tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: ssl client certificate authentication
Date Wed, 10 Jul 2013 11:39:01 GMT
On 10/07/2013 12:25, Jan Vávra wrote:
> Hi all.
> I've studied the documentation at
> and
> I have several questions on it.
> 1. While APR/Native has the config option SSLCACertificateFile that
> defines the set of allowed client cert authorities, JSSE SSL has no
> analogous option. Is the set of allowed client cert authorities defined
> implicitly by the Java cacerts file located in
> $JAVA_HOME/lib/security/cacerts ?


> 2. It seems to me that checking of revocation of client certificates is done
> via "static" CRL files located in APR's SSLCARevocationPath or JSSE's
> crlFile. If I write a cron task that periodically downloads CRL list(s),
> will Tomcat react to this change of the CRL file(s)? I've found in the
> mailing list a 5-year-old mail saying that the Apache
> server is not doing it.

My reading of the source code is that the CRLs are read once when the
server socket is created. Updates will be ignored.

> 3. And in general, what is better to use, APR or JSSE? My opinion is: if
> Tomcat does not serve a web portal, JSSE is good enough, although I
> can use only one CRL file for client cert checking. In the case of APR I
> must compile native libs on Linux, so it is more complicated but more
> powerful ...

'better' is subjective. The right answer depends on your requirements.
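For reference, the two connector styles discussed in this thread, written out side by side. This is an added example, not configuration from the original message or from the Tomcat project; the port, file names and passwords are placeholders. On the JSSE side the attribute that plays the role of SSLCACertificateFile is truststoreFile (with truststorePass), and crlFile names the single CRL file; on the APR side the equivalents are SSLCACertificateFile and SSLCARevocationFile (or SSLCARevocationPath for a directory of CRLs, as in the question above).

```xml
<!-- Added example (not from the original thread): Tomcat 7 server.xml
     fragments enforcing client-certificate authentication.
     Paths, passwords and the port are placeholders (assumptions). -->

<!-- JSSE (pure Java) connector -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           clientAuth="true"
           truststoreFile="conf/client-cas.jks" truststorePass="changeit"
           crlFile="conf/clients.crl" />

<!-- APR/native connector, same policy -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="conf/server.crt"
           SSLCertificateKeyFile="conf/server.key"
           SSLVerifyClient="require"
           SSLCACertificateFile="conf/client-cas.pem"
           SSLCARevocationFile="conf/clients.crl" />
```

Two practical points follow from the thread. First, set truststoreFile explicitly: if it is omitted, the JSSE connector falls back to the JVM's default trust store (the javax.net.ssl.trustStore system property, else the JRE's cacerts), which means any certificate issued by any public CA in that file would be accepted as a client certificate. Second, given Mark's reading that CRLs are loaded once when the server socket is created, a cron job that refreshes clients.crl on disk is not enough on its own; the connector has to be restarted before the new CRL is consulted.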


