do it once it
receives the client certificate???  What method in what class lets us set
this attribute (in other words, what attribute thing is this?  Where is it
stored?).

Any help is greatly appreciated as always,

Kind regards,
	Stefan Freyr