I've gotten it to work!! (Well, mostly :) )
The last problem that I was having (below) is that the parameter in the
server.xml file should have been crlFile rather than crlFiles (with an 's').
Now, when I point to a CRL file in the server.xml file and then try to
access the site with a revoked cert, I am refused. So, Tomcat 5.5.12 does
support CRLs, but it takes some extra work.
Now, one last question that maybe someone can answer...
As you may have guessed by the error I made above (adding the 's' to
crlFile), I want to be able to point to multiple CRL files. Ideally, point
to a directory which contains multiple CRL files. I don't see any way to do
this. Does anyone know of a way? If I can get this last part, I will be
golden.
Thanks again everyone for your help.
-Kennedy
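The directory-of-CRLs question above, and the crlFile mechanism Martin describes further down, both come down to the JDK 1.5 PKIX API that the recompiled JSSE15SocketFactory uses: CRLs go into a CertStore, revocation checking is switched on, and a PKIX TrustManagerFactory is built from the result. The following is an added example of that API for a whole directory of CRL files; it is my own code, not Tomcat's JSSE15SocketFactory and not from this thread, and the class name, a JKS truststore and a directory holding only CRL files are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class CrlDirTrustManagers {
    // Parse every file in the directory as one or more X.509 CRLs (DER or PEM).
    // Directory layout is an assumption: each file holds only CRLs, nothing else.
    static Collection<CRL> loadCrls(File dir) throws Exception {
        File[] files = dir.listFiles();
        if (files == null) throw new IllegalArgumentException("not a directory: " + dir);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<CRL> crls = new ArrayList<CRL>();
        for (File f : files) {
            InputStream in = new FileInputStream(f);
            try {
                crls.addAll(cf.generateCRLs(in));
            } finally {
                in.close();
            }
        }
        return crls;
    }

    // Build PKIX trust managers (the JDK 1.5 API) that consult those CRLs when a
    // client certificate chain is validated. Truststore path and password are
    // assumed to be whatever the SSL Connector already uses for clientAuth.
    static TrustManager[] build(File trustStoreFile, char[] password, File crlDir) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStoreFile);
        try { trustStore.load(in, password); } finally { in.close(); }
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(loadCrls(crlDir))));
        // Without this the CRLs are loaded but never consulted. With it, PKIX is
        // hard-fail: a chain whose issuer has no CRL in the directory is rejected too.
        params.setRevocationEnabled(true);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf.getTrustManagers(); // hand these to SSLContext.init(...) for the server socket
    }
}
```

The hard-fail behaviour is the practical catch for a CRL directory: every issuing CA in the client chain needs a current CRL present, or validation fails for all of that CA's certificates, not only the revoked ones.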
----- Original Message -----
From: "Kennedy Roberts" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, December 01, 2005 2:18 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5
Ok, hopefully I am getting close:
I have recompiled the tomcat-util.jar using the 1.5 JDK. I have looked at
the contents of the jar and it does now include the JSSE15Factory and
JSSE15SocketFactory classes. The version of the tomcat-util.jar that came
with Tomcat 5.5.12 did not even have these files in it. So, I take that
to mean that the recompilation was a success.
I placed this jar in the {tomcat.home}/server/lib directory and restarted
Tomcat AND my webapp. I've also added the following to my
{tomcat.home}/conf/server.xml file:
crlFiles="C:\crl.txt"
This crl.txt is a CRL which I have confirmed (using OpenSSL) contains one
of my user certificates.
...and it's still not working. I put a System.out.println() statement in
the JSSE15SocketFactory to see if it is getting called, but I'm not seeing
this statement in the log, as if this class isn't getting called.
Any ideas? I think I'm close to getting this working, and looking through
the archives, a definitive solution to this problem would help a bunch of
people out!
Thanks,
Kennedy
----- Original Message -----
From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5
CRL support is present in Tomcat 5.5.12.
I am not an expert on Tomcat CRL support but what I
know is the following:
- You will need to recompile some of the tomcat-util.jar classes with JDK 1.5
because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be
recompiled are org.apache.tomcat.util.net.jsse.JSSE15Factory and
org.apache.tomcat.util.net.jsse.JSSE15SocketFactory.
- The crlFile property needs to be added inside your
SSL Connector in the server.xml file. The value is the
location of the CRL file on your system.
Regards,
Martin
--- "Duan, Nick" <[EMAIL PROTECTED]> wrote:
Tomcat currently doesn't support cert validation against CRL. You may
want to use Apache's mod_ssl to do the CRL checking. You will have to
use mod_jk to connect Apache web server with Tomcat.
SSL is very computationally intensive. Using Apache's httpd to do the SSL
work is more efficient than using Java-based Tomcat.
ND
-----Original Message-----
From: Kennedy Roberts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 10:55 AM
To: users@tomcat.apache.org
Subject: Certificate Revocation Lists in Tomcat 5.5
Hi all,
We've recently migrated our (SSL enabled) web application from SunOne to
Tomcat 5.5, and I can't find any information on handling Certificate
Revocation Lists in Tomcat. In SunOne, there was a function in the
administration console that let you import a CRL. Is there any equivalent
in Tomcat, or perhaps some other command line equivalent?
Thanks for your help.
-Kennedy
---------------------------------------------------------------------
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]