tomcat-users mailing list archives

From Pavlos Drandakis <pdra...@noc.edunet.gr>
Subject client authentication issues
Date Tue, 03 Jun 2008 15:06:49 GMT
Hi all,

I have configured a stand-alone Tomcat server with APR support that hosts a web
application. I wanted to enable client authentication, so I put the following in
server.xml:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
executor="ThreadPool-port-8443" port="8443" address="my_server"
SSLEnabled="true" scheme="https" secure="true" SSLVerifyClient="require"
SSLVerifyDepth="4" SSLCertificateChainFile="/path/to/certs/bundle_cert.pem"
SSLCACertificateFile="/path/to/certs/root_bundle_cert.pem"
SSLCertificateFile="/path/to/certs/my_server.crt"
SSLCertificateKeyFile="/path/to/certs/my_server.key"
SSLCARevocationFile="/path/to/certs/crl/tomcat.pem" />

Everything seems OK, but there are some issues:
1) When the CRL expires, Tomcat rejects every client certificate as expired, even
certificates that were revoked before the expiration of the CRL and that the CRL
was aware of (IMHO they should be treated as revoked ones).

2) If a certificate is revoked, the user can still authenticate even though the CRL
is automatically updated. It seems to me that Tomcat reads the CRL once (when
starting) and never again. Is that true? If I restart Tomcat everything works well.
Is there any other way to reload the CRL?

3) I cannot find information about OCSP directives like SSLOCSPEnable
(http://httpd.apache.org/docs/trunk/mod/mod_ssl.html). Is OCSP supported for my
configuration? If not, is there any plan for supporting it?

Thanks in advance,
Pavlos

Server Configuration:
Tomcat: 6.0.16
APR: 1.2.12
Tomcat Native: 1.1.13
OpenSSL: 0.9.8g
Java: 1.6.0_06
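The two CRL questions above (has the CRL passed its nextUpdate, and is a given serial listed in it) can be answered outside Tomcat, which lets an operator alert on a stale CRL before the connector starts rejecting everyone. The following is an added example, not code from the poster or from Tomcat/tcnative: a standard-library-only parser for a PEM or DER CRL in RFC 5280 layout, plus a status function that keeps a listed serial REVOKED even after the CRL has expired and otherwise reports an expired CRL as an explicit no-decision. The sample CRL is constructed in the block with a throwaway encoder and carries a placeholder signature; signature verification against the CA (SSLCACertificateFile) is deliberately out of scope and must be added before any result is trusted.

```python
"""Stand-alone CRL freshness / revocation check (constructed example).

Assumptions: CRL in RFC 5280 CertificateList layout, UTCTime or
GeneralizedTime dates. The CRL signature is NOT verified here.
"""
import base64
import re
from datetime import datetime, timezone


def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag, val):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_crl(data):
    """Return thisUpdate, nextUpdate (None if absent) and the set of revoked serials."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    _, crl_body, _ = _tlv(data, 0)          # CertificateList SEQUENCE
    _, tbs, _ = _tlv(crl_body, 0)           # TBSCertList SEQUENCE
    items = _children(tbs)
    idx = next(i for i, (t, _) in enumerate(items) if t in (0x17, 0x18))
    this_update, idx = _time(*items[idx]), idx + 1
    next_update = None
    if idx < len(items) and items[idx][0] in (0x17, 0x18):
        next_update, idx = _time(*items[idx]), idx + 1
    revoked = set()
    if idx < len(items) and items[idx][0] == 0x30:   # revokedCertificates
        for _, entry in _children(items[idx][1]):
            _, serial, _ = _tlv(entry, 0)            # userCertificate INTEGER
            revoked.add(int.from_bytes(serial, "big", signed=True))
    return {"thisUpdate": this_update, "nextUpdate": next_update, "revoked": revoked}


def cert_status(crl, serial, now):
    """A listed serial stays REVOKED even on a stale CRL; an expired CRL otherwise
    gives no decision (a verifier should fail closed on CRL_EXPIRED)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if serial in crl["revoked"]:
        return "REVOKED"
    if crl["nextUpdate"] is not None and now > crl["nextUpdate"]:
        return "CRL_EXPIRED"
    return "GOOD"


def _der(tag, body):
    """Tiny DER encoder used only to build the constructed sample below."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_crl_der():
    """Constructed CRL: issued 2008-06-01, nextUpdate 2008-06-08, serials 0x1001
    and 0x1002 revoked, placeholder (unverifiable) signature."""
    utc = lambda s: _der(0x17, s.encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Test CA"))
    issuer = _der(0x30, _der(0x31, cn))
    entry = lambda serial, when: _der(0x30, _der(0x02, serial.to_bytes(2, "big")) + utc(when))
    revoked = _der(0x30, entry(0x1001, "080602120000Z") + entry(0x1002, "080603090000Z"))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer
               + utc("080601000000Z") + utc("080608000000Z") + revoked)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 5))


def sample_crl_pem():
    b64 = base64.encodebytes(sample_crl_der()).decode()
    return ("-----BEGIN X509 CRL-----\n" + b64 + "-----END X509 CRL-----\n").encode()


if __name__ == "__main__":
    crl = parse_crl(sample_crl_pem())
    print("nextUpdate:", crl["nextUpdate"], "revoked:", sorted(map(hex, crl["revoked"])))
    for serial, day in ((0x1001, "2008-06-05"), (0x1001, "2008-06-20"),
                        (0x2000, "2008-06-05"), (0x2000, "2008-06-20")):
        print(hex(serial), day, cert_status(crl, serial, day))
```

Pointing `parse_crl` at the real SSLCARevocationFile and comparing `nextUpdate` with the current time from cron gives an early warning that matches issue 1, and diffing the `revoked` set between runs shows whether the file on disk has changed even if the running connector has not picked it up (issue 2).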


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

