On Wed, Nov 28, 2012 at 1:39 PM, André Warnier <a...@ice-sa.com> wrote:
> Daniel Mikusa wrote:
>>
>> On Nov 28, 2012, at 11:56 AM, Will Nordmeyer wrote:
>>
>>> On Wed, Nov 28, 2012 at 9:03 AM, Will Nordmeyer <quark...@gmail.com>
>>> wrote:
>>>>
>>>> On Wed, Nov 28, 2012 at 8:45 AM, Daniel Mikusa <dmik...@vmware.com>
>>>> wrote:
>>>>>
>>>>> On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote:
>>>>>
>>>>>> On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>>>>>>>
>>>>>>>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>>>>>>>
>>>>>>>> Does that give you a clear(er) picture?  :)
>>>>>>>
>>>>>>> Definitely.  A couple suggestions…
>>>>>>>
>>>>>>> 1.) You may want to take a look at
>>>>>>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.  Search for 
>>>>>>> "crlFile" and
>>>>>>> you can see how this is being configured and utilized.
>>>>>>>
>>>>>>>
>>>>>>> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>>>>>>
>>>>>>> 2.) Maybe try using Tomcat native and the APR connector.  This would
>>>>>>> offload SSL to openssl which may handle things more efficiently.
>>>>>>>
>>>>>>> Dan
>>>>>>>
>>>>>> OK - I enabled Tomcat native & the APR, but now it doesn't prompt me
>>>>>> for the Client Certificate.
>>>>>>
>>>>>> The log file has:
>>>>>>
>>>>>> Nov 28, 2012 8:10:36 AM
>>>>>> org.apache.catalina.startup.SetAllPropertiesRule begin
>>>>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
>>>>>> property 'clientAuth' to 'true' did not find a matching property.
>>>>>
>>>>> clientAuth only works for the BIO / NIO connectors.  I think you want
>>>>> "SSLVerifyClient" with the APR connector.
>>>>>
>>>>>
>>>>> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>>>>>
>>>>> Dan
>>>>>
>>>> OK... thanks.  That was purely me and literacy this morning.  I looked
>>>> RIGHT at that line and decided, nope...must not apply to me.  I
>>>> changed everything ELSE.
>>>
>>> I've got the tomcat-native & APR configured, but when I add the SSL
>>> Certificate Revocation options, it prompts me for my cert and then
>>> gives a page cannot be displayed.
>>
>>
>> You might want to try and capture some traces with Wireshark.  This could
>> give you some more insight into what is happening as the request is made.
>>
>
> You may also try with Firefox as a browser, with the HttpFox plugin.
> I just ran a quick test with a HTTPS website, and it seems to show a good
> portion of the SSL exchanges.  It will not be as telling, but is a lot
> easier to use than Wireshark.
>
> One problem with IE is the "friendly error messages" option, which hides the
> real server responses and displays some built-in page instead, which tells
> you nothing really about the problem.
>
I ran with Firefox & HttpFox - Just gets an NS_ERROR_NET_RESET.   The
catalina.out file shows nothing, I don't see any indication that the
server is doing anything with the revocation list when it gets my
certificate.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to