tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Tomcat and CRL(s) Certification Revocation Lists
Date Sat, 06 May 2006 19:07:19 GMT

>"Jack" <jack.godau@gmail.com> wrote in message 
>news:bdea7920605050731w493e4d68r464887bf7fdf4d1a@mail.gmail.com...
>Hi,
>
>I have already gotten Tomcat to work with a (single) CRL, and as it
>was a bit of a struggle have placed some info for those trying to do
>this at [1]. The document is far from perfect, and any comments are
>welcome.
>
>Now to the questions:
>1. Is it possible to swap out the CRL (ie overwrite it with a newer
>one) and have the changes picked up without a restart?
>

Not currently.  The CRL list is read at startup, and handed off to the 
TrustStore.

>1.a. if a restart is needed is it enough to restart Tomcat or jboss be
>restarted?
>

Actually, just the Connector needs to be restarted (so Tomcat in your case).

>
>
>2. Is it possible to use multiple CRLs (by pointing at a directory for 
>example)?
>

Not currently.  Tomcat just takes a single file at the moment.

>2.a. if so would changes to this directory be dynamically read?
>

To avoid bouncing the Connector, it would require a specialized CertStore 
implementation.  Neither "Collection" or "LDAP" (which Tomcat doesn't 
currently support either :) really do what you want.

>2.b. if not where is a good place (for me) to start looking at how to
>implement this?
>

All of the CRL code is in o.a.t.u.net.jsse.JSSE15SocketFactory (found under 
connectors/util in the source distro).  Knock yourself out ;-).

>
>I would like to somehow have dynamic CRL loading (so something that
>can do this without restarting either jboss or tomcat). I am not picky
>as to it being a single CRL or a directory of same.
>
>--
>Cheers
>Jack...
>
>The claim "natural" is not synonymous with safe.
>
>
>[1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message