From: Alain Baucant
To: Tomcat Developers List
Date: Fri, 16 Jan 2004 11:28:06 +0100
Subject: Re: SSL connector to check Certificate Revocation List
Message-ID: <4007BCB6.3040100@aubay.lu>
In-Reply-To: <008201c3dc10$39d2a740$b0b72b04@dslverizon.net>

Bill Barker wrote:
> ----- Original Message -----
> From: "Alain Baucant"
> To:
> Sent: Friday, January 16, 2004 12:13 AM
> Subject: SSL connector to check Certificate Revocation List
>
>> Is it possible to define a CRL to be checked by tomcat when using SSL ?
>
> Sounds like a good thing to add :).
>
>> If yes, with which tomcat version ?
>>
>> If no, is it planned ?
>
> Well, this is an O/S project :). If you're willing to provide a patch,
> probably soon. If you are waiting for me to provide a patch, probably
> whenever-I-have-time :).

I see two problems:

- If the CRL check (for SSL client auth) is done at the connector level (I'm not sure it will be the right patch) and not at the application level, I won't be able to catch a CRL check failure and redirect to a specific page. It's a problem I already encountered: if the https connection can't be established (because no client cert or ...), tomcat seems not to see the connection. So it doesn't redirect to an error page. And the application is not aware a connection has failed. But I'd like to redirect as many https connection failures as possible to a specific page. What do you think about it ?

- To do it properly, I'll need some help: where to patch the code, ... and I'm still not sure I'd do it right enough. But I could try (and try to find enough time, of course).

I'll tell you.

Alain.

>> I apologize for disturbing developers with this question but I didn't
>> receive any answer on tomcat-user.
>>
>> Thanks for your help,
>> Alain.
>>
>> PS: Where can I find a full description of configuration attributes of
>> the coyote connector ?

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org