https://issues.apache.org/bugzilla/show_bug.cgi?id=48208
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #3 from Mark Thomas <ma...@apache.org> 2011-01-29 07:19:18 EST ---
Then we disagree. Regardless of the complexity of the rules you may wish to
apply, for there to be any security at all the client certificates have to be
issued by a trusted certificate authority.

The AcceptAllTrustManager is sufficiently insecure and its use sufficiently
dangerous that I do not believe it should be part of the standard Tomcat
distribution.

There should be sufficient scope within the current configuration options to
install a custom trust manager although I haven't investigated this. If that
process is excessively painful then I think an acceptable approach would be to
add support for a trustManagerClassName attribute that would override the call
to TrustManagerFactory.getTrustManagers() in a similar way to the above patch.
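
The point made in the comment above, as an added example that is not code from the bug report, the patch or Tomcat: a custom trust manager can apply extra rules while still requiring that the client certificate chain to a trusted CA. The class name DelegatingTrustManager and the issuer rule are hypothetical, and how such a class would be wired into Tomcat is not shown.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

// Hypothetical class: adds a site-specific rule on top of normal CA chain
// validation instead of replacing that validation.
public final class DelegatingTrustManager implements X509TrustManager {
    private final X509TrustManager pkix;          // performs the real chain validation
    private final X500Principal requiredIssuer;   // assumed extra rule: one permitted issuing CA

    public DelegatingTrustManager(KeyStore trustStore, String requiredIssuerDn)
            throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                     // only CAs in this store are trusted
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.pkix = found;
        this.requiredIssuer = new X500Principal(requiredIssuerDn);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // An accept-all manager returns here without checking anything.
        // Validate the chain against the trusted CAs first; this throws on failure.
        pkix.checkClientTrusted(chain, authType);
        // The custom rule runs only after the chain is known to lead to a trusted CA.
        X500Principal issuer = chain[0].getIssuerX500Principal();
        if (!requiredIssuer.equals(issuer)) {
            throw new CertificateException("issuer not permitted: " + issuer.getName());
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        pkix.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return pkix.getAcceptedIssuers();         // CA names offered to clients in the handshake
    }
}
```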