tomcat native/APR connector for SOAP requests / resolvertest

Chad La Joie lajoie at itumi.biz
Mon Feb 27 19:09:49 GMT 2012


On Mon, Feb 27, 2012 at 13:48, Peter Schober <peter.schober at univie.ac.at> wrote:
> I've set up a new IdP for someone and noticed that the Tomcat Native
> http://tomcat.apache.org/tomcat-6.0-doc/apr.html accepts an
> SSLVerifyClient parameter with "optionalNoCA" as an argument.
> Can anyone comment on whether this may or may not be usable instead
> of the DelegateToApplication extension (or fronting Tomcat with
> httpd)?
> I don't know if that passes though all necessary data (the public key
> itself, mainly) since I didn't see a corresponding "ExportCertData"
> SSLOption, which mod_ssl provides.

To the best of my knowledge it is usable.  We haven't ever recommended
it before because it only works on systems for which the library is
compiled, requires special configuration, and I don't think can be
paired with client-cert auth.  To keep from fragmenting the docs we
just went with a solution that works everywhere.  In addition, in this
case, the native connector is actually *slower* than the Java version
because all that OptionalNoCA does is turn off the failure mode when
the check fails; it does not turn off the actual check (or at least
didn't the last time we looked).

I have no comment about resolvertest itself as I don't use it.

-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
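Added example, not code from this thread, Shibboleth or Tomcat: since SSLVerifyClient="optionalNoCA" on the APR connector lets the handshake complete for a client certificate that chains to no configured CA, the application has to make the trust decision itself. The hypothetical servlet filter below does that by pinning the presented certificate's public key against a set of known keys; the digest value is a constructed placeholder, and the request attribute name is the one defined by the Servlet specification.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, not Shibboleth or Tomcat code. With SSLVerifyClient="optionalNoCA"
// the connector completes the handshake even if the client cert chains to no configured CA,
// so the application is where trust is decided: admit a request only when the presented
// certificate carries a public key the deployment already trusts (e.g. from SP metadata).
public class ClientCertKeyFilter implements Filter {
    // Constructed placeholder: hex SHA-256 of the DER SubjectPublicKeyInfo of each trusted key.
    private static final Set<String> TRUSTED_SPKI_SHA256 =
            new HashSet<String>(Arrays.asList("<spki-sha256-hex-placeholder>"));

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Servlet-spec attribute filled from the TLS handshake; element 0 is the client's own cert.
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0 || !isTrusted(certs[0])) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    static boolean isTrusted(X509Certificate cert) {
        try {
            cert.checkValidity(); // a known key on an expired cert is still rejected
            byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return TRUSTED_SPKI_SHA256.contains(toHex(digest));
        } catch (CertificateException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Because the connector still runs the chain check and only suppresses its failure, a request that reaches this filter with an untrusted certificate is exactly the case the filter must refuse.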

