SSL-HTTPS Java Web Server - Help Needed

Richard D. Brown (rdbrown@GlobeSet.com)
Fri, 12 Jun 1998 15:35:26 -0500

From: "Richard D. Brown" <rdbrown@GlobeSet.com>
To: "'java-security@java.sun.com'" <java-security@web3.javasoft.com>
Subject: SSL-HTTPS Java Web Server - Help Needed
Date: Fri, 12 Jun 1998 15:35:26 -0500

Hello,

I must have missed something ...

Before getting to the problems raised by the solution envisioned for
solving an earlier problem, let's talk about the original objective.

We are willing to build a monitor that is able to establish (client) or
accept (server) HTTPS connections (HTTP 1.1, SSLv3). The SSLv3 handshake
(with client authentication) shall be enhanced in that the certificate
chain of the peer shall be further verified and authorized by accessing an
LDAP directory service (v3 compliant).

At a first look, it seems that a Java Web Server (+extensions) has all the
components that we are looking for: HTTP 1.1 protocol handler, SSLv3
sockets (client and server), LDAPv3 client (JNDI).

At a second look, everything is getting a little bit more confusing. It
seems that being able to supervise the handshake (client or server side)
requires programming at the SSL socket level by setting up a handshake
completion event listener and/or retrieving certificate information from
the SSL session that is accessible from the SSL socket.

Programming at the SSL socket level raises at least two questions:

1 - an SSL socket does not implement any particular protocol (http, ftp,
...). It offers only an SSL-TCP stream. So, how do I benefit from the HTTP
1.1 protocol handler built into the server?

2 - the SSL server socket is actually instantiated and managed by the web
server. So, how do I get access to this socket for enabling a handshake
completion event listener?

At a third look, it appears that if the JVM is SSL enabled then an HTTPS
protocol handler shall be recognized and, therefore, regular programming
through URL and URLConnection shall work just fine (for the client). This
however raises a new problem. How do I retrieve further information about
the peer from a URLConnection?

A similar problem needs to be addressed on the server side: how could a
servlet access certificate information whenever a connection happens through
SSL with client authentication?

I've been looking around for quite a while and I can't figure my way out.
Has anybody experience in this matter? Help surely appreciated.

Thanks,

Richard D. Brown
Senior System Architect
GlobeSet, Inc.
1250 S. Capital of Texas Hwy.
Building 1, Suite 300
Austin, Texas 78746
Phone: (512)427-5173
Fax: (512)427-5101
mailto:rdbrown@globeset.com
http://www.GlobeSet.com