Posted to dev@tomcat.apache.org by "Md. Jahid Shohel" <js...@gmail.com> on 2007/12/07 15:46:49 UTC

Tomcat SSL handshaking

Hi,

I am really sorry to be mailing here with such a question. I am mailing
here because I didn't get any help from other places. My question is
---

How can I take control of the SSL handshaking from Tomcat, so that I
can do the handshaking process myself?

Regards.


Jahid

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Tomcat SSL handshaking

Posted by Bill Barker <wb...@wilshire.com>.
"Md. Jahid Shohel" <js...@gmail.com> wrote in message 
news:a32d28300712080230m90392d6ia8819124956b98b5@mail.gmail.com...
> Hi,
> (Sorry for resending the same message. There were some typos. I am
> really sorry for resending.)
>
>
> First of all, Filip and Bill, thanks a lot for such good suggestions.
> Though I still didn't implement it, I will give it a try according to what you
> said.
>
> One more question: can you tell me, when the first user makes an SSL
> request (I mean via https://www.mysite.com), which part of the code
> sends the server's certificate to the client?
>

Well, the first place to look is org.apache.tomcat.net.SSL* (at least for 
the BIO Connector).  However, Tomcat doesn't understand SSL/TLS.  It relies 
on finding an SSLImplementation that does understand it, and delegates to 
it.  The two that ship with Tomcat are in org.apache.tomcat.net.jsse and 
org.apache.tomcat.net.puretls.

If all you care about is certs, then it will probably be easier to configure 
your own X509KeyManager and X509TrustManager as in the JSSE docs.

> Also, how can I prevent Tomcat from going to any Certificate
> Authority (CA) to check the client's certificate?
>

This is actually configurable with PureTLS.  But for JSSE, see my comment 
above.

> Getting control of the whole handshake is the perfect solution for me.
> Also, seeing how Tomcat does that handshaking (I mean from A to Z of
> Tomcat's handshake, from the client sending "hello" to the final session
> key generation) would be a good help in learning how to hook in my own
> handshaking. Also, if you tell me where to look for the implementation,
> then I can get some idea while I am implementing my part of the code.
>
>
>
> If you have any suggestion, please let me know.
>
>
> Regards,
>
> Jahid 






Re: Tomcat SSL handshaking

Posted by "Md. Jahid Shohel" <js...@gmail.com>.
Hi,
(Sorry for resending the same message. There were some typos. I am
really sorry for resending.)


First of all, Filip and Bill, thanks a lot for such good suggestions.
Though I still didn't implement it, I will give it a try according to what you
said.

One more question: can you tell me, when the first user makes an SSL
request (I mean via https://www.mysite.com), which part of the code
sends the server's certificate to the client?

Also, how can I prevent Tomcat from going to any Certificate
Authority (CA) to check the client's certificate?

Getting control of the whole handshake is the perfect solution for me.
Also, seeing how Tomcat does that handshaking (I mean from A to Z of
Tomcat's handshake, from the client sending "hello" to the final session
key generation) would be a good help in learning how to hook in my own
handshaking. Also, if you tell me where to look for the implementation,
then I can get some idea while I am implementing my part of the code.



If you have any suggestion, please let me know.


Regards,

Jahid



Re: Tomcat SSL handshaking

Posted by "Md. Jahid Shohel" <js...@gmail.com>.
Hi,

First of all, Filip and Bill, thanks a lot for such good suggestions.
Though I still didn't implement it, I will give it a try according to what you
said.

One more question: can you tell me, when the first user makes an SSL
request (I mean via http://www.mysite.com), which part of the code
sends the server's certificate to the client?

Also, how can I prevent Tomcat from going to any Certificate
Authority (CA) to check the client's certificate?

Getting control of the whole handshake is the perfect solution for me.
Also, seeing how Tomcat does that handshaking (I mean from A to Z of
Tomcat's handshake, from the client sending "hello" to the final session
key generation) would be a good help in learning how to hook in my own
handshaking.



If you have any suggestion, please let me know.


Regards,

Jahid

On Dec 7, 2007 8:39 PM, Bill Barker <wb...@wilshire.com> wrote:
>
>
> > -----Original Message-----
> > From: Filip Hanik - Dev Lists [mailto:devlists@hanik.com]
> > Sent: Friday, December 07, 2007 10:46 AM
> > To: Tomcat Developers List
> > Subject: Re: Tomcat SSL handshaking
> >
> > really only one way of doing it.
> > In the BIO connector
> > protocol="org.apache.coyote.http11.Http11Protocol", the handshake
> > happens inside the blocking streams (at the JSSE layer), so I don't
> > think you can control it here.
>
> Actually, you can specify your own SSLImplementation class here, and do
> anything you like with the SSL protocol.  JSSE is just what you get when it
> can't find anything else.
>
>
> > In the APR connector
> > protocol="org.apache.coyote.http11.Http11AprProtocol", the handshake
> > happens inside the openssl layer, so you can't do it there
> >
> > In the NIO connector
> > protocol="org.apache.coyote.http11.Http11NioProtocol", the handshake
> > happens inside the SSLEngine, but you could swap that out,
> > since this is
> > the only connector that actually gets hold of the bytes that get sent
> > over the network. The code for this would be
> > org/apache/tomcat/util/net/SecureNioChannel.java, look at the
> > handshake
> > method
> >
> > http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java?view=markup
> >
> > Filip
> >
> > Md. Jahid Shohel wrote:
> > > Hi,
> > >
> > > I am really sorry to be mailing here with such a question. I am mailing
> > > here because I didn't get any help from other places. My question is
> > > ---
> > >
> > >
> > > How can I take control of the SSL handshaking from Tomcat, so that I
> > > can do the handshaking process myself?
> > >
> > > Regards.
> > >
> > >
> > > Jahid
> > >



Re: Tomcat SSL handshaking

Posted by "Md. Jahid Shohel" <js...@gmail.com>.
Hi,

Is it true that, if PureTLS is there, then Tomcat will not use JSSE
while doing the SSL handshaking? I mean, to select the SSL implementation,
Tomcat gives priority to PureTLS over JSSE?

Regards,

Jahid

On Dec 7, 2007 8:39 PM, Bill Barker <wb...@wilshire.com> wrote:
>
>
> > -----Original Message-----
> > From: Filip Hanik - Dev Lists [mailto:devlists@hanik.com]
> > Sent: Friday, December 07, 2007 10:46 AM
> > To: Tomcat Developers List
> > Subject: Re: Tomcat SSL handshaking
> >
> > really only one way of doing it.
> > In the BIO connector
> > protocol="org.apache.coyote.http11.Http11Protocol", the handshake
> > happens inside the blocking streams (at the JSSE layer), so I don't
> > think you can control it here.
>
> Actually, you can specify your own SSLImplementation class here, and do
> anything you like with the SSL protocol.  JSSE is just what you get when it
> can't find anything else.
>
>
> > In the APR connector
> > protocol="org.apache.coyote.http11.Http11AprProtocol", the handshake
> > happens inside the openssl layer, so you can't do it there
> >
> > In the NIO connector
> > protocol="org.apache.coyote.http11.Http11NioProtocol", the handshake
> > happens inside the SSLEngine, but you could swap that out,
> > since this is
> > the only connector that actually gets hold of the bytes that get sent
> > over the network. The code for this would be
> > org/apache/tomcat/util/net/SecureNioChannel.java, look at the
> > handshake
> > method
> >
> > http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java?view=markup
> >
> > Filip
> >
> > Md. Jahid Shohel wrote:
> > > Hi,
> > >
> > > I am really sorry to be mailing here with such a question. I am mailing
> > > here because I didn't get any help from other places. My question is
> > > ---
> > >
> > >
> > > How can I take control of the SSL handshaking from Tomcat, so that I
> > > can do the handshaking process myself?
> > >
> > > Regards.
> > >
> > >
> > > Jahid
> > >



RE: Tomcat SSL handshaking

Posted by Bill Barker <wb...@wilshire.com>.
 

> -----Original Message-----
> From: Filip Hanik - Dev Lists [mailto:devlists@hanik.com] 
> Sent: Friday, December 07, 2007 10:46 AM
> To: Tomcat Developers List
> Subject: Re: Tomcat SSL handshaking
> 
> really only one way of doing it.
> In the BIO connector 
> protocol="org.apache.coyote.http11.Http11Protocol", the handshake 
> happens inside the blocking streams (at the JSSE layer), so I don't 
> think you can control it here.

Actually, you can specify your own SSLImplementation class here, and do
anything you like with the SSL protocol.  JSSE is just what you get when it
can't find anything else.

> In the APR connector 
> protocol="org.apache.coyote.http11.Http11AprProtocol", the handshake 
> happens inside the openssl layer, so you can't do it there
> 
> In the NIO connector 
> protocol="org.apache.coyote.http11.Http11NioProtocol", the handshake 
> happens inside the SSLEngine, but you could swap that out, 
> since this is 
> the only connector that actually gets hold of the bytes that get sent 
> over the network. The code for this would be 
> org/apache/tomcat/util/net/SecureNioChannel.java, look at the 
> handshake 
> method
> 
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java?view=markup
> 
> Filip
> 
> Md. Jahid Shohel wrote:
> > Hi,
> >
> > I am really sorry to be mailing here with such a question. I am mailing
> > here because I didn't get any help from other places. My question is
> > ---
> >
> >
> > How can I take control of the SSL handshaking from Tomcat, so that I
> > can do the handshaking process myself?
> >
> > Regards.
> >
> >
> > Jahid
> >



This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL.  If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail.




Re: Tomcat SSL handshaking

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
really only one way of doing it.
In the BIO connector 
protocol="org.apache.coyote.http11.Http11Protocol", the handshake 
happens inside the blocking streams (at the JSSE layer), so I don't 
think you can control it here.
In the APR connector 
protocol="org.apache.coyote.http11.Http11AprProtocol", the handshake 
happens inside the openssl layer, so you can't do it there.

In the NIO connector 
protocol="org.apache.coyote.http11.Http11NioProtocol", the handshake 
happens inside the SSLEngine, but you could swap that out, since this is 
the only connector that actually gets hold of the bytes that get sent 
over the network. The code for this would be 
org/apache/tomcat/util/net/SecureNioChannel.java, look at the handshake 
method

http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java?view=markup

Filip

Md. Jahid Shohel wrote:
> Hi,
>
> I am really sorry to be mailing here with such a question. I am mailing
> here because I didn't get any help from other places. My question is
> ---
>
>
> How can I take control of the SSL handshaking from Tomcat, so that I
> can do the handshaking process myself?
>
> Regards.
>
>
> Jahid
>
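Filip's pointer to the handshake method in SecureNioChannel and Bill's remark that the key and trust managers are what JSSE plugs in can be seen together in the following added, stand-alone example (not Tomcat's code and not from any message in this thread): two in-memory SSLEngines complete a handshake through ByteBuffers using the same wrap/unwrap/NEED_TASK state machine the NIO connector drives. It assumes the standard javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties point at a keystore holding the server key and certificate and a truststore containing that certificate, so that SSLContext.getDefault() already carries an X509KeyManager and an X509TrustManager; the class name EngineHandshakeDemo is made up.

```java
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.*;
import java.nio.ByteBuffer;
import java.security.cert.X509Certificate;

public class EngineHandshakeDemo {
    // Advance one engine until it is done or needs bytes the peer has not sent yet.
    // 'in' holds records received from the peer, 'out' collects records to send to it.
    static void step(SSLEngine e, ByteBuffer in, ByteBuffer out, ByteBuffer app) throws SSLException {
        HandshakeStatus hs = e.getHandshakeStatus();
        while (hs != HandshakeStatus.FINISHED && hs != HandshakeStatus.NOT_HANDSHAKING) {
            if (hs == HandshakeStatus.NEED_TASK) {          // signature and chain checks run here
                for (Runnable t = e.getDelegatedTask(); t != null; t = e.getDelegatedTask()) t.run();
                hs = e.getHandshakeStatus();
            } else if (hs == HandshakeStatus.NEED_WRAP) {   // emit the next handshake record
                SSLEngineResult r = e.wrap(ByteBuffer.allocate(0), out);
                if (r.getStatus() == Status.BUFFER_OVERFLOW) throw new SSLException("out buffer full");
                hs = r.getHandshakeStatus();
            } else {                                        // NEED_UNWRAP: consume one peer record
                in.flip();
                SSLEngineResult r = e.unwrap(in, app);
                in.compact();
                if (r.getStatus() == Status.BUFFER_UNDERFLOW) return;  // wait for the peer's next flight
                if (r.getStatus() == Status.CLOSED) throw new SSLException("peer closed mid-handshake");
                hs = r.getHandshakeStatus();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: javax.net.ssl.keyStore/trustStore system properties supply key and trust managers.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine server = ctx.createSSLEngine();                 server.setUseClientMode(false);
        SSLEngine client = ctx.createSSLEngine("localhost", 8443); client.setUseClientMode(true);
        int net = 4 * server.getSession().getPacketBufferSize();   // room for a whole flight of records
        int appSz = server.getSession().getApplicationBufferSize();
        ByteBuffer c2s = ByteBuffer.allocate(net), s2c = ByteBuffer.allocate(net);       // the "wire"
        ByteBuffer cApp = ByteBuffer.allocate(appSz), sApp = ByteBuffer.allocate(appSz); // plaintext sinks
        client.beginHandshake(); server.beginHandshake();
        for (int round = 0; client.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING
                || server.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING; round++) {
            if (round > 20) throw new SSLException("handshake did not converge");
            step(client, s2c, c2s, cApp);   // client reads from s2c and writes into c2s
            step(server, c2s, s2c, sApp);   // server does the reverse
        }
        X509Certificate peer = (X509Certificate) client.getSession().getPeerCertificates()[0];
        System.out.println(client.getSession().getProtocol() + " " + client.getSession().getCipherSuite()
                + ", server authenticated as " + peer.getSubjectX500Principal());
    }
}
```

The client side here only validates the server's chain against the truststore; a real client should also set SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") so the certificate is checked against the host name.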

