From: "John Weaver"
To: users@tomcat.apache.org (Tomcat Users List)
Date: Mon, 28 May 2007 14:32:58 +1200
Subject: Certification Revocation lists and tomcat.
Message-ID: <747fd2790705271932jdc8d8f5v8f20437a09abc13d@mail.gmail.com>

Hi there,

I have Tomcat 5.5 running under Windows 2003. I'm using the APR. I set up a VM to test my setup, and got it working successfully.

The setup / plan:

- Tomcat 5.5 forcing SSL/TLS when pointed at a particular URL pattern (working fine)
- requiring a valid certificate from the client before establishing the secure session (working fine)
- when a client certificate is revoked, it needs to recognise this within a reasonable period of time (worked fine originally, but no longer)

I am using the Windows 2003 CA to issue the client certificates; I also issued the server certificate using the same CA.

The VM I set up originally worked great: I could revoke a certificate, then connect back using the browser with that certificate, and it would detect that the certificate was now revoked and block access in what was effectively real time. Now, however, it won't pick up the certificates that have been revoked until the engine is restarted.

Does anyone know what setting I've missed or which configuration option is wrong here? Why would it only be picking up the changes to the CRL when the engine gets started (or stopped, then started again)?

Failing that, is there a configuration option within Tomcat / OpenSSL where I can tell it how regularly to refresh CRL subscriptions? (I have looked and googled and cannot find it.)

Any help at all greatly appreciated.

Cheers,
John.
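For reference, a server.xml fragment for the kind of setup described in the post (APR/OpenSSL connector, client certificate required, revocation checked against a CRL file). This is an added example, not the poster's configuration: the attribute names follow the Tomcat APR connector documentation, while the port, file paths and password are placeholders.

```xml
<!-- Added example, not the poster's server.xml. Port, paths and password are placeholders. -->

<!-- Load the APR / tomcat-native library and initialise its OpenSSL engine. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />

<!-- HTTPS connector backed by OpenSSL through APR.
     SSLVerifyClient="require" : the handshake fails unless the client presents
                                 a certificate chaining to a CA in SSLCACertificateFile.
     SSLCACertificateFile      : the issuing CA (the Windows 2003 CA in the post).
     SSLCARevocationFile       : PEM-encoded CRL(s) exported from that CA. A DER
                                 export can be converted with:
                                 openssl crl -inform DER -in ca.crl -outform PEM -out ca.crl.pem
     The CRL file is read when the connector starts, which is consistent with the
     behaviour described above: a CRL published after start-up is not consulted
     until the connector is restarted. The loaded CRL also carries a nextUpdate;
     once that time passes OpenSSL treats the CRL as expired and client
     verification fails for everyone, so any restart schedule must be shorter
     than the CA's CRL publication interval. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150"
           SSLCertificateFile="C:/tomcat/conf/server-cert.pem"
           SSLCertificateKeyFile="C:/tomcat/conf/server-key.pem"
           SSLPassword="CHANGE_ME"
           SSLVerifyClient="require"
           SSLVerifyDepth="2"
           SSLCACertificateFile="C:/tomcat/conf/ca-cert.pem"
           SSLCARevocationFile="C:/tomcat/conf/ca.crl.pem" />
```

Forcing SSL for a particular URL pattern is not a connector setting but a web.xml security-constraint whose transport-guarantee is CONFIDENTIAL.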