tomcat-users mailing list archives

From Jan Vávra <>
Subject Re: ssl client certificate authentication
Date Wed, 10 Jul 2013 11:45:35 GMT

>> 2. It seems to me that checking of revocation of client certificate is done
>> via "static" crl files located in APR's SSLCARevocationPath or JSSE's
>> crlFile. If I write a cron task that periodically downloads crl list(s),
>> will Tomcat react to this change of CRL file(s)? I've found in the
>> mail list a 5-year-old mail saying that the Apache
>> Server is not doing it.
> My reading of the source code is that the CRLs are read once when the
> server socket is created. Updates will be ignored.
You read also the JSSE source code and it behaves equally to the APR 

>> 3. And in general, what is better to use, APR or JSSE? My opinion is: if
>> the Tomcat serves not a web portal the JSSE is good enough although I
>> can use only one crl file for client cert checking. In case of APR I
>> must compile native libs on Linux so it is more complicated but more
>> powerful ...
> 'better' is subjective. The right answer depends on your requirements.
Is there an article that gives more info on it? I'd like to have some 
pros and cons. For now I'm a bit too lazy to compile APR.
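
Added example, not part of the original message or of Tomcat: because the thread states that CRLs are read once when the server socket is created, a cron-driven download only helps if the job also reports when a restart is due. The sketch below validates and atomically installs a downloaded CRL and flags a CRL newer than the running server; `CRL_VERIFY_CMD`, the function names and the start-marker file are assumptions, and the restart itself is left to the site's own service command.

```shell
#!/bin/sh
# Hypothetical hook: command (plus options) that must accept the candidate CRL.
# The default parses the file with openssl; override it for DER input etc.
: "${CRL_VERIFY_CMD:=openssl crl -noout -in}"

# refresh_crl NEW_FILE INSTALLED_FILE
# Returns 0: installed file replaced, server restart required
#         1: CRL unchanged, nothing to do
#         2: candidate rejected, installed file left untouched
refresh_crl() {
    new=$1
    installed=$2
    # An empty or truncated download must never replace a working CRL.
    [ -s "$new" ] || return 2
    # Unquoted on purpose: the variable holds a command and its options.
    $CRL_VERIFY_CMD "$new" >/dev/null 2>&1 || return 2
    # Identical content means no restart is needed.
    if [ -f "$installed" ] && cmp -s "$new" "$installed"; then
        return 1
    fi
    # Copy beside the target, then rename, so no reader sees a partial file.
    tmp="$installed.tmp.$$"
    cp "$new" "$tmp" || { rm -f "$tmp"; return 2; }
    mv -f "$tmp" "$installed" || { rm -f "$tmp"; return 2; }
    return 0
}

# crl_is_stale INSTALLED_FILE START_MARKER
# True when the CRL on disk is newer than START_MARKER, a file the start
# script is assumed to touch each time the server comes up. In that state
# the server is still enforcing the CRL it loaded at startup.
crl_is_stale() {
    [ -n "$(find "$1" -newer "$2" 2>/dev/null)" ]
}

# Typical cron wrapper (paths are placeholders):
#   refresh_crl /tmp/ca.crl.download /path/to/ca.crl
#   case $? in
#     0) : restart the server here ;;
#     2) : alert, the download was rejected ;;
#   esac
```

Return code 2 deserves an alert of its own: a CRL that keeps failing validation means revocations are silently not reaching the server.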

