shibboleth-dev - Re: Tomcat and certificate validation for SSL
Shibboleth Developers list archive
- From: Chad La Joie <>
- To:
- Subject: Re: Tomcat and certificate validation for SSL
- Date: Tue, 14 Jun 2005 09:37:49 -0400
- Organization: UIS - Project Sentinel
Howard Gilbert wrote:
> You should be able to do this for Tomcat by overriding the default
> SSLContext object (a static property of the SSLContext class). It is JSSE
> built into the Java Runtime that you need to override. Create an SSLContext
> with an additional TrustManager in the array of TrustManagers that accepts
> all client Certificates.
The JSSE defined way of doing this is to set the Java system property
ssl.ServerSocketFactory.provider to a ServerSocketFactory that you
write, which returns a Socket that you write that does the validation
(or in this case, doesn't do it). Setting the SSLContext is not kosher
with the standard and could lead to all sorts of nasty errors down the
road if they change something.
The problem isn't that I don't know how to do it, the problem is trying
to do it in a way that 1) doesn't break other apps in the container,
2) is cool with the standard, and 3) is container agnostic. At the
moment I'm not seeing a good way, but that's why I keep exploring
options. ;)
> The SP does this in order to validate the AA Server Certificate in the
> Metadata even though it is not in the CACerts. However, the SP can set this
> up on a session by session basis, while playing the Server side of the same
> trick requires changing behavior statically for the entire JVM. As long as
> you don't run a second application in the same Tomcat that (and now it gets
> really strange) opens its own SSLServerSocket separate from anything Tomcat
> is doing, then this change to the JVM behavior will simply appear as Tomcat
> doing what you want.
The SP can do this because it's doing an out-of-band call to the IdP.
Out-of-band meaning you manage the whole call lifecycle and it's not
part of the HttpServletRequest/Response pair. The IdP cannot do this
because Tomcat is handling the connections.
> As has been noted, since the Client Cert is presented in the API, it can be
> validated against the Metadata there. So the TrustManager in the IdP doesn't
> need to do Trust itself (unlike the SP code), it can simply return and
> approve all Client Certificates.
Not sure I follow this one. Are you suggesting the IdP not validate the
certs against the metadata?
--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124
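The two halves of the scheme Howard describes above (a TrustManager that approves every client certificate at the TLS layer, and the real check done later in the application against the certificates carried in metadata) look roughly like this in JSSE and Servlet API terms. This is an added illustration written for this archive page, not Shibboleth code; the class names, the `MetadataCertFilter`, and the `fromMetadata` set are assumptions, and how the resulting `SSLContext` gets wired into the connector is container-specific (which is exactly the container-agnosticism problem Chad raises).

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical names); pairs an accept-all TLS trust manager
 *  with an application-layer check against metadata certificates. */
public final class MetadataClientCertCheck {

    /** TLS-layer trust manager that approves every client chain. This is only
     *  acceptable if something downstream (the filter below) does the real check. */
    public static final class AcceptAllClientCerts implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // Deliberately no validation here: the application layer decides.
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // Server-side only; refuse to be (mis)used for outbound connections.
            throw new CertificateException("not intended for server certificate validation");
        }
        @Override public X509Certificate[] getAcceptedIssuers() {
            // Empty list: no CA names are advertised in the CertificateRequest,
            // so a client may offer a certificate from any issuer.
            return new X509Certificate[0];
        }
    }

    /** Builds an SSLContext whose client-auth decision is deferred to the application. */
    public static SSLContext contextAcceptingAnyClientCert(KeyManager[] serverKeys)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(serverKeys, new TrustManager[] { new AcceptAllClientCerts() }, new SecureRandom());
        return ctx;
    }

    /** Application-layer check: the leaf certificate the container hands us must be
     *  exactly one of the certificates taken from metadata, and still within its
     *  validity window (the TLS layer no longer enforces that for us). */
    public static boolean matchesMetadata(X509Certificate[] presented, Set<X509Certificate> fromMetadata) {
        if (presented == null || presented.length == 0) {
            return false;
        }
        X509Certificate leaf = presented[0];
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            return false;
        }
        // java.security.cert.Certificate.equals compares DER encodings, so this is an
        // exact-certificate match, not a subject DN match (a DN alone is forgeable
        // by anyone with a cooperative CA).
        return fromMetadata.contains(leaf);
    }

    /** Servlet filter rejecting requests whose client certificate is not in metadata. */
    public static final class MetadataCertFilter implements Filter {
        private final Set<X509Certificate> trusted;

        public MetadataCertFilter(Set<X509Certificate> trusted) {
            this.trusted = trusted;
        }

        @Override public void init(FilterConfig config) { }
        @Override public void destroy() { }

        @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // The Servlet spec exposes the chain received during the handshake here.
            X509Certificate[] presented =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            if (!matchesMetadata(presented, trusted)) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
        }
    }
}
```

The important property is that the accept-all trust manager and the filter are a matched pair: if the filter is left off a protected path, any client holding any certificate passes the TLS handshake and reaches the application unchallenged, which is the "nasty errors down the road" risk of overriding trust JVM-wide.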