On Nov 26, 2012, at 3:35 PM, Will Nordmeyer wrote:

> have a new tomcat6.0.34 setup I'm configuring on my CentOS 6.3 (64
> bit). I've downloaded a series of CRLs for the certificate authorities
> I am using, converted them from DER to PEM with openssl:
>
> openssl crl -inform DER -outform PEM -in f1.der -out f1.pem_crl
> openssl crl -inform DER -outform PEM -in f2.der -out f2.pem_crl
>
> I then build a crl bundle with all the pem_crls (ends up with a 283 MB crl):
>
> cat *.pem_crl > CRL-bundle.crl
>
> Finally, I move it to /etc/ssl/certs
>
> mv CRL-bundle.crl /etc/ssl/certs
>
> I configure my connector as follows:
>
> <Connector port="8080" protocol="HTTP/1.1"
>            SSLEnabled="true"
>            maxHttpHeaderSize="8192"
>            maxThreads="150"
>            minSpareThreads="25"
>            maxSpareThreads="75"
>            enableLookups="false"
>            acceptCount="100"
>            disableUploadTimeout="true"
>            compression="on"
>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
>            connectionTimeout="20000"
>            secure="true"
>            keystorePass="mykeystorepass"
>            truststoreFile="/etc/ssl/certs/my.truststore"
>            truststorePass="mytruststorepass"
>            clientAuth="true"
>            sslProtocol="TLS"
>            crlFile="/etc/ssl/certs/CRL-bundle.crl"
>            redirectPort="8443" />
>
> When I try to start tomcat6 like that, only one entry appears in my
> catalina.out
>
> Nov 20, 2012 8:58:29 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path:
> /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

If Tomcat appears to be hanging with this option enabled, I would suggest taking a thread dump and including it here. Could provide some clues as to what is happening.

http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

Dan

> If I remove the crlFile reference in the server.xml, everything works
> fine (except crl lookups of course). The system starts up, the app is
> accessible, it prompts for the certificate...
>
> Any thoughts on why it would be failing like that would be appreciated.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
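
The thread-dump suggestion above, as an added example that is not part of the original thread: given two dumps taken a few seconds apart (for instance with `jstack <pid>` or `kill -3 <pid>`), these functions pull out the `main` thread and tell whether it moved. The function names and the sample dump, including its `com.example` frames, are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: read one thread out of HotSpot thread dumps (jstack or
# kill -3 output) to see where a startup that looks hung is spending its time.

# Print the header and frames of thread "$2" (default: main) from dump file "$1".
thread_stack() {
  awk -v name="${2:-main}" '
    BEGIN      { want = "\"" name "\"" }
    /^"/       { hit = (index($0, want) == 1); if (hit) print; next }
    hit && !NF { exit }      # a blank line ends the thread entry
    hit        { print }
  ' "$1"
}

# Innermost frame of that thread: the first "at ..." line, without the "at".
top_frame() {
  thread_stack "$1" "${2:-main}" |
    awk '$1 == "at" { sub(/^[ \t]*at /, ""); print; exit }'
}

# Succeeds when the thread has identical frames in dumps "$1" and "$2", i.e. it
# did not move between the two snapshots (blocked, or inside one long call).
same_frames() (
  a=$(thread_stack "$1" "${3:-main}" | awk '$1 == "at"')
  b=$(thread_stack "$2" "${3:-main}" | awk '$1 == "at"')
  [ -n "$a" ] && [ "$a" = "$b" ]
)

# Constructed sample dump; the com.example frames are placeholders, not
# frames taken from Tomcat or from the poster's system.
sample_dump() {
  cat <<'EOF'
Full thread dump Java HotSpot(TM) 64-Bit Server VM:

"Signal Dispatcher" daemon prio=10 tid=0x01 nid=0x11 runnable [0x00]
   java.lang.Thread.State: RUNNABLE

"main" prio=10 tid=0x02 nid=0x12 runnable [0x7f00]
   java.lang.Thread.State: RUNNABLE
    at com.example.Parser.readEntry(Parser.java:42)
    at com.example.Loader.load(Loader.java:17)

"VM Thread" prio=10 tid=0x03 nid=0x13 runnable
EOF
}
```

A `main` thread that shows the same frames in every dump, with those frames in the code that reads `crlFile`, would point at the bundle load rather than at a later startup step.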