Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "JNDI_startTLs_HowTo" page has been changed by FelixSchumacher. The comment on this change is: Corrected Name and added a note about certificate/hostname check.. http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo?action=diff&rev1=2&rev2=3 -------------------------------------------------- contextFactory="tc.startTLS.LdapTlsContextFactory /> }}} - Using the code provided by Felix Schumann in this post: http://www.mail-archive.com/us...@tomcat.apache.org/msg80693.html - You can download it here: [[attachment:LdapTlsContextFactory.java]]. + Using the code provided by Felix Schumacher in this post: http://www.mail-archive.com/us...@tomcat.apache.org/msg80693.html - You can download it here: [[attachment:LdapTlsContextFactory.java]]. - We have to compile it into a JAR and put in a place where Tomcat can find it: `lib`. Then we simply reference its full name in `contextFactory`. `LdapTlsContextFactory` will now do the negotiation initialization. Afterwards the created object will be used for every authentication attempt. + We have to compile it into a JAR and put in a place where Tomcat can find it: `lib`. Then we simply reference its full name in `contextFactory`. `LdapTlsContextFactory` will now do the negotiation initialization. Afterwards the created object will be used for every authentication attempt. Beware that the code will not check the hostname of the server with respect to its certificate. If you don't want this behaviour remove the call to `tls.setHostNameVerifier(...)`. == Further Steps == The code probably needs auditing. More testing. And definitely more tightening: e.g.: When starting the negotiation the client (Tomcat + `LdapTlsContextFactory`) sends an `SSLv2Hello`, which is anything but desirable. This could be due to Sun’s poor defaults in their SSL implementation, an oversight in the code, or because I’ve missed out a JVM startup options. 
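Review bot: the hostname note added in the second `+` line leaves the safe direction unclear; "If you don't want this behaviour remove the call to `tls.setHostNameVerifier(...)`" reads as an optional tweak, while removing that call is what restores the check of the server certificate against the LDAP host name and should be presented as the recommended default. Suggest wording it as: the attached `LdapTlsContextFactory` installs a permissive verifier; without that call the JNDI StartTLS default verifier compares the certificate to the host name; leaving the check disabled lets any host holding a certificate the JVM trusts pose as the directory server during authentication. If the factory uses `javax.naming.ldap.StartTlsResponse`, the method is spelled `setHostnameVerifier`, so the text should match the actual call. Separately, the context line `contextFactory="tc.startTLS.LdapTlsContextFactory />` is missing the closing double quote of the attribute value, so the Realm snippet as shown would not parse.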
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org