tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] ssl client certificate authentication
Date Thu, 11 Jul 2013 18:04:53 GMT

Mark,

On 7/10/13 7:39 AM, Mark Thomas wrote:
> On 10/07/2013 12:25, Jan Vávra wrote:
>> Hi all. I've studied the documentation at 
>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>> and I have several questions on it.
>> 
>> 1. While the APR/Native has the config option SSLCACertificateFile
>> that defines the set of allowed client cert authorities, the JSSE
>> SSL has no analogous option. Is the set of allowed client cert
>> authorities defined implicitly by the Java cacerts file located
>> in $JAVA_HOME/lib/security/cacerts ?
> 
> Yes.
> 
>> 2. It seems to me that checking of revocation of client certificates
>> is done via "static" CRL files located in APR's
>> SSLCARevocationPath or JSSE's crlFile. If I write a cron task
>> that periodically downloads CRL list(s), will Tomcat react to
>> this change of CRL file(s)? I've found in the org.apache.httpd.dev
>> mailing list a 5-year-old mail saying that the Apache Server is not
>> doing it. http://markmail.org/message/nrhnyd6dppl25uxj
> 
> My reading of the source code is that the CRLs are read once when
> the server socket is created. Updates will be ignored.

We should be thinking about a sane way to allow updates for all our
connector types. I believe that CRLs are only loaded once no matter
what kind of connector is being used.

For all SSL connectors, does the connector have to be completely
torn-down and re-created in order to change the CRL? Or could the
Connector object stay up and "reload" itself?

I think in either case, a small service interruption would be required
between the teardown of the socket and the subsequent bind, since I'm
fairly sure you can't reconfigure the SSLServerSocket on the fly.

I don't see any existing "re-init" method in any of the Connector
classes... could such a thing be added, and maybe exposed via JMX?

>> 3. And in general, what is better to use, APR or JSSE? My opinion
>> is: if Tomcat does not serve a web portal, JSSE is good enough,
>> although I can use only one CRL file for client cert checking. In
>> the case of APR I must compile native libs on Linux, so it is more
>> complicated but more powerful ...
> 
> 'better' is subjective. The right answer depends on your
> requirements.

APR SSL is measurably faster than JSSE SSL (or was, at least the last
time I compared the two). Compiling tcnative on Linux is trivial: two
commands to build, one command to copy libraries into place (as long
as you have the required packages/libraries installed, like
'httpd-devel' on many distros).

-chris
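For reference, the shape of the two connector configurations the thread compares, as an added example written from the Tomcat 7 connector documentation linked above (it is not configuration from the original message; the port, file names under ${catalina.base}/conf and the "changeit" passwords are placeholders). The security-relevant detail for question 1 is the truststoreFile attribute: when it is set, only certificates chaining to a CA in that store are accepted as client certificates, whereas when it is left unset the JSSE connector falls back to the JVM trust store (javax.net.ssl.trustStore, or the bundled cacerts), so a client certificate issued by any public CA in that store would pass the TLS-level check. Both crlFile and SSLCARevocationFile are read once when the connector starts, as discussed above, so a CRL refreshed by a cron job only takes effect after the connector is restarted.

```xml
<!-- JSSE (BIO/NIO) connector: a client certificate is required and must chain
     to a CA in client-truststore.jks, not merely to the JVM-wide cacerts. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks"
           keystorePass="changeit"
           clientAuth="true"
           truststoreFile="${catalina.base}/conf/client-truststore.jks"
           truststorePass="changeit"
           crlFile="${catalina.base}/conf/clients.crl" />

<!-- APR/native connector: the same policy with PEM files. JSSE takes a single
     crlFile; APR takes SSLCARevocationFile, or SSLCARevocationPath pointing at
     a directory of hashed CRL files. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/server.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/server.key"
           SSLVerifyClient="require"
           SSLVerifyDepth="2"
           SSLCACertificateFile="${catalina.base}/conf/client-ca.pem"
           SSLCARevocationFile="${catalina.base}/conf/clients.crl" />
```

Only one of the two Connector elements goes into server.xml for a given port. A cron job that replaces clients.crl should write the new file beside the old one and rename it into place, so the connector never reads a half-written CRL when it is restarted to pick up the change.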
