On Nov 28, 2012, at 11:56 AM, Will Nordmeyer wrote: > On Wed, Nov 28, 2012 at 9:03 AM, Will Nordmeyer <quark...@gmail.com> wrote: >> On Wed, Nov 28, 2012 at 8:45 AM, Daniel Mikusa <dmik...@vmware.com> wrote: >>> On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote: >>> >>>> On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com> wrote: >>>>> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote: >>>>> >>>>>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com> >>>>>> wrote: >>>>>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote: >>>>>>> > >>>>>> Does that give you a clear(er) picture? :) >>>>> >>>>> Definitely. A couple suggestions… >>>>> >>>>> 1.) You may want to take a look at >>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile" >>>>> and you can see how this is being configured and utilized. >>>>> >>>>> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java >>>>> >>>>> 2.) Maybe try using Tomcat native and the APR connector. This would >>>>> offload SSL to openssl which may handle things more efficiently. >>>>> >>>>> Dan >>>>> >>>> OK - I enabled Tomcat native & the APR, but now it doesn't prompt me >>>> for the Client Certificate. >>>> >>>> The log file has: >>>> >>>> Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule >>>> begin >>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting >>>> property 'clientAuth' to 'true' did not find a matching property. >>> >>> clientAuth only works for the BIO / NIO connectors. I think you want >>> "SSLVerifyClient" with the APR connector. >>> >>> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native >>> >>> Dan >>> >> OK... thanks. That was purely me and literacy this morning. I looked >> RIGHT at that line and decided, nope...must not apply to me. I >> changed everything ELSE. > > I've got the tomcat-native & APR configured, but when I add the SSL > Certificate Revocation options, it prompts me for my cert and then > gives a page cannot be displayed.
You might want to try and capture some traces with Wireshark. This could give you some more insight into what is happening as the request is made. > > <Connector port="8443" > protocol="org.apache.coyote.http11.Http11AprProtocol" > SSLEnabled="true" > scheme="https" > maxHttpHeaderSize="8192" > maxThreads="150" > minSpareThreads="25" > maxSpareThreads="75" > enableLookups="false" > acceptCount="100" > disableUploadTimeout="true" > compression="on" > > compressableMimeType="text/html,text/xml,text/plain,text/css,text/ > > javascript,application/xml,application/x-javascript,application/javascript" > connectionTimeout="20000" > secure="true" > SSLCertificateFile="/etc/ssl/certs/mycert01.crt" > SSLCertificateKeyFile="/etc/ssl/certs/mykey01.pem" > SSLPassword="dmapsdev" > SSLCACertificateFile="/etc/ssl/certs/root-certs.pem" > SSLVerifyClient="require" > SSLCARevocationFile="/etc/ssl/certs/CRL-bundle.crl" > sslProtocol="TLS" /> > > Without the SSLCARevocationFile, it prompts for my certificate, gets > the PIN and goes to the app. > > How can I test/trace the Revocation File issues. The CRL-bundle.crl > file has 39 different X509 formatted CRLs, totaling 271 MB of data. Couple thoughts… 1.) Check that your certificates and CRL file are all valid and functioning properly. I'm not an expert with openssl, but I think "openssl verify" can be used to test this from the command line. 2.) Perhaps start with a smaller CRL file or create a set of testing certs that you can use to verify behavior. Dan > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
