tomcat-users mailing list archives

From Jan Vávra <va...@602.cz>
Subject Re: ssl client certificate authentication
Date Wed, 10 Jul 2013 11:45:35 GMT

>> 2. It seems to me that checking of revocation of the client certificate is done
>> via "static" CRL files located in APR's SSLCARevocationPath or JSSE's
>> crlFile. If I write a cron task that periodically downloads the CRL list(s),
>> will Tomcat react to this change of CRL file(s)? I've found in the
>> org.apache.httpd.dev mail list a 5-year-old mail saying that the Apache
>> Server is not doing it. http://markmail.org/message/nrhnyd6dppl25uxj
> My reading of the source code is that the CRLs are read once when the
> server socket is created. Updates will be ignored.
You also read the JSSE source code, and it behaves the same as the APR
(mod_ssl)?

>
>> 3. And in general, which is better to use, APR or JSSE? My opinion is: if
>> Tomcat does not serve a web portal, JSSE is good enough, although I
>> can use only one CRL file for client cert checking. In the case of APR I
>> must compile native libs on Linux, so it is more complicated but more
>> powerful ...
> 'better' is subjective. The right answer depends on your requirements.
>
Is there an article that gives more info on it? I'd like to have some
pros and cons. For now I'm a bit too lazy to compile APR.

Jan
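
A cron job that refreshes CRLs, as asked about in question 2, can at least detect when the files on disk no longer match what the server loaded. The following is an added example, not code from this thread or from Tomcat; it assumes the quoted reading that CRLs are read once when the server socket is created, and the function names and placeholder CRL contents are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def crl_fingerprints(location):
    """Map each CRL file under `location` (one file or a directory) to its SHA-256."""
    root = Path(location)
    files = [root] if root.is_file() else sorted(p for p in root.iterdir() if p.is_file())
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}


def crl_changes(loaded, current):
    """Compare the fingerprints recorded at connector start with those on disk now."""
    return {
        "added": sorted(set(current) - set(loaded)),
        "removed": sorted(set(loaded) - set(current)),
        "modified": sorted(p for p in loaded.keys() & current.keys()
                           if loaded[p] != current[p]),
    }


def restart_needed(loaded, current):
    """True when the server's in-memory CRLs no longer match the files on disk."""
    return any(crl_changes(loaded, current).values())


def demo():
    # Constructed sample data: placeholder bytes stand in for real CRL files.
    with tempfile.TemporaryDirectory() as tmp:
        crl_dir = Path(tmp)
        (crl_dir / "ca1.crl").write_bytes(b"constructed CRL #41")
        (crl_dir / "ca2.crl").write_bytes(b"constructed CRL #7")
        at_start = crl_fingerprints(crl_dir)  # recorded when the connector starts

        # Cron re-downloads an identical ca2.crl and a newer ca1.crl.
        (crl_dir / "ca2.crl").write_bytes(b"constructed CRL #7")
        (crl_dir / "ca1.crl").write_bytes(b"constructed CRL #42")
        after_cron = crl_fingerprints(crl_dir)
        return crl_changes(at_start, after_cron), restart_needed(at_start, after_cron)


if __name__ == "__main__":
    changes, restart = demo()
    print(changes, "restart needed:", restart)
```

Comparing content hashes rather than modification times means a re-download of an unchanged CRL does not trigger a restart.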
