From: Mark Thomas
Date: Wed, 10 Jul 2013 12:39:01 +0100
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: ssl client certificate authentication
In-Reply-To: <51DD44A3.6050006@602.cz>

On 10/07/2013 12:25, Jan Vávra wrote:
> Hi all.
> I've studied the documentation at
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support and
> I have several questions on it.
>
> 1. While APR/Native has the config option SSLCACertificateFile, which
> defines the set of allowed client cert authorities, JSSE has no
> analogous option. Is the set of allowed client cert authorities defined
> implicitly by the Java cacerts file located in
> $JAVA_HOME/lib/security/cacerts?

Yes.

> 2. It seems to me that revocation checking of client certificates is done
> via "static" CRL files located in APR's SSLCARevocationPath or JSSE's
> crlFile. If I write a cron task that periodically downloads the CRL list(s),
> will Tomcat react to this change of the CRL file(s)? I've found in the
> org.apache.httpd.dev mailing list a 5-year-old mail saying that the Apache
> HTTP Server is not doing it. http://markmail.org/message/nrhnyd6dppl25uxj

My reading of the source code is that the CRLs are read once when the
server socket is created. Updates will be ignored.

> 3. And in general, which is better to use, APR or JSSE? My opinion is: if
> Tomcat is not serving a web portal, JSSE is good enough, although I
> can use only one CRL file for client cert checking. In the case of APR I
> must compile the native libs on Linux, so it is more complicated but more
> powerful ...

'better' is subjective. The right answer depends on your requirements.

Mark
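The three questions above map onto a handful of Connector attributes. The following server.xml fragment is an added example written for this page, not configuration from the thread or from the Tomcat project; the port numbers, file paths and passwords are placeholders (assumptions), and the JSSE and APR connectors are shown side by side so the equivalent settings can be compared. The JSSE connector sets truststoreFile explicitly: left unset, Tomcat falls back to the JRE cacerts file, which trusts the public root CAs, so any client certificate chaining to one of them would pass the TLS handshake. A dedicated truststore that holds only your own client-issuing CA is the JSSE equivalent of SSLCACertificateFile.

```xml
<!-- Added example (not from the thread). Tomcat 7 HTTPS connectors with
     client certificate authentication. Paths, passwords and ports are
     placeholders. -->

<!-- JSSE (pure Java) connector. truststoreFile restricts acceptable client
     CAs to those in client-ca.jks instead of the JRE cacerts file.
     crlFile points at a single CRL (PEM or DER) used for revocation checks. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="${catalina.base}/conf/server.jks"
           keystorePass="changeit"
           truststoreFile="${catalina.base}/conf/client-ca.jks"
           truststorePass="changeit"
           crlFile="${catalina.base}/conf/client-ca.crl" />

<!-- APR/native connector with the equivalent settings in OpenSSL terms.
     SSLCARevocationFile takes one CRL file; SSLCARevocationPath takes a
     directory of hashed CRLs if more than one issuer must be covered. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLVerifyClient="require"
           SSLVerifyDepth="2"
           SSLCertificateFile="${catalina.base}/conf/server.pem"
           SSLCertificateKeyFile="${catalina.base}/conf/server.key"
           SSLCACertificateFile="${catalina.base}/conf/client-ca.pem"
           SSLCARevocationFile="${catalina.base}/conf/client-ca.crl" />
```

Two operational notes follow from Mark's answer on CRLs. Since both connectors read the CRL only when the server socket is created, a cron job that replaces client-ca.crl must also restart Tomcat (or the connector) for the new list to take effect, and it is worth checking the downloaded CRL's nextUpdate before swapping it in so that an expired list does not silently cause every handshake to fail. Also, clientAuth="true" and SSLVerifyClient="require" only prove that the client holds a certificate chaining to the configured CA; mapping that certificate to an application user is done by the Realm (Tomcat's CLIENT-CERT authentication uses the certificate's subject DN as the username), so the truststore decides who can connect at all, and the Realm decides what they may do.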