On Nov 26, 2012, at 3:35 PM, Will Nordmeyer wrote:

> I have a new tomcat6.0.34 setup I'm configuring on my CentOS 6.3 (64
> bit). I've downloaded a series of CRLs for the certificate authorities
> I am using, converted them from DER to PEM with openssl:
> 
> openssl crl -inform DER -outform PEM -in f1.der -out f1.pem_crl
> openssl crl -inform DER -outform PEM -in f2.der -out f2.pem_crl
> 
> I then build a crl bundle with all the pem_crls (ends up with a 283 MB crl):
> 
> cat *.pem_crl > CRL-bundle.crl
> 
> Finally, I move it to /etc/ssl/certs
> 
> mv CRL-bundle.crl /etc/ssl/certs
> 
> I configure my connector as follows:
> 
> <Connector port="8080" protocol="HTTP/1.1"
>           SSLEnabled="true"
>           maxHttpHeaderSize="8192"
>           maxThreads="150"
>           minSpareThreads="25"
>           maxSpareThreads="75"
>           enableLookups="false"
>           acceptCount="100"
>           disableUploadTimeout="true"
>           compression="on"
>           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
>           connectionTimeout="20000"
>           secure="true"
>           keystorePass="mykeystorepass"
>           truststoreFile="/etc/ssl/certs/my.truststore"
>           truststorePass="mytruststorepass"
>           clientAuth="true"
>           sslProtocol="TLS"
>           crlFile="/etc/ssl/certs/CRL-bundle.crl"
>           redirectPort="8443" />
> 
> When I try to start tomcat6 like that, only one entry appears in my 
> catalina.out
> 
> Nov 20, 2012 8:58:29 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path:
> /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

If Tomcat appears to be hanging with this option enabled, I would suggest 
taking a thread dump and including it here.  Could provide some clues as to 
what is happening.

http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F

Dan


> 
> If I remove the crlFile reference in the server.xml, everything works
> fine (except crl lookups of course). The system starts up, the app is
> accessible, it prompts for the certificate...
> 
> Any thoughts on why it would be failing like that would be appreciated.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
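
Added example, not part of the original thread: a framing check for a bundle built with the `cat *.pem_crl` step quoted above, reporting per-CRL DER sizes and flagging blocks that `cat` glued together or that were truncated. It assumes the `X509 CRL` PEM label that `openssl crl -outform PEM` writes; the sample bytes are a constructed 5-byte DER stub, not a real CRL, and signatures and contents are not inspected.

```python
import base64

BEGIN = "-----BEGIN X509 CRL-----"
END = "-----END X509 CRL-----"

def der_total_length(der: bytes) -> int:
    """Full encoded size declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                     # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text: str):
    """Return (sizes, problems) for a concatenated PEM CRL bundle."""
    sizes, problems, body = [], [], None  # body is a list while inside a block
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {lineno}: BEGIN inside an open block")
            body = []
        elif line == END and body is None:
            problems.append(f"line {lineno}: END without BEGIN")
        elif line == END:
            try:
                der = base64.b64decode("".join(body), validate=True)
                if der_total_length(der) != len(der):
                    raise ValueError("declared DER length != decoded size")
                sizes.append(len(der))
            except ValueError as exc:     # binascii.Error is a ValueError
                problems.append(f"line {lineno}: {exc}")
            body = None
        elif BEGIN in line or END in line:
            problems.append(f"line {lineno}: marker glued to other text")
        elif body is not None:
            body.append(line)
    if body is not None:
        problems.append("end of file: block never closed")
    return sizes, problems

# Constructed sample input: a DER stub (SEQUENCE { INTEGER 5 }), not a real CRL.
_DER = bytes.fromhex("3003020105")
_PEM = f"{BEGIN}\n{base64.b64encode(_DER).decode()}\n{END}"
SAMPLE_GOOD = _PEM + "\n" + _PEM + "\n"
SAMPLE_GLUED = _PEM + _PEM + "\n"  # what cat emits if a file lacks a final newline
```

To check a real bundle, pass the file's text to `check_bundle()`; for a file of several hundred MB, expect it to need memory on the order of the file size.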

