On Tue, Dec 11, 2012 at 2:25 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Will,
>
> On 12/11/12 11:43 AM, Will Nordmeyer wrote:
>> I have my Tomcat 6.0.34 installation configured to use APR and
>> tcnative for certificate validation & CRL checking.
>>
>> I have a revoked CRL and when I use the openssl command line to
>> check the certificate, it properly returns certificate revoked.
>
> You mean a revoked cert, right? I don't think you can revoke a CRL.
> (Would that un-revoke the certs in the list...?)
>
>> When I try going in through tomcat, however, it prompts for a
>> certificate to be selected and then once I select the revoked
>> certificate, it lets me into the application.
>
> Did you start the server, revoke the certificate, then attempt to use
> it to gain access? Tomcat loads the CRL once at startup when using
> JSSE, so I assume the same thing happens with the APR connector.
>
> If you restart Tomcat with no other changes, is the connection blocked?
>
>> ]# openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose -purpose sslclient TestThirtySeven_Revoked.pem
>> TestThirtySeven_Revoked.pem: C = US, O = <ORG>, OU = OU1, OU = OU2, OU = OU3, CN = TESTThirtySeven.REVOKED.9000050001
>> error 23 at 0 depth lookup:certificate revoked
>>
>> Connector info from Tomcat:
>>
>> <Connector port="8443"
>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            SSLEnabled="true" scheme="https" maxHttpHeaderSize="8192"
>>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>            enableLookups="false" acceptCount="100"
>>            disableUploadTimeout="true" compression="on"
>>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
>>            connectionTimeout="20000"
>>            secure="true" SSLCertificateFile="/etc/ssl/certs/servercrt01.crt"
>>            SSLCertificateKeyFile="/etc/ssl/certs/serverkey.pem"
>>            SSLPassword="password" SSLCACertificatePath="/etc/ssl/certs/"
>>            SSLVerifyClient="require" SSLCARevocationPath="/etc/ssl/certs/"
>>            sslProtocol="TLS" redirectPort="8443" />
>>
>> The log file shows nothing related to CRL.
>>
>> The /etc/ssl/certs directory has hash links to my CAs and CRLs.
>
> You mean symlinks?
>
>> Does it help if I hit the server with a baseball bat?
>
> If I'm right (above), and the baseball bat causes a reboot without any
> other damage, then it might actually help.
>
> I don't believe Tomcat has any current mechanism for refreshing the
> CRL. I think that's been requested once or twice... not sure if it's
> actually in Bugzilla. If it's not, it should be: care to look and file
> the enhancement request if necessary?
>

OK... hit me with the baseball bat - I forgot to restart tomcat. I've read those steps repeatedly and forgot when it was important.
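Added example (not code from the thread, nor from the Tomcat or OpenSSL projects) that reproduces the check Will ran with a throwaway CA built on the fly: the same hashed directory layout (`<hash>.0` for the CA, `<hash>.r0` for its CRL) and the same `openssl verify -crl_check_all` command, run once against a CRL generated before the client cert was revoked and once against the CRL generated after it. It assumes only an installed openssl CLI (1.1.1 or newer); the organisation and subject names and the two shell functions are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): build a throwaway CA, issue a
# client cert, and put the CA into a hashed directory like the one -CApath and
# Tomcat's SSLCACertificatePath / SSLCARevocationPath read. Then run the
# poster's "openssl verify -crl_check_all" check against a CRL issued before
# the cert was revoked and against the CRL issued afterwards.
# Assumes the openssl CLI (1.1.1 or newer); every name below is constructed.
set -eu
# Runs the verify check in the current dir; prints "accepted" or "revoked"
verify_client() {
  out=$(openssl verify -CApath certs -crl_check_all -purpose sslclient \
        client.crt 2>&1) && { echo accepted; return; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo "$out" ;; esac
}

# Prints two words: the result with the stale CRL, then with the fresh CRL
crl_check_demo() {
  work=$(mktemp -d); cd "$work"; mkdir certs; : > index.txt
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.crt -days 30 -subj "/C=US/O=ExampleOrg/CN=Example Test CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj "/C=US/O=ExampleOrg/CN=Test.REVOKED" >/dev/null 2>&1
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 30 >/dev/null 2>&1
  # <subject-hash>.0 for the CA and <issuer-hash>.r0 for its CRL: the names
  # c_rehash / "openssl rehash" would produce (the "hash links" in the thread)
  h=$(openssl x509 -noout -hash -in ca.crt)
  ln -s ../ca.crt "certs/$h.0"
  openssl ca -config ca.cnf -gencrl -out "certs/$h.r0" >/dev/null 2>&1
  stale=$(verify_client)                       # cert is not on this CRL yet
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out "certs/$h.r0" >/dev/null 2>&1
  echo "$stale $(verify_client)"               # expected: accepted revoked
}
crl_check_demo
```

Each `openssl verify` is a fresh process that reads whatever CRL is in the directory at that moment, whereas Tomcat, per Christopher's note above, reads it once at startup, which is why the revocation only takes effect after a restart.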