
shibboleth-dev - RE: Tomcat and certificate validation for SSL

Subject: Shibboleth Developers

  • From: "Scott Cantor"
  • To: "'Howard Gilbert'", "'Chad La Joie'"
  • Subject: RE: Tomcat and certificate validation for SSL
  • Date: Tue, 14 Jun 2005 11:37:50 -0400
  • Organization: The Ohio State University

> I want to take back some of the things I said. Upon digging into Tomcat
> source, I find that Tomcat builds its own custom version of this entire
> structure. In particular, it creates an SSLContext with a TrustManager array
> and KeyManager array. I will look at this code more carefully and come back
> with anything I find about how/whether it might be nudged to accept Client
> Certificates more flexibly. However, if Tomcat is playing deeply within
> JSSE, then it is not reasonable for anyone else to try to also play in the
> same space. So I will look for some not very well documented options, if
> any.

One might argue that patching Tomcat to support this use case is not much
different than extending it with APIs that are not really for public use
anyway. Both are probably version specific. A simple patch to get it to look
for an option and use a null TrustManager ought to do it.

Maybe we can even convince them to accept a patch so that it will offer a
"no_ca" option.

-- Scott



