From: André Warnier
Reply-To: Tomcat Users List
To: Tomcat Users List
Date: Wed, 28 Nov 2012 19:39:06 +0100
Subject: Re: tomcat6 with crl doesn't load
Message-ID: <50B65A4A.6070200@ice-sa.com>
References: <7685B012-8203-4DC9-BBF1-DF908A2AA19A@vmware.com>

Daniel Mikusa wrote:
> On Nov 28, 2012, at 11:56 AM, Will Nordmeyer wrote:
>
>> On Wed, Nov 28, 2012 at 9:03 AM, Will Nordmeyer wrote:
>>> On Wed, Nov 28, 2012 at 8:45 AM, Daniel Mikusa wrote:
>>>> On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote:
>>>>
>>>>> On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa wrote:
>>>>>> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>>>>>>
>>>>>>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa wrote:
>>>>>>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>>>>>>
>>>>>>> Does that give you a clear(er) picture? :)
>>>>>> Definitely. A couple suggestions…
>>>>>>
>>>>>> 1.) You may want to take a look at org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile" and you can see how this is being configured and utilized.
>>>>>>
>>>>>> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>>>>>
>>>>>> 2.) Maybe try using Tomcat native and the APR connector. This would offload SSL to openssl which may handle things more efficiently.
>>>>>>
>>>>>> Dan
>>>>>>
>>>>> OK - I enabled Tomcat native & the APR, but now it doesn't prompt me
>>>>> for the Client Certificate.
>>>>>
>>>>> The log file has:
>>>>>
>>>>> Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
>>>>> property 'clientAuth' to 'true' did not find a matching property.
>>>> clientAuth only works for the BIO / NIO connectors. I think you want "SSLVerifyClient" with the APR connector.
>>>>
>>>> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>>>>
>>>> Dan
>>>>
>>> OK... thanks. That was purely me and literacy this morning. I looked
>>> RIGHT at that line and decided, nope... must not apply to me. I
>>> changed everything ELSE.
>> I've got the tomcat-native & APR configured, but when I add the SSL
>> Certificate Revocation options, it prompts me for my cert and then
>> gives a page cannot be displayed.
>
> You might want to try and capture some traces with Wireshark. This could give you some more insight into what is happening as the request is made.
>

You may also try with Firefox as a browser, with the HttpFox plugin. I just ran a quick test with an HTTPS website, and it seems to show a good portion of the SSL exchanges. It will not be as telling, but is a lot easier to use than Wireshark.
One problem with IE is the "friendly error messages" option, which hides the real server responses and displays some built-in page instead, which tells you nothing really about the problem.

>> <Connector
>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>     SSLEnabled="true"
>>     scheme="https"
>>     maxHttpHeaderSize="8192"
>>     maxThreads="150"
>>     minSpareThreads="25"
>>     maxSpareThreads="75"
>>     enableLookups="false"
>>     acceptCount="100"
>>     disableUploadTimeout="true"
>>     compression="on"
>>     compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
>>     connectionTimeout="20000"
>>     secure="true"
>>     SSLCertificateFile="/etc/ssl/certs/mycert01.crt"
>>     SSLCertificateKeyFile="/etc/ssl/certs/mykey01.pem"
>>     SSLPassword="dmapsdev"
>>     SSLCACertificateFile="/etc/ssl/certs/root-certs.pem"
>>     SSLVerifyClient="require"
>>     SSLCARevocationFile="/etc/ssl/certs/CRL-bundle.crl"
>>     sslProtocol="TLS" />
>>
>> Without the SSLCARevocationFile, it prompts for my certificate, gets
>> the PIN and goes to the app.
>>
>> How can I test/trace the Revocation File issues? The CRL-bundle.crl
>> file has 39 different X509 formatted CRLs, totaling 271 MB of data.
>
> Couple thoughts…
>
> 1.) Check that your certificates and CRL file are all valid and functioning properly. I'm not an expert with openssl, but I think "openssl verify" can be used to test this from the command line.
>
> 2.) Perhaps start with a smaller CRL file or create a set of testing certs that you can use to verify behavior.
>
> Dan
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
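A concrete way to carry out Dan's two suggestions (check the CRL bundle with the openssl CLI, and bisect a large bundle into smaller ones) is sketched below. This is an added example written for this thread, not code posted by any participant and not part of Tomcat or Tomcat native. It assumes a POSIX shell with awk, and the `openssl` command-line tool for the parsing and verification steps (those are skipped, not failed, when openssl is absent). The sample bundle it writes is constructed for illustration: its PEM bodies are a minimal DER SEQUENCE, not real CRLs, so openssl will correctly report them as invalid; point `split_crl_bundle` at the real `CRL-bundle.crl` instead.

```shell
#!/bin/sh
# Added example (not from the thread): split a PEM CRL bundle into one file
# per CRL, sanity-check each CRL with the openssl CLI, and verify a client
# certificate against a CA bundle plus CRL with revocation checking enabled.

# split_crl_bundle BUNDLE OUTDIR
# Writes crl-001.pem, crl-002.pem, ... into OUTDIR and prints how many
# "-----BEGIN X509 CRL-----" blocks were found. Text outside a PEM block
# (blank lines, comments) is dropped, so each output file is a clean CRL.
split_crl_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN X509 CRL-----/ { n++; f = sprintf("%s/crl-%03d.pem", dir, n); inblk = 1 }
        inblk                        { print > f }
        /^-----END X509 CRL-----/    { close(f); inblk = 0 }
        END                          { print n + 0 }
    ' "$bundle"
}

# check_crl_file CRL
# Returns 0 if openssl can parse the CRL (or if openssl is not installed, in
# which case the check is skipped), 1 otherwise. Prints issuer and nextUpdate
# so an expired CRL, which OpenSSL also rejects, is visible at a glance.
check_crl_file() {
    crl=$1
    if ! command -v openssl >/dev/null 2>&1; then
        printf '%s: skipped (openssl not installed)\n' "$crl"
        return 0
    fi
    if ! openssl crl -noout -in "$crl" >/dev/null 2>&1; then
        printf '%s: INVALID (does not parse as an X.509 CRL)\n' "$crl"
        return 1
    fi
    printf '%s: ok, %s, %s\n' "$crl" \
        "$(openssl crl -noout -in "$crl" -issuer)" \
        "$(openssl crl -noout -in "$crl" -nextupdate)"
}

# verify_client_cert CLIENT_CERT CA_BUNDLE CRL_FILE
# Chain verification with CRL checking for every certificate in the chain,
# i.e. the kind of check OpenSSL performs for Tomcat native when
# SSLVerifyClient="require" and SSLCARevocationFile are configured.
verify_client_cert() {
    openssl verify -crl_check_all -CAfile "$2" -CRLfile "$3" "$1"
}

# write_sample_bundle FILE
# Constructed sample: two PEM blocks whose bodies are a minimal DER SEQUENCE
# (30 03 02 01 05), not real CRLs, so the splitter can be exercised offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN X509 CRL-----
MAMCAQU=
-----END X509 CRL-----

-----BEGIN X509 CRL-----
MAMCAQU=
-----END X509 CRL-----
EOF
}

# Demo run: split the sample bundle and report on every piece; a failing
# check does not stop the loop, so all bad CRLs are listed in one pass.
workdir=$(mktemp -d)
write_sample_bundle "$workdir/CRL-bundle.crl"
count=$(split_crl_bundle "$workdir/CRL-bundle.crl" "$workdir/crls")
echo "CRLs in bundle: $count"
for f in "$workdir"/crls/crl-*.pem; do
    check_crl_file "$f" || true
done
```

With the real bundle, the per-CRL files give you the "smaller CRL file" Dan suggests: any single CRL that `check_crl_file` flags is a candidate for the failure, and concatenating only the CRLs that pass back into one file for `SSLCARevocationFile` lets you bisect the 39 entries quickly. Once a test client certificate is at hand, `verify_client_cert client.pem /etc/ssl/certs/root-certs.pem CRL-bundle.crl` shows whether OpenSSL itself accepts the chain with revocation checking, independently of Tomcat.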