tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] ssl client certificate authentication
Date Thu, 11 Jul 2013 18:09:19 GMT

Mark,

On 7/11/13 2:04 PM, Christopher Schultz wrote:
> Mark,
> 
> On 7/10/13 7:39 AM, Mark Thomas wrote:
>> On 10/07/2013 12:25, Jan Vávra wrote:
>>> Hi all. I've studied the documentation at
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>> and I have several questions on it.
>>> 
>>> 1. While the APR/Native has config option SSLCACertificateFile 
>>> that defines the set of allowed client cert authorities the
>>> JSSE SSL has no analogous option. Is the set of allowed client
>>> cert authorities defined implicitly by the java cacerts file
>>> located in $JAVA_HOME/lib/security/cacerts ?
> 
>> Yes.
> 
>>> 2. It seems to me that checking of revocation of client
>>> certificate is done via "static" crl files located in APR's
>>> SSLCARevocationPath or JSSE's crlFile. If I write a cron task
>>> that periodically downloads crl list(s), will Tomcat react
>>> to this change of CRL file(s)? I've found in the
>>> org.apache.httpd.dev mail list a 5-year-old mail saying that
>>> the Apache Server is not doing it.
>>> http://markmail.org/message/nrhnyd6dppl25uxj
> 
>> My reading of the source code is that the CRLs are read once
>> when the server socket is created. Updates will be ignored.
> 
> We should be thinking about a sane way to allow updates for all
> our connector types. I believe that CRLs are only loaded once no
> matter what kind of connector is being used.
> 
> For all SSL connectors, does the connector have to be completely 
> torn-down and re-created in order to change the CRL? Or could the 
> Connector object stay up and "reload" itself?
> 
> I think in either case, a small service interruption would be
> required between the teardown of the socket and the subsequent
> bind, since I'm fairly sure you can't reconfigure the
> SSLServerSocket on the fly.

I take that back: I'll bet you can just change the behavior of the
TrustManager mid-flight. So the only question is whether APR supports
such a thing or not.

- -chris
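A sketch of the mid-flight TrustManager swap Chris describes, added here as an example (it is not Tomcat's code and not from anyone on this thread): an X509TrustManager wrapper that re-reads a crlFile-style CRL when its modification time changes and rebuilds its PKIX delegate, so revocation data can be refreshed without tearing down the SSLServerSocket. The class name, the KeyStore/Path constructor arguments and the mtime-polling approach are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

/** Hypothetical wrapper: delegates to a PKIX X509TrustManager that is rebuilt whenever the CRL file changes. */
public final class ReloadingCrlTrustManager implements X509TrustManager {
    private final KeyStore trustStore;   // allowed client CAs, e.g. loaded from cacerts
    private final Path crlFile;          // plays the role of the JSSE connector's crlFile
    private volatile long lastModified = -1;
    private volatile X509TrustManager delegate;

    public ReloadingCrlTrustManager(KeyStore trustStore, Path crlFile) throws Exception {
        this.trustStore = trustStore;
        this.crlFile = crlFile;
        reloadIfChanged();               // fail at startup if the CRL is unreadable
    }

    /** Rebuilds the delegate from the CRL on disk if its mtime moved since the last load. */
    private synchronized void reloadIfChanged() throws Exception {
        long mtime = Files.getLastModifiedTime(crlFile).toMillis();
        if (mtime == lastModified) return;
        Collection<?> crls;
        try (InputStream in = Files.newInputStream(crlFile)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        params.setRevocationEnabled(true); // every cert below the anchor must be covered by a loaded CRL
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { delegate = (X509TrustManager) tm; break; }
        }
        lastModified = mtime;
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try { reloadIfChanged(); } catch (Exception e) { throw new CertificateException("CRL reload failed", e); } // fail closed
        delegate.checkClientTrusted(chain, authType);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Pass an instance to SSLContext.init() in place of the factory's own TrustManager; the mtime check runs on every client handshake, so a cron-refreshed CRL takes effect on the next connection without a rebind.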


