
shibboleth-dev - Re: Tomcat and certificate validation for SSL

List: Shibboleth Developers


Re: Tomcat and certificate validation for SSL


  • From: Chad La Joie <>
  • To:
  • Subject: Re: Tomcat and certificate validation for SSL
  • Date: Tue, 14 Jun 2005 11:30:38 -0400
  • Organization: UIS - Project Sentinel

Howard Gilbert wrote:
> I want to take back some of the things I said. Upon digging into Tomcat
> source, I find that Tomcat builds its own custom version of this entire
> structure. In particular, it creates an SSLContext with a TrustManager array
> and KeyManager array. I will look at this code more carefully and come back
> with anything I find about how/whether it might be nudged to accept Client
> Certificates more flexibly. However, if Tomcat is playing deeply within
> JSSE, then it is not reasonable for anyone else to try to also play in the
> same space. So I will look for some not very well documented options, if
> any.

The call to SSLContext that you see is supported by the standard.
Tomcat has some wrapper classes around JSSE, but at its lowest it's just
using standard JSSE calls. You can review the code if you want, but as
I said, Tomcat isn't using any special options, and I do already know
how to get the behavior we want and still work within the JSSE spec.
The part I'm wrestling with now is a matter of scope: the change I'd
make to be in line with the JSSE spec would result in a global change
(global to the VM) for how SSL connections are handled, and that's not
acceptable to me.

I also know how to limit the scope, but as soon as I do the solution
becomes Tomcat specific as it requires the extension of a Tomcat
connector. So I'm just doing research now on how to balance these two
issues.

>>Not sure I follow this one. Are you suggesting the IdP not validate the
>>certs against the metadata?
>
> No, I am suggesting that they be validated by the Servlet from the Request
> rather than being validated deep in the JSSE stack. I can do that from the
> Client end, but do not believe it is reasonable to do from the Server end.

Oh, okay. Yeah on the server side we can't do this.

--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124
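For readers following the SSLContext / TrustManager discussion above, here is an added illustration (not code from this thread, from Tomcat, or from Shibboleth) of the "scoped" option Chad describes: a custom X509TrustManager for client certificates that is handed to one SSLContext via its TrustManager array, so nothing VM-wide changes. The global alternative would be to swap the default trust-manager implementation for the whole JVM (for example through the ssl.TrustManagerFactory.algorithm security property and a custom provider), which is the part Chad says is not acceptable. The "expected certificates" set is a hypothetical stand-in for whatever the IdP would derive from metadata; how the resulting SSLContext gets into Tomcat's connector is exactly the Tomcat-specific extension the message refers to and is not shown.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: client-certificate trust confined to a single SSLContext.
 * Not Tomcat's or Shibboleth's code. "expected" is a hypothetical allow-list
 * of client certificates (in the real system it would come from metadata).
 */
public final class ScopedClientCertTrust {

    /** Accepts a client leaf certificate only if it is in the expected set
     *  and currently valid. Outbound (server) checks stay with the default
     *  PKIX manager so normal HTTPS client behaviour is unchanged. */
    static final class ExpectedCertTrustManager implements X509TrustManager {
        private final X509TrustManager pkix;          // default JSSE manager
        private final Set<X509Certificate> expected;  // hypothetical allow-list

        ExpectedCertTrustManager(X509TrustManager pkix, Set<X509Certificate> expected) {
            this.pkix = pkix;
            this.expected = new HashSet<X509Certificate>(expected);
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty client certificate chain");
            }
            X509Certificate leaf = chain[0];
            leaf.checkValidity();                     // rejects expired/not-yet-valid
            if (!expected.contains(leaf)) {           // equals() compares DER encoding
                throw new CertificateException("client certificate not expected: "
                        + leaf.getSubjectX500Principal());
            }
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            pkix.checkServerTrusted(chain, authType);
        }

        /** CA names advertised in the CertificateRequest. Delegating keeps the
         *  default list; adjust if the expected certificates are self-signed. */
        public X509Certificate[] getAcceptedIssuers() {
            return pkix.getAcceptedIssuers();
        }
    }

    /** Builds an SSLContext whose client-cert policy lives only in this
     *  instance: no Security property or provider registration is touched. */
    static SSLContext build(KeyStore serverKeys, char[] keyPass,
                            Set<X509Certificate> expected) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeys, keyPass);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                    // JVM default trust store

        X509TrustManager pkix = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { pkix = (X509TrustManager) tm; break; }
        }
        if (pkix == null) throw new IllegalStateException("no X509TrustManager");

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(),
                 new TrustManager[] { new ExpectedCertTrustManager(pkix, expected) },
                 null);                               // default SecureRandom
        return ctx;
    }

    /** Server socket that demands a client certificate; the custom manager
     *  above decides whether the handshake completes. */
    static SSLServerSocket listen(SSLContext ctx, int port) throws Exception {
        SSLServerSocket s =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        s.setNeedClientAuth(true);
        return s;
    }
}
```

The design point is that every other SSLContext in the VM (including any created by Tomcat's own connector, or by outbound HTTP clients) keeps the stock trust behaviour; only sockets created from this context see the allow-list. A client whose certificate is not in the set fails the handshake, before any servlet runs, which is the "deep in the JSSE stack" validation the quoted text contrasts with checking the certificate from the request object afterwards.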



