tomcat-users mailing list archives

From stephan beal <step...@einsurance.de>
Subject Re: ssl keystore
Date Wed, 18 Jun 2003 08:27:38 GMT
On Tuesday 17 June 2003 18:55, Marc Dugger wrote:
> I am attempting to change the certificate against which a webapp
> authenticates itself.  I've gone as far as deleting the old key/cert
> from the keystore and imported a new one.  However, the webapp
> continues to use the old cert.  I've verified that the 'keystorefile'
> param on the SSL factory is defined correctly and restarted the
> server repeatedly. What else could I be missing?

Hi, Marc!

i once had a similar problem with a cert under Apache, and it turned out 
that i literally had to reboot the machine to get the new cert to be 
visible. Apparently libssl simply wouldn't let go of it. i theorize 
that the problem was that libssl had the cert open, and therefore 
deleting/replacing the file didn't really delete the open filehandle 
(thus libssl was seeing the old cert). That's just theory, though - i 
never did find out for 100% certain.

You can see a similar behaviour in your system logger if you 'rm 
/var/log/messages', for example - the syslogger is still writing to the 
old filehandle, and restarting the syslogger will solve the problem. 
Since one cannot restart libssl, this theory makes sense, assuming 
that libssl actually keeps an open filehandle on the cert.

-- 
----- stephan
The Guy With No Job Title
stephan@einsurance.de - http://www.einsurance.de
Student: "Master, you must teach me the way of liberation!"
Master:  "Tell me who it is that binds you."
Student: "No one binds me!"
Master:  "Then why do you seek liberation?"
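
The open-filehandle behaviour theorized in the reply above can be reproduced and checked for on a POSIX system. This is an added example, not part of the original message; it shows only the general file-system behaviour and makes no claim about what libssl or Tomcat do. The file name `server.crt`, the helper `handle_is_stale` and the file contents are constructed for illustration.

```python
import os
import tempfile


def handle_is_stale(fd, path):
    """True if the open descriptor no longer refers to the file now at path."""
    held = os.fstat(fd)
    try:
        current = os.stat(path)
    except FileNotFoundError:
        return True  # path was unlinked; the descriptor keeps the old data alive
    # Same device and inode means the descriptor and the path are the same file.
    return (held.st_dev, held.st_ino) != (current.st_dev, current.st_ino)


def demo():
    """Replace a constructed 'certificate' file while a reader holds it open."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "server.crt")  # hypothetical file name
        with open(cert, "w") as f:
            f.write("OLD-CERT (constructed sample)\n")

        reader = open(cert)  # stands in for a long-running process
        try:
            stale_before = handle_is_stale(reader.fileno(), cert)

            # Typical rotation: write the new file, then rename it over the old one.
            tmp = cert + ".new"
            with open(tmp, "w") as f:
                f.write("NEW-CERT (constructed sample)\n")
            os.replace(tmp, cert)

            # The held descriptor still reads the old inode's contents.
            seen_by_reader = reader.read().strip()
            with open(cert) as f:
                seen_on_disk = f.read().strip()
            stale_after = handle_is_stale(reader.fileno(), cert)
        finally:
            reader.close()
    return stale_before, seen_by_reader, seen_on_disk, stale_after


if __name__ == "__main__":
    print(demo())
```

A process that reopens the path after the swap sees the new contents, so comparing the inode of a held descriptor with the inode currently at the path is a quick way to confirm whether a rotation has actually been picked up.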

