On Wed, Nov 28, 2012 at 9:03 AM, Will Nordmeyer <quark...@gmail.com> wrote:
> On Wed, Nov 28, 2012 at 8:45 AM, Daniel Mikusa <dmik...@vmware.com> wrote:
>> On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote:
>>
>>> On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
>>>> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>>>>
>>>>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com>
>>>>> wrote:
>>>>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>>>>
>>>>> Does that give you a clear(er) picture? :)
>>>>
>>>> Definitely. A couple suggestions…
>>>>
>>>> 1.) You may want to take a look at
>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile"
>>>> and you can see how this is being configured and utilized.
>>>>
>>>> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>>>
>>>> 2.) Maybe try using Tomcat native and the APR connector. This would
>>>> offload SSL to openssl which may handle things more efficiently.
>>>>
>>>> Dan
>>>>
>>> OK - I enabled Tomcat native & the APR, but now it doesn't prompt me
>>> for the Client Certificate.
>>>
>>> The log file has:
>>>
>>> Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
>>> property 'clientAuth' to 'true' did not find a matching property.
>>
>> clientAuth only works for the BIO / NIO connectors. I think you want
>> "SSLVerifyClient" with the APR connector.
>>
>> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>>
>> Dan
>>
> OK... thanks. That was purely me and literacy this morning. I looked
> RIGHT at that line and decided, nope... must not apply to me. I
> changed everything ELSE.

I've got the tomcat-native & APR configured, but when I add the SSL
Certificate Revocation options, it prompts me for my cert and then gives
a "page cannot be displayed".

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https"
               maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75" enableLookups="false" acceptCount="100"
               disableUploadTimeout="true" compression="on"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
               connectionTimeout="20000" secure="true"
               SSLCertificateFile="/etc/ssl/certs/mycert01.crt"
               SSLCertificateKeyFile="/etc/ssl/certs/mykey01.pem"
               SSLPassword="dmapsdev"
               SSLCACertificateFile="/etc/ssl/certs/root-certs.pem"
               SSLVerifyClient="require"
               SSLCARevocationFile="/etc/ssl/certs/CRL-bundle.crl"
               sslProtocol="TLS" />

Without the SSLCARevocationFile, it prompts for my certificate, gets the
PIN and goes to the app.

How can I test/trace the Revocation File issues? The CRL-bundle.crl file
has 39 different X509 formatted CRLs, totaling 271 MB of data.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
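Editor's note, with an added example that is not code from this thread, from Tomcat or from tomcat-native. The APR connector hands SSLCACertificateFile and SSLCARevocationFile to OpenSSL, so the bundle can be exercised with the openssl command line before blaming the connector. Two OpenSSL behaviours are worth checking first: in "check all" mode every CA in the chain must have a CRL in the bundle, and a CA without one fails the chain with "unable to get certificate CRL"; and a CRL whose nextUpdate has passed fails with "CRL has expired" even if it is otherwise fine. (Separately, `sslProtocol` is the JSSE connector's attribute name; the APR connector's is `SSLProtocol`.) The script below assumes only the openssl CLI; it generates a throwaway test CA, client certificate and CRL, and all file names are hypothetical. It splits a PEM bundle into single CRLs, reports each CRL's issuer, validity window, revoked count and signature check, lists CAs in the trust file that have no CRL, and runs `openssl verify -crl_check_all` before and after a revocation.

```shell
#!/bin/sh
# Added example; not code from the original thread or from Tomcat. Exercises a
# PEM CRL bundle with the openssl CLI the way a CRL-checking verifier does.
# Assumes only the openssl command. Every key, certificate and CRL below is
# throwaway test data generated on the fly; all file names are hypothetical.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch dir; set WORK to keep the files

write_ca_config() {  # one config for "openssl req" (test CA) and "openssl ca" (CRL database)
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
  : > "$WORK/index.txt"; echo 1000 > "$WORK/serial"; echo 01 > "$WORK/crlnumber"
}

make_test_pki() {  # self-signed test root, one client cert signed by it, and an empty CRL
  write_ca_config
  openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=test-client" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/serial" -days 30 -sha256 -out "$WORK/client.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

revoke_client() {  # revoke the client cert and publish a fresh CRL
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Same check the TLS stack applies: chain to the CA file and require a valid
# CRL for every CA in the chain. $1 = CRL file or bundle. Exit status = verdict.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$1" -crl_check_all "$WORK/client.crt" >/dev/null 2>&1
}

# Split a PEM bundle into one file per object. $1 = bundle, $2 = PEM type
# ("X509 CRL" or "CERTIFICATE"), $3 = output dir. Prints how many were found.
split_pem() {
  mkdir -p "$3"
  awk -v type="$2" -v dir="$3" '
    $0 == "-----BEGIN " type "-----" { n++; f = sprintf("%s/%04d.pem", dir, n) }
    f != ""                           { print > f }
    $0 == "-----END " type "-----"    { close(f); f = "" }
    END                               { print n + 0 }' "$1"
}

# One line per split CRL: issuer, validity window, revoked count, and whether the
# signature checks against the CA file. $1 = dir of split CRLs, $2 = CA file.
crl_report() {
  for f in "$1"/*.pem; do
    issuer=$(openssl crl -in "$f" -noout -issuer | sed 's/^[^=]*=//')
    last=$(openssl crl -in "$f" -noout -lastupdate | sed 's/^[^=]*=//')
    next=$(openssl crl -in "$f" -noout -nextupdate | sed 's/^[^=]*=//')
    revoked=$(openssl crl -in "$f" -noout -text | grep -c 'Serial Number:' || true)
    if openssl crl -in "$f" -noout -CAfile "$2" >/dev/null 2>&1; then sig=ok; else sig=BAD; fi
    printf '%s | %s -> %s | %s revoked | signature %s\n' "$issuer" "$last" "$next" "$revoked" "$sig"
  done
}

# CAs in the trust file with no CRL in the bundle: under -crl_check_all such a CA
# fails every chain through it. $1 = CA bundle, $2 = dir of split CRLs.
cas_without_crl() {
  split_pem "$1" CERTIFICATE "$WORK/cas" >/dev/null
  issuers=$(for c in "$2"/*.pem; do
    if [ -f "$c" ]; then openssl crl -in "$c" -noout -issuer | sed 's/^[^=]*=//'; fi
  done)
  for c in "$WORK/cas"/*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^[^=]*=//')
    printf '%s\n' "$issuers" | grep -Fxq -- "$subj" || printf '%s\n' "$subj"
  done
}

make_test_pki
cp "$WORK/ca.crl" "$WORK/CRL-bundle.crl"   # stand-in for the poster's multi-CRL bundle
split_pem "$WORK/CRL-bundle.crl" "X509 CRL" "$WORK/crls" >/dev/null
crl_report "$WORK/crls" "$WORK/ca.crt"
echo "CAs with no CRL in the bundle: $(cas_without_crl "$WORK/ca.crt" "$WORK/crls")"
if verify_client "$WORK/CRL-bundle.crl"; then echo "client cert: accepted"; else echo "client cert: rejected"; fi
```

Against the real files the same functions apply unchanged: split the 39-CRL bundle, run the report against root-certs.pem and look for any "signature BAD" line, any nextUpdate in the past, and any CA printed by cas_without_crl; then verify the exported client certificate directly with `openssl verify -CAfile root-certs.pem -CRLfile CRL-bundle.crl -crl_check_all client.crt`, whose error text names the failing check instead of the browser's generic page.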