Bug 64353 - Add support for accessing server certificate from TLS context
Summary: Add support for accessing server certificate from TLS context
Status: NEW
Alias: None
Product: Tomcat 10
Classification: Unclassified
Component: Connectors
Version: 10.0.0-M4
Hardware: All All
Importance: P2 enhancement
Target Milestone: ------
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2020-04-15 12:51 UTC by Michael Osipov
Modified: 2023-09-01 17:39 UTC

Description Michael Osipov 2020-04-15 12:51:28 UTC
Based on this discussion: https://www.mail-archive.com/users@tomcat.apache.org/msg134872.html

There should be an option to access the used server certificate from the current request being served by one TLS context. As easy as: request.getAttribute("magic_name")
Return would be, similar to client certs, X509Certificate or X509Certificate[].

This requires these changes (non-exhaustive):
* SSLSupport implementations
* Define a new property in SSLSupport and org.apache.catalina.Globals for the server cert
* org.apache.catalina.util.TLSUtil.isTLSRequestAttribute(String) and its callers
* org.apache.coyote.AbstractProcessor.populateSslRequestAttributes() to add new attribute to the request
* SSLValve to read server cert from reverse proxy, CGI var SSL_SERVER_CERT
* AJP and friends to deliver this piece of information
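The following servlet filter is an added illustration of how a deployment would consume the proposed attribute once it exists; it is not code from Tomcat or from the reporter. It reads the existing, standard client-certificate attribute (jakarta.servlet.request.X509Certificate) alongside the proposed server-certificate attribute, whose name is still undecided in this report and is therefore a labelled placeholder here. It accepts both return shapes the description mentions (a single X509Certificate or an X509Certificate[]) and logs the leaf certificate's subject and validity so an operator can spot a virtual host serving an expired or unexpected certificate from the request logs.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;

/** Logs which TLS certificates were involved in serving each secure request. */
public class TlsContextLoggingFilter implements Filter {

    // Standard Servlet-spec attribute for the client certificate chain (already present in Tomcat 10).
    static final String CLIENT_CERT_ATTR = "jakarta.servlet.request.X509Certificate";

    // PLACEHOLDER: the bug report has not yet chosen the attribute name for the server certificate.
    static final String SERVER_CERT_ATTR = "PLACEHOLDER_SERVER_CERT_ATTRIBUTE_NAME";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req.isSecure() && req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            X509Certificate[] server = asChain(http.getAttribute(SERVER_CERT_ATTR));
            X509Certificate[] client = asChain(http.getAttribute(CLIENT_CERT_ATTR));
            req.getServletContext().log("TLS request " + http.getRequestURI()
                    + " server=" + describe(server)
                    + " client=" + describe(client));
        }
        chain.doFilter(req, res);
    }

    /** Normalises the attribute value to a chain; either shape from the report is accepted. */
    static X509Certificate[] asChain(Object attr) {
        if (attr instanceof X509Certificate[]) {
            return (X509Certificate[]) attr;
        }
        if (attr instanceof X509Certificate) {
            return new X509Certificate[] { (X509Certificate) attr };
        }
        return null; // attribute absent: plain HTTP, no client auth, or feature not implemented
    }

    /** Short, log-friendly summary of the leaf certificate, including whether it is currently valid. */
    static String describe(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return "none";
        }
        X509Certificate leaf = chain[0];
        String validity;
        try {
            leaf.checkValidity();
            validity = "valid-until " + leaf.getNotAfter();
        } catch (CertificateException e) {
            validity = "INVALID (" + e.getClass().getSimpleName() + ")";
        }
        return "subject=\"" + leaf.getSubjectX500Principal().getName()
                + "\" issuer=\"" + leaf.getIssuerX500Principal().getName()
                + "\" chainLength=" + chain.length + " " + validity;
    }
}
```

Register the filter in web.xml or with an annotation as usual; until the attribute proposed in this report is implemented, the server side will simply log as "none" while the client-certificate path works today.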
Comment 1 Bhavesh 2023-09-01 17:39:50 UTC
Based on the discussion (https://www.mail-archive.com/users@tomcat.apache.org/msg142103.html) with Mark, please add the ability to get the SNI name used by TLS. For each request, this will give the application the ability to know the SNI hostname that was used to connect to the server.