jakarta-watchdog-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ryan Lubke <rlu...@notshabby.net>
Subject Re: Testing SRV 4.7 (SSL Attributes)
Date Wed, 25 Sep 2002 00:25:14 GMT
Jason,

The official TCK (and Watchdog) do not perform any SSL testing as this 
is not a requirement of Servlet containers unless they are a part of a 
J2EE environment.  Please reference the following sections in the 
2.3/2.4 specifications:

Servlet 2.3/2.4            
----------------        
SRV.1.2                    
SRV.12.5.4                

Watchdog could potentially add these sort of tests as it's not an 
official TCK, however, I think that would defeat the original idea 
behind Watchdog.  Of course that doesn't mean a particular projects 
goals cannot change.

-rl

Jason Hunter wrote:

>Hi all,
>
>It's come to my attention that most servlet container vendors totally
>ignore the requirements laid out Servlet API 2.3 SRV 4.7.  These
>requirements are to expose various attributes of an SSL connection via
>the javax.servlet.request.cipher_suite, javax.servlet.request.key_size,
>and javax.servlet.request.X509Certificate request attributes.
>
>My theory is that server vendors don't support this requirement because
>Watchdog (and presumably the official TCK) don't actually check it, thus
>giving server vendors a false sense of compatibility.  Whether my
>theory's true or not, I'm confident that if Watchdog (and thus the
>official TCK) started checking this requirement then soon enough all
>servlet container vendors would support it.  I think that's pretty
>important because banks and such need access to these attributes to
>ensure a secure connection.
>
>To that end, I'd like to get a sense of the thoughts here for if
>Watchdog can add these sorts of tests.  I don't actually see any
>SSL-based tests happening right now, but perhaps I'm not looking in the
>right place.  Was that intentional, because of the difficulty setting up
>an SSL server?  Is there another reason not to test for the SSL-related
>requirements?  How much work would it be to add SSL-related testing? 
>I'm happy to help to the extent I have time, but would appreciate
>hearing the conventional wisdom surrounding these issues.
>
>-jh-
>
>--
>To unsubscribe, e-mail:   <mailto:watchdog-dev-unsubscribe@jakarta.apache.org>
>For additional commands, e-mail: <mailto:watchdog-dev-help@jakarta.apache.org>
>
>
>
>.
>
>  
>



--
To unsubscribe, e-mail:   <mailto:watchdog-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:watchdog-dev-help@jakarta.apache.org>


Mime
View raw message