tomcat-users mailing list archives

From "Kennedy Roberts" <krobe...@syrres.com>
Subject Re: Certificate Revocation Lists in Tomcat 5.5
Date Fri, 02 Dec 2005 15:19:31 GMT
I've gotten it to work!! (Well, mostly :)  )

The last problem that I was having (below) is that the parameter in the 
server.xml file should have been crlFile rather than crlFiles (with an 's'). 
Now, when I point to a CRL file in the server.xml file and then try to 
access the site with a revoked cert, I am refused.  So, Tomcat 5.5.12 does 
support CRLs, but it takes some extra work.

Now, one last question that maybe someone can answer...

As you may have guessed by the error I made above (adding the 's' to 
crlFile), I want to be able to point to multiple CRL files.  Ideally, point 
to a directory which contains multiple CRL files.  I don't see any way to do 
this.  Does anyone know of a way?  If I can get this last part, I will be 
golden.

Thanks again everyone for your help.

-Kennedy
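
The check described in this thread (confirm with OpenSSL that the CRL actually lists the user certificate, then see the revoked certificate refused) reproduced end to end against a throwaway CA, as an added example that is not from the original thread and not Tomcat's own code. Everything here is constructed for the demo: the WORK directory, the "Demo CA" and client names, and the minimal `openssl ca` configuration. It does not add any multi-CRL option to Tomcat; it only shows how to verify, before pointing `crlFile` at a CRL, that the file is well-formed, is signed by the issuing CA, and really revokes the certificate you expect, and what a non-revoked certificate from the same CA looks like under the same check.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomcat): build a throwaway CA,
# issue two client certs, revoke one, generate a CRL with openssl, and check
# both certs against that CRL. WORK and every file name are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

crl_demo() {
    # 1. Self-signed CA (demo only).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

    # 2. Two client certificates signed by the CA.
    for name in revoked good; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name client" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
        openssl x509 -req -days 30 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/$name.pem" 2>/dev/null
    done

    # 3. Minimal 'openssl ca' configuration: just enough state to keep a
    #    revocation database and sign a CRL.
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 7
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"

    # 4. Revoke one certificate and publish the CRL.
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/revoked.pem" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null

    # 'openssl verify' reads CRLs from the trust file, so bundle CA cert + CRL.
    # (Tomcat takes the CRL on its own via crlFile; the bundle is only for openssl.)
    cat "$WORK/ca.pem" "$WORK/crl.pem" > "$WORK/ca_with_crl.pem"
}

# Serial numbers listed as revoked in the CRL (the check made by hand above).
crl_serials() {
    openssl crl -in "$WORK/crl.pem" -noout -text | awk '/Serial Number:/ { print $3 }'
}

# Serial number of a PEM certificate, in the same hex form as crl_serials.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Chain + revocation check for one certificate: prints valid, revoked or error.
check_cert() {
    out=$(openssl verify -crl_check -CAfile "$WORK/ca_with_crl.pem" "$1" 2>&1) \
        && { echo valid; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

# Stand-alone run: list the revoked serials and give the verdict for both certs.
crl_demo
echo "revoked serials in CRL: $(crl_serials)"
for name in revoked good; do
    echo "$name.pem -> $(check_cert "$WORK/$name.pem")"
done
```

The serial printed by `crl_serials` should match `cert_serial` of the revoked certificate and nothing else; if it does not, the CRL was issued by a different CA or the wrong certificate was revoked, and no server configuration will rescue that. `check_cert` returns `revoked` only for the explicit "certificate revoked" verdict, so an expired CRL, a wrong issuer or a broken chain shows up as `error` rather than being mistaken for a revocation.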


----- Original Message ----- 
From: "Kennedy Roberts" <kroberts@syrres.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, December 01, 2005 2:18 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5


> Ok, hopefully I am getting close:
>
> I have recompiled the tomcat-util.jar using the 1.5 JDK.  I have looked at 
> the contents of the jar and it does now include the JSSE15Factory and 
> JSSE15SocketFactory classes.  The version of the tomcat-util.jar that came 
> with Tomcat 5.5.12 did not even have these files in it.  So, I take that 
> to mean that the recompilation was a success.
>
> I place this jar in the {tomcat.home}/server/lib directory and restarted 
> Tomcat AND my webapp.  I've also added the following to my 
> {tomcat.home}/conf/server.xml file:
>
> crlFiles="C:\crl.txt"
>
> This crl.txt is a CRL which I have confirmed (using openSSL) contains one 
> of my user certificates.
>
> ...and it's still not working.  I put a System.out.println() statement in 
> the JSSE15SocketFactory to see if it is getting called, but I'm not seeing 
> this statement in the log, as if this class isn't getting called.
>
> Any ideas?  I think I'm close to getting this working, and looking through 
> the archives, a definitive solution to this problem would help a bunch of 
> people out!
>
> Thanks,
>
> Kennedy
>
>
> ----- Original Message ----- 
> From: "Martin Dubuc" <martind1111@yahoo.com>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Tuesday, November 29, 2005 3:11 PM
> Subject: RE: Certificate Revocation Lists in Tomcat 5.5
>
>
>> CRL support is present in Tomcat 5.5.12.
>>
>> I am not an expert on Tomcat CRL support but what I
>> know is the following:
>>
>> - You will need to recompile some of the
>> tomcat-util.jar classes with JDK 1.5 because Tomcat
>> 5.5.12 was compiled with JDK 1.4. The classes to be
>> recompiled are:
>> org.apache.tomcat.util.net.jsse.JSSE15Factory and
>> org.apache.tomcat.util.net.jsse.JSSE15SocketFactory
>> classes.
>> - The crlFile property needs to be added inside your
>> SSL Connector in the server.xml file. The value is the
>> location of the CRL file on your system.
>>
>> Regards,
>>
>> Martin
>>
>> --- "Duan, Nick" <NDuan@mcdonaldbradley.com> wrote:
>>
>>> Tomcat currently doesn't support cert validation against CRL.  You may
>>> want to use Apache's mod_ssl to do the CRL checking.  You will have to
>>> use mod_jk to connect Apache web server with tomcat.
>>>
>>> SSL is very computationally intensive.  Using Apache's httpd to do the
>>> SSL work is more efficient than using Java-based tomcat.
>>>
>>> ND
>>>
>>> -----Original Message-----
>>> From: Kennedy Roberts [mailto:kroberts@syrres.com]
>>> Sent: Tuesday, November 29, 2005 10:55 AM
>>> To: users@tomcat.apache.org
>>> Subject: Certificate Revocation Lists in Tomcat 5.5
>>>
>>> Hi all,
>>>
>>>     We've recently migrated our (SSL enabled) web application from
>>> SunOne to Tomcat 5.5, and I can't find any information on handling
>>> Certificate Revocation Lists in Tomcat.  In SunOne, there was a
>>> function in the administration console that let you import a CRL.
>>> Is there any equivalent in Tomcat, or perhaps some other command line
>>> equivalent?
>>>
>>> Thanks for your help.
>>>
>>> -Kennedy
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail:
>>> users-help@tomcat.apache.org
>>>
>>
> 

