tomcat-users mailing list archives

From "Kennedy Roberts" <krobe...@syrres.com>
Subject Re: Certificate Revocation Lists in Tomcat 5.5
Date Wed, 30 Nov 2005 19:49:43 GMT
Martin,

Thanks again for your input.  The reason I ask about "quirks" is because I 
have seen examples using crlFiles (note the 's') rather than crlFile.  The 
value for this parameter then used a wildcard to point to all of the files 
in a certain directory.  Have you seen it used like this?

And just to clarify: once I do have a CRL, if I point to it in this manner, 
and also have client authentication enabled, I should be barred from 
accessing the site with a revoked certificate, correct?

Thanks,

Kennedy


----- Original Message ----- 
From: "Martin Dubuc" <martind1111@yahoo.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Wednesday, November 30, 2005 2:45 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5


> 1) crlFile is a standard parameter for Connector since
> Tomcat 5.5.10 if my recollection is right.
>
> 2) There are no quirks in using it.
>
> Martin
>
> --- Kennedy Roberts <kroberts@syrres.com> wrote:
>
>> After doing some research, I have found a few examples of
>> {tomcat.home}/conf/server.xml files online that use the "crlFiles" param as
>> part of a connector.  Is this a standard parameter that can be used in the
>> server.xml file?  I ask because the sites where I have found these examples
>> are not clear in whether this is some "added" functionality.  The reason I
>> don't try it out myself is because at this point I don't have a CRL which
>> contains any of the certificates we use in our development environment.
>>
>> To summarize:
>>
>> 1)  Is the crlFiles param a standard <connector> element?
>>
>> 2) Has (does) anyone use this param, and are there any quirks to using it?
>>
>> Thanks,
>>
>> Kennedy
>>
>>
>> ----- Original Message ----- 
>> From: "Martin Dubuc" <martind1111@yahoo.com>
>> To: "Tomcat Users List" <users@tomcat.apache.org>
>> Sent: Tuesday, November 29, 2005 3:11 PM
>> Subject: RE: Certificate Revocation Lists in Tomcat 5.5
>>
>>
>> > CRL support is present in Tomcat 5.5.12.
>> >
>> > I am not an expert on Tomcat CRL support but what I
>> > know is the following:
>> >
>> > - You will need to recompile some of the tomcat-util.jar classes with
>> > JDK 1.5 because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be
>> > recompiled are:
>> > org.apache.tomcat.util.net.jsse.JSSE15Factory and
>> > org.apache.tomcat.util.net.jsse.JSSE15SocketFactory
>> > classes.
>> > - The crlFile property needs to be added inside your
>> > SSL Connector in the server.xml file. The value is the
>> > location of the CRL file on your system.
>> >
>> > Regards,
>> >
>> > Martin
>> >
>> > --- "Duan, Nick" <NDuan@mcdonaldbradley.com> wrote:
>> >
>> >> Tomcat currently doesn't support cert validation against CRL.  You may
>> >> want to use Apache's mod_ssl to do the CRL checking.  You will have to
>> >> use mod_jk to connect Apache web server with tomcat.
>> >>
>> >> SSL is very computationally intensive.  Using Apache's httpd to do the SSL
>> >> work is more efficient than using Java-based tomcat.
>> >>
>> >> ND
>> >>
>> >> -----Original Message-----
>> >> From: Kennedy Roberts [mailto:kroberts@syrres.com]
>> >> Sent: Tuesday, November 29, 2005 10:55 AM
>> >> To: users@tomcat.apache.org
>> >> Subject: Certificate Revocation Lists in Tomcat 5.5
>> >>
>> >> Hi all,
>> >>
>> >>     We've recently migrated our (SSL enabled) web application from SunOne to
>> >> Tomcat 5.5, and I can't find any information on handling Certificate
>> >> Revocation Lists in Tomcat.  In SunOne, there was a function in the
>> >> administration console that let you import a CRL.  Is there any equivalent
>> >> in Tomcat, or perhaps some other command line equivalent?
>> >>
>> >> Thanks for your help.
>> >>
>> >> -Kennedy
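
An added example, not part of the original thread, for the situation described in it where no CRL lists any development certificate: the script uses the `openssl` CLI to build a throwaway CA, issue a client certificate, revoke it and regenerate the CRL, and reports the certificate's status against the current CRL. The CA, subject names and file layout are constructed for the lab; the resulting `crl.pem` is the kind of file the Connector's crlFile value would point to.

```shell
#!/bin/sh
# Added example: constructed lab CA; all names and paths here are placeholders.
lab_init() {   # $1 = empty working directory
  d=$1; mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = lab
[ lab ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=Lab CA" \
    -days 30 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=dev-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/client.csr" \
    -out "$d/client.pem" 2>/dev/null
  gen_crl "$d"   # initial CRL with no revoked entries
}
# Re-issue the CRL from the CA database (index.txt).
gen_crl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }
# Mark the client certificate revoked, then publish a fresh CRL.
revoke_client() { openssl ca -config "$1/ca.cnf" -revoke "$1/client.pem" 2>/dev/null && gen_crl "$1"; }
# Prints "valid", "revoked" or "error" for the client cert against the current CRL.
client_status() {
  out=$(openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" "$1/client.pem" 2>&1) || true
  case $out in *revoked*) echo revoked ;; *": OK"*) echo valid ;; *) echo error ;; esac
}
# Usage: d=$(mktemp -d); lab_init "$d"; client_status "$d"; revoke_client "$d"; client_status "$d"
```

To test the server side, the lab CA certificate has to be in the trust store used for client authentication, and the same client certificate is presented before and after revocation.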