Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/11/20 10:57:24 UTC

[Bug 55801] New: Add ability to provide custom SSLContext for websocket client

https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

            Bug ID: 55801
           Summary: Add ability to provide custom SSLContext for websocket
                    client
           Product: Tomcat 7
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: maciej.lypik@gmail.com

Created attachment 31059
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31059&action=edit
Proposed patch

Currently the only available customisation is setting the trust store via
SSL_TRUSTSTORE_PROPERTY. This is not enough in situations where a custom trust
manager has to be used. The most trivial example I can think of is accepting
all certificates.

My proposition is to use a new property to pass an SSLContext using the user
properties of ClientEndpointConfig.

Attached is a proposed patch to add this capability.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
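
The mechanism proposed above, as an added example (not the attached patch and not Tomcat's own code): rather than accepting all certificates, the client builds an SSLContext whose only trust anchor is one server certificate and passes it through the ClientEndpointConfig user properties. The class name, the property key string and a certificate file delivered to the client over a trusted channel are assumptions.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.ContainerProvider;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.Session;

public class PinnedWsClient {
    // Assumed string value of the SSL_CONTEXT_PROPERTY constant named in this thread.
    static final String SSL_CONTEXT_PROPERTY = "org.apache.tomcat.websocket.SSL_CONTEXT";

    // Build an SSLContext whose only trust anchor is the certificate in certFile.
    static SSLContext contextTrustingOnly(String certFile) throws Exception {
        Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(certFile))) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);                 // empty in-memory store
        anchors.setCertificateEntry("server", cert);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: certificate file (PEM or DER), args[1]: wss:// URI of the server
        ClientEndpointConfig config = ClientEndpointConfig.Builder.create().build();
        // Per comment #5, SSL_TRUSTSTORE_PROPERTY is ignored once this is set.
        config.getUserProperties().put(SSL_CONTEXT_PROPERTY, contextTrustingOnly(args[0]));
        Endpoint endpoint = new Endpoint() {
            @Override public void onOpen(Session session, EndpointConfig cfg) {
                System.out.println("connected, session " + session.getId());
            }
        };
        ContainerProvider.getWebSocketContainer()
                .connectToServer(endpoint, config, URI.create(args[1]));
    }
}
```

A handshake with a server presenting any other certificate fails with an SSL exception instead of being silently accepted.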


[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #10 from Mark Thomas <ma...@apache.org> ---
Thanks for the patch. This has been applied to 8.0.x and 7.0.x for 8.0.0-RC6
and 7.0.48 respectively.



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

--- Comment #5 from Konstantin Kolinko <kn...@gmail.com> ---
It is OK for me, but here are two minor glitches

1. Wasted work.

> SSLContext sslContext = SSLContext.getInstance("TLS");

Such getInstance() calls are usually slow. It'd be better to skip it if you are
ignoring its result.

2. You have Javadoc (good), but these properties are also mentioned at the
bottom of
\webapps\docs\web-socket-howto.xml

It would be good to mention somewhere that the value of
SSL_TRUSTSTORE_PROPERTY is ignored when using SSL_CONTEXT_PROPERTY.



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

--- Comment #6 from Christopher Schultz <ch...@christopherschultz.net> ---
I haven't looked at the Websocket client code, but if it's using
HttpsURLConnection (which is a big IF) to negotiate the initial connection,
it's trivial to re-configure it using the standard API.



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

--- Comment #1 from Marek Jagielski <ma...@gmail.com> ---
Hello,
What is the chance to have this patch integrated into trunk? I want to avoid
keeping my fork of tomcat that is only for client code.

This patch would be useful also for those who cope with self-signed
certificates for test purposes.
Thanks,

Marek



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

--- Comment #8 from Maciej Lypik <ma...@gmail.com> ---
Sorry for commenting so late. I've fixed the logic and added a description to
websocket-howto so it should be OK now.

I was also looking for a better solution to this problem. I checked Tyrus and
it also uses custom properties to configure SSLEngine. So I guess there is no
perfect answer until client-side SSL configuration is defined in the WebSocket
spec.



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

--- Comment #3 from Maciej Lypik <ma...@gmail.com> ---
(In reply to Christopher Schultz from comment #2)
> (In reply to Marek Jagielski from comment #1)
> > This patch would be useful also for those who cope with self-signed
> > certificates for test purposes.
> 
> I'm just curious how this would help with self-signed certificates. What can
> you not accomplish with existing APIs/configuration?

If the certificate is known beforehand there is no problem - it can simply be
added to the trust store.

My problem is that clients do not know anything about the server they are
connecting to. I work in a cloud environment and servers are instantiated and
terminated as they are needed. Every time a new server instance is created it
gets a new self-signed certificate. The only thing the client knows about the
server is its IP address. The ability to temporarily ignore certificates would
solve this problem for me.

Additionally, even if the trust store solves the problem for most cases, some
people prefer to ignore certificates. I think it's a fairly common practice in
HTTPS clients. I remember doing so myself in the Jersey Client API.



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Marek Jagielski from comment #1)
> This patch would be useful also for those who cope with self-signed
> certificates for test purposes.

I'm just curious how this would help with self-signed certificates. What can
you not accomplish with existing APIs/configuration?



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

--- Comment #9 from Marek Jagielski <ma...@gmail.com> ---
Hi,
Can you give any feedback on this issue? I need to take a decision to move my
project forward. I want to know if I will stay with the Tomcat implementation
of the websocket client or look for something else. I have already removed the
jwebsocket proprietary implementation to replace it with the jsr356 one.
I would like to use the Tomcat implementation as I have huge confidence in your
project. However, the discussed ability will be crucial for me in the future.
Thanks

Marek



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

Maciej Lypik <ma...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #31059|0                           |1
        is obsolete|                            |

--- Comment #7 from Maciej Lypik <ma...@gmail.com> ---
Created attachment 31080
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31080&action=edit
Corrected patch



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

--- Comment #4 from Maciej Lypik <ma...@gmail.com> ---
I'm wondering if I could get any feedback on this patch. I'd like for it to be
integrated, as it is the only feasible solution to my problem.

I hate to push this myself, but with time it's becoming a blocking issue for
me.



[Bug 55801] Add ability to provide custom SSLContext for websocket client

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55801

Marek Jagielski <ma...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marek.jagielski@gmail.com
