tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: tcnative experts: please have a look at BZ 53940
Date Mon, 19 Mar 2018 14:13:16 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 3/19/18 9:54 AM, Mark Thomas wrote:
> On 19/03/18 13:52, Christopher Schultz wrote:
>> All,
>> 
>> I'm guessing this is mostly directed towards Rainer: can someone
>> look at https://bz.apache.org/bugzilla/show_bug.cgi?id=53940?
>> It's got a proposed patch and IMO makes sense to implement.
>> 
>> I'm not familiar enough with OpenSSL and the way that the SSL
>> engine works to know if this is a valid technique.
>> 
>> Most people don't use CRLs so it won't affect their performance
>> or anything like that. But those who do rely on a CRL can't
>> afford to bounce their Tomcat instance or connector just to
>> pick-up an updated CRL .
> 
> Can't we just close that as WONTFIX on the grounds that you just
> trigger the reload of the TLS config in Tomcat?

It seems reasonable, but I believe this patch looks at the CRL's
reload "schedule" (I didn't know CRLs had such as thing) and respects
it. So Tomcat could auto-reload appropriately without having to set up
e.g. cron to reload on a schedule.

Also, I didn't realize that the reload was working for native-based
connectors. Now that I think about it, I think you said at one point
that we are simply relying on a finalizer to clean-up after abandoned
native SSL engine resources rather than going through the trouble to
maintain our own reference-counting infrastructure. So I guess that's
a moot point.

I'm okay closing this as WONTFIX with a note saying "issue a reload
command yourself". The original poster can come back to request this
feature specifically if manual-reloading is not acceptable.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqvxXwdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh8TQ/5AYDx/6FcpjBW5SOm
epfRIFQ+4QgLynAQMeBja2mYmtBd8mGYFRtw8NS9DHq+LcH4xIYhBl/CRiRdxpqz
MLUuUoTgvyDy8Sws/PY4HQEDX2/Yv64TYovSSpTuJJdkIDqDS4Wq5zL9hd9+DmDn
7IkbMoCv6rwI9SdP+dHhSm32lVYEzxN61WXQ/f9yadrEehwBDt6B0bGqbaDHfVr2
OMoUIu10p8Qxxmf98nFwBhGFhLxGXvdBZhLLUF2XqiHKzzjkubDxpTGXjg2mcUXu
H8LJYIWlW32kfA1oLWA6jeVPXtasuYEXXdvI+UIXxzIaUbrtEagmslX9H5ov7vha
gCug00Sdj+YqeUpP54vvF1/Mv0Dv2pNNH5/lDJkBADDsToUepUDn5G9YMuVv5vlN
5i5/XP5vHSr0/W2onj56KpEM6zfrJ87X4SKyCMVe7vztorq/kzryUXSilHY2DBj3
JgWQF1LilhB3xo5LuZTbPhDjGZGROCNgf0mEeTV9grirHV1Q3NcLj0W0AeOdQ5Ib
/3gUCG74KmABYL9+FNZRrFJzngdT48ogBfsAodZ1IJTbAW2T4PvRQp+fX8/T1QBJ
L30KDbXpwGlJdrkh3PkCxT1Zk5o7qo8I5KzVkXCgR3u16f+pP+EzjiHMsAgGydZb
fwzCu5iRBhD6r6mBBcf16d1E0k8=
=URhz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message