Will,

On 12/11/12 11:43 AM, Will Nordmeyer wrote:
> I have my Tomcat 6.0.34 installation configured to use APR and
> tcnative for certificate validation & CRL checking.
>
> I have a revoked CRL and when I use the openssl command line to
> check the certificate, it properly returns certificate revoked.

You mean a revoked cert, right? I don't think you can revoke a CRL.
(Would that un-revoke the certs in the list...?)

> When I try going in through tomcat, however, it prompts for a
> certificate to be selected and then once I select the revoked
> certificate, it lets me into the application.

Did you start the server, revoke the certificate, then attempt to use
it to gain access? Tomcat loads the CRL once at startup when using
JSSE, so I assume the same thing happens with the APR connector. If you
restart Tomcat with no other changes, is the connection blocked?

> ]# openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose
> -purpose sslclient TestThirtySeven_Revoked.pem
> TestThirtySeven_Revoked.pem: C = US, O = <ORG>, OU = OU1, OU = OU2,
> OU = OU3, CN = TESTThirtySeven.REVOKED.9000050001
> error 23 at 0 depth lookup:certificate revoked
>
> Connector info from Tomcat:
> <Connector port="8443"
>   protocol="org.apache.coyote.http11.Http11AprProtocol"
>   SSLEnabled="true" scheme="https" maxHttpHeaderSize="8192"
>   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>   enableLookups="false" acceptCount="100"
>   disableUploadTimeout="true" compression="on"
>   compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
>   connectionTimeout="20000"
>   secure="true" SSLCertificateFile="/etc/ssl/certs/servercrt01.crt"
>   SSLCertificateKeyFile="/etc/ssl/certs/serverkey.pem"
>   SSLPassword="password" SSLCACertificatePath="/etc/ssl/certs/"
>   SSLVerifyClient="require" SSLCARevocationPath="/etc/ssl/certs/"
>   sslProtocol="TLS" redirectPort="8443" />
>
> The log file shows nothing related to CRL.
>
> The /etc/ssl/certs directory has hash links to my CAs and CRLs.

You mean symlinks?

> Does it help if I hit the server with a baseball bat?

If I'm right (above), and the baseball bat causes a reboot without any
other damage, then it might actually help.

I don't believe Tomcat has any current mechanism for refreshing the
CRL. I think that's been requested once or twice... not sure if it's
actually in Bugzilla. If it's not, it should be: care to look and file
the enhancement request if necessary?

-chris
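The point Chris makes above is that the CRLs under SSLCARevocationPath are read once when Tomcat starts, so a CRL regenerated afterwards is not enforced until a restart. As an added illustration (not code from this thread or from Tomcat), the script below reads the on-disk CRL's validity dates with `openssl crl`, compares lastUpdate against the time Tomcat started, and also flags a CRL whose nextUpdate has passed; the CRL path and the PID-file path (whose mtime stands in for the JVM start time) are assumed command-line arguments.

```python
#!/usr/bin/env python3
"""Flag a CRL that a running Tomcat has not loaded (example, not Tomcat code).
Tomcat reads SSLCARevocationPath once at startup, so a CRL regenerated later
is not enforced until a restart; this compares the on-disk CRL's lastUpdate
(from `openssl crl`) with Tomcat's start time and checks nextUpdate too."""
import os
import subprocess
import sys
from datetime import datetime, timezone

# Date format printed by `openssl crl -lastupdate -nextupdate`
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"  # e.g. "Dec 11 16:43:00 2012 GMT"

def parse_crl_dates(openssl_output):
    """Turn the lastUpdate=/nextUpdate= lines into UTC datetimes."""
    dates = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE)
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if "lastUpdate" not in dates:
        raise ValueError("no lastUpdate line in openssl output")
    return dates["lastUpdate"], dates.get("nextUpdate")  # nextUpdate optional

def crl_status(last_update, next_update, tomcat_started, now):
    """'stale': CRL issued after Tomcat started, so the loaded copy is old;
    'expired': nextUpdate has passed; otherwise 'current'."""
    if last_update > tomcat_started:
        return "stale"
    if next_update is not None and next_update < now:
        return "expired"
    return "current"

def read_crl_dates(crl_path):
    """Run openssl on a PEM CRL file and parse its validity dates."""
    cmd = ["openssl", "crl", "-in", crl_path, "-noout",
           "-lastupdate", "-nextupdate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_crl_dates(out)

if __name__ == "__main__":
    # Assumed arguments: CRL file and Tomcat's PID file, whose mtime
    # approximates when the JVM (and its in-memory CRL copy) started.
    crl_file, pid_file = sys.argv[1], sys.argv[2]
    started = datetime.fromtimestamp(os.path.getmtime(pid_file), tz=timezone.utc)
    last, nxt = read_crl_dates(crl_file)
    print(crl_status(last, nxt, started, datetime.now(timezone.utc)))
```

A result of "stale" means the connector is still enforcing the previous CRL and needs the restart Chris describes; "expired" means even the on-disk CRL is past its nextUpdate and should be reissued before restarting.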