tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: [OT] ssl client certificate authentication
Date Thu, 11 Jul 2013 18:04:53 GMT

On 7/10/13 7:39 AM, Mark Thomas wrote:
> On 10/07/2013 12:25, Jan Vávra wrote:
>> Hi all. I've studied the documentation at 
>> and I have several questions on it.
>> 1. While the APR/Native has the config option SSLCACertificateFile,
>> which defines the set of allowed client cert authorities, JSSE
>> SSL has no analogous option. Is the set of allowed client cert
>> authorities defined implicitly by the Java cacerts file located
>> in $JAVA_HOME/lib/security/cacerts?
> Yes.
>> 2. It seems to me that checking of revocation of client certificates
>> is done via "static" CRL files located in APR's
>> SSLCARevocationPath or JSSE's crlFile. If I write a cron task
>> that periodically downloads CRL list(s), will Tomcat react to
>> this change of CRL file(s)? I've found in
>> mail list a 5-year-old mail saying that the Apache Server is not
>> doing it.
> My reading of the source code is that the CRLs are read once when
> the server socket is created. Updates will be ignored.

We should be thinking about a sane way to allow updates for all our
connector types. I believe that CRLs are only loaded once no matter
what kind of connector is being used.

For all SSL connectors, does the connector have to be completely
torn down and re-created in order to change the CRL? Or could the
Connector object stay up and "reload" itself?

I think in either case, a small service interruption would be required
between the teardown of the socket and the subsequent bind, since I'm
fairly sure you can't reconfigure the SSLServerSocket on the fly.

I don't see any existing "re-init" method in any of the Connector
classes... could such a thing be added, and maybe exposed via JMX?

>> 3. And in general, what is better to use, APR or JSSE? My opinion
>> is: if Tomcat does not serve a web portal, JSSE is good enough,
>> although I can use only one CRL file for client cert checking. In
>> case of APR I must compile native libs on Linux, so it is more
>> complicated but more powerful ...
> 'better' is subjective. The right answer depends on your
> requirements.

APR SSL is measurably faster than JSSE SSL (or was, at least the last
time I compared the two). Compiling tcnative on Linux is trivial: two
commands to build, one command to copy libraries into place (as long
as you have the required packages/libraries installed, like
'httpd-devel' on many distros).

-chris
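Chris asks whether a connector could pick up a changed CRL without being torn down. One way to get that at the JSSE layer, shown here as an added example (not Tomcat's code and not how its crlFile option is implemented), is a delegating X509TrustManager that rebuilds its PKIX validator whenever the CRL file's modification time changes; the listening SSLServerSocket only holds a reference to the wrapper, so it is never rebound. The class name and CRL path are hypothetical, and the trust store is assumed to be the cacerts KeyStore from question 1.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.security.*;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

/** Hypothetical wrapper: re-reads the CRL file when it changes, without touching the socket. */
public final class ReloadingCrlTrustManager implements X509TrustManager {
    private final KeyStore trustStore;          // e.g. $JAVA_HOME/lib/security/cacerts (assumed)
    private final Path crlFile;                 // the file a cron job periodically refreshes
    private volatile FileTime loadedAt;         // mtime of the CRL file the current delegate was built from
    private volatile X509TrustManager delegate; // PKIX trust manager with revocation checking enabled

    public ReloadingCrlTrustManager(KeyStore trustStore, Path crlFile) throws GeneralSecurityException, IOException {
        this.trustStore = trustStore;
        this.crlFile = crlFile;
        rebuild();
    }

    /** Builds a fresh PKIX validator from the trust store plus the CRLs currently on disk. */
    private synchronized void rebuild() throws GeneralSecurityException, IOException {
        FileTime mtime = Files.getLastModifiedTime(crlFile); // read before the file, so a later write is noticed
        Collection<? extends CRL> crls;
        try (InputStream in = Files.newInputStream(crlFile)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true); // a chain with no matching CRL is rejected, not waved through
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        loadedAt = mtime;
    }

    /** Cheap mtime check per handshake; concurrent rebuilds are harmless, a failed reload fails closed. */
    private X509TrustManager current() throws CertificateException {
        try {
            if (!Files.getLastModifiedTime(crlFile).equals(loadedAt)) rebuild();
        } catch (GeneralSecurityException | IOException e) {
            throw new CertificateException("CRL reload failed, rejecting client", e);
        }
        return delegate;
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { current().checkClientTrusted(chain, authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { current().checkServerTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Initialise the SSLContext with this wrapper instead of the factory's own trust manager; because the check runs per handshake, a cron job's refreshed CRL takes effect on the next client connection rather than only at socket creation.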

