tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: ssl client certificate authentication
Date Wed, 10 Jul 2013 11:39:01 GMT
On 10/07/2013 12:25, Jan Vávra wrote:
> Hi all.
> I've studied the documentation at
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support and
> I have several questions on it.
> 
> 1. While the APR/Native has config option SSLCACertificateFile that
> defines the set of allowed client cert authorities the JSSE SSL has no
> analogous option. Is the set of allowed client cert authorities defined
> implicitly by the java cacerts file located in
> $JAVA_HOME/lib/security/cacerts ?

Yes.

> 2. It seems to me that checking of revocation of client certificates is done
> via "static" CRL files located in APR's SSLCARevocationPath or JSSE's
> crlFile. If I write a cron task that periodically downloads CRL list(s),
> will Tomcat react to this change of CRL file(s)? I've found in the
> org.apache.httpd.dev mail list a 5-year-old mail saying that the Apache
> Server is not doing it. http://markmail.org/message/nrhnyd6dppl25uxj

My reading of the source code is that the CRLs are read once when the
server socket is created. Updates will be ignored.

> 3. And in general, what is better to use, APR or JSSE? My opinion is: if
> Tomcat does not serve a web portal, JSSE is good enough, although I
> can use only one CRL file for client cert checking. In case of APR I
> must compile native libs on Linux, so it is more complicated but more
> powerful ...

'better' is subjective. The right answer depends on your requirements.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
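As an added example (not part of the thread), a Tomcat 7 JSSE connector that makes the points from questions 1 and 2 explicit: the set of accepted client-cert CAs is pinned with truststoreFile instead of falling back to the JVM's cacerts, and a crlFile is configured. All file paths and passwords are placeholders.

```xml
<!-- Added example, not from the thread. Tomcat 7 JSSE HTTPS connector with
     client-certificate authentication. Paths and passwords are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="/path/to/server-keystore.jks"
           keystorePass="CHANGE_ME"
           clientAuth="true"
           truststoreFile="/path/to/client-ca-truststore.jks"
           truststorePass="CHANGE_ME"
           crlFile="/path/to/client-ca.crl" />
<!-- Without truststoreFile/truststorePass the connector trusts every CA in
     $JAVA_HOME/lib/security/cacerts (question 1), which is far broader than
     the CAs that should be issuing your client certificates.
     The CRL named by crlFile is read once when the server socket is created
     (question 2): a cron job that refreshes the file on disk has no effect
     until the connector, or Tomcat, is restarted. -->
```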

