X509 Authn in IDPv3

Cantor, Scott cantor.2 at osu.edu
Wed Apr 6 11:12:30 EDT 2016

On 4/6/16, 11:06 AM, "users on behalf of Mike Wiseman" <users-bounces at shibboleth.net on behalf of mike.wiseman at utoronto.ca> wrote:

>Yes, I'm leaning towards using 'Tomcat-only' for IdP operation mainly for this purpose - handling TLS client authentication, which is our principal MFA method. I could use Jetty but am not comfortable/experienced with using it for client auth handling. I also tried httpd/mod_ssl over HTTPS (instead of AJP) to Jetty - had trouble with that.

You can't do it with HTTP proxying, that would literally mean TLS was broken if you could.

I have examples lying around of using client TLS on the front-channel with Jetty, but it was brutally confusing. I have no idea whether Tomcat is easier to do it with, I suspect it's just as bad but you happen to know what it looks like.

The biggest problem they all have is that the implementations and configurations are designed by people that understand certificates and PKI about as well as I understand particle physics, so it's just....bad. The trust assumptions they make are just embarrassingly broken.

But none of this has anything to do with the OP's problem, that's a "that Tomcat is flat broken" issue.

-- Scott
