SSL Client Cert Verification

2009-03-12 Thread Michael Coates

All,

I'm looking to issue guidance on Tomcat and verification of client 
certificates. I'm curious if Tomcat is performing the following validation 
actions when a client cert is received. I took a look through the code and 
didn't find my answer.

Here's what I hope is happening for client certificate verification:

1. Verify validity of client cert and each cert in client cert chain (this 
appears to be happening in RealmBase.java, authenticate)

2. Verify certs in cert chain are actually authorized to issue certificates (i.e. 
Subject type = CA). I didn't see this in the code.

3. Verify that none of the certs are on a certificate revocation list. Perhaps 
this is a configuration item.

I'm wondering if someone could point me in the right direction. Specifically, 
is step 2 taking place somewhere in code that I don't see? Also, if step 3 is a 
configuration issue, I will post that question on the appropriate list.

Thanks,

Michael Coates
Senior Application Security Engineer
michael.coa...@aspectsecurity.com
(301) 604-4882 (work) 
(630) 207-2567 (cell) 
 
Aspect Security™
http://www.aspectsecurity.com
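For readers following up on the three checks above: with a JSSE connector and client authentication enabled, the chain is validated by the JDK's PKIX trust manager during the TLS handshake rather than in RealmBase, and the same PKIX engine can be driven directly as in the added example below, which is not code from the thread or from Tomcat. It assumes the chain was read from the Servlet request attribute "javax.servlet.request.X509Certificate" and that CRL files for the issuing CAs are available locally.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import java.util.List;

public class ClientCertCheck {

    /**
     * Checks a client chain with the JDK's PKIX CertPathBuilder: (1) signature and
     * validity period of every certificate, (2) every issuer must carry
     * basicConstraints cA=true and a keyUsage allowing keyCertSign, which RFC 5280
     * path validation enforces, and (3) CRL-based revocation. Throws
     * CertPathBuilderException if any check fails, including when no CRL covering
     * a certificate in the path is available (fail closed).
     *
     * @param chain leaf first, as found under the Servlet request attribute
     *              "javax.servlet.request.X509Certificate"
     * @param trustStore key store holding the accepted CA certificates
     * @param crls CRLs issued by the CAs in the chain
     */
    public static PKIXCertPathBuilderResult validate(X509Certificate[] chain,
            KeyStore trustStore, List<X509CRL> crls) throws Exception {
        // The target of the path is the client's end-entity certificate.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain[0]);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        // Intermediates the client sent are only candidates; the builder decides
        // which of them chain up to a trust anchor (checks 1 and 2).
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(chain))));
        // Revocation checking consults CRLs from the registered cert stores (check 3).
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        params.setRevocationEnabled(true);
        return (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
    }

    /** Loads one DER or PEM encoded CRL file; the path is a placeholder. */
    public static X509CRL loadCrl(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }
}
```

The JSSE connector itself accepts a crlFile attribute for the handshake-time revocation check, so the explicit call is mainly useful for auditing what the container already enforces.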

Re: JSP:includes parameter passing vulnerability

2010-09-15 Thread Michael Coates
Thanks for your reply. Will do. Moving conversation to user list.

Michael Coates
OWASP

On 9/15/10 11:59 AM, Tim Funk wrote:
> There is no issue. If there is a typo in the developer code, there is
> a typo in the code. And sometimes typos cause security issues. As a
> general rule, any code which is user provided should be validated and
> output escaped.
>
> This is a topic which should be discussed on the user list.
>
> -Tim
>
> On 9/15/2010 2:36 PM, Michael Coates wrote:
>>
>> Tomcat list,
>>
>>
>> It seems to me that the method used to request parameters from an
>> included jsp file should not "fail over" to the URL if the jsp:include
>> does not provide the parameter.
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>