Will,

On 12/11/12 2:53 PM, Will Nordmeyer wrote:
> On Tue, Dec 11, 2012 at 2:25 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> Will,
>>
>> On 12/11/12 11:43 AM, Will Nordmeyer wrote:
>>> I have my Tomcat 6.0.34 installation configured to use APR and
>>> tcnative for certificate validation & CRL checking.
>>>
>>> I have a revoked CRL and when I use the openssl command line
>>> to check the certificate, it properly returns certificate
>>> revoked.
>>
>> You mean a revoked cert, right? I don't think you can revoke a
>> CRL. (Would that un-revoke the certs in the list...?)
>>
>>> When I try going in through tomcat, however, it prompts for a
>>> certificate to be selected and then once I select the revoked
>>> certificate, it lets me into the application.
>>
>> Did you start the server, revoke the certificate, then attempt to
>> use it to gain access? Tomcat loads the CRL once at startup when
>> using JSSE, so I assume the same thing happens with the APR
>> connector.
>>
>> If you restart Tomcat with no other changes, is the connection
>> blocked?
>>
>>> ]# openssl verify -CApath /etc/ssl/certs -crl_check_all \
>>>     -verbose -purpose sslclient TestThirtySeven_Revoked.pem
>>> TestThirtySeven_Revoked.pem: C = US, O = <ORG>, OU = OU1, OU = OU2, OU = OU3,
>>> CN = TESTThirtySeven.REVOKED.9000050001
>>> error 23 at 0 depth lookup:certificate revoked
>>>
>>> Connector info from Tomcat:
>>>
>>> <Connector port="8443"
>>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>     SSLEnabled="true" scheme="https" maxHttpHeaderSize="8192"
>>>     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>>     enableLookups="false" acceptCount="100"
>>>     disableUploadTimeout="true" compression="on"
>>>     compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
>>>     connectionTimeout="20000"
>>>     secure="true"
>>>     SSLCertificateFile="/etc/ssl/certs/servercrt01.crt"
>>>     SSLCertificateKeyFile="/etc/ssl/certs/serverkey.pem"
>>>     SSLPassword="password"
>>>     SSLCACertificatePath="/etc/ssl/certs/"
>>>     SSLVerifyClient="require"
>>>     SSLCARevocationPath="/etc/ssl/certs/"
>>>     sslProtocol="TLS"
>>>     redirectPort="8443" />
>>>
>>> The log file shows nothing related to CRL.
>>>
>>> The /etc/ssl/certs directory has hash links to my CAs and
>>> CRLs.
>>
>> You mean symlinks?
>>
>>> Does it help if I hit the server with a baseball bat?
>>
>> If I'm right (above), and the baseball bat causes a reboot
>> without any other damage, then it might actually help.
>>
>> I don't believe Tomcat has any current mechanism for refreshing
>> the CRL. I think that's been requested once or twice... not sure
>> if it's actually in Bugzilla. If it's not, it should be: care to
>> look and file the enhancement request if necessary?
>>
> OK... hit me with the baseball bat - I forgot to restart tomcat.
> I've read those steps repeatedly and forgot when it was important.

It's probably still worth filing such an enhancement request.
Bouncing the whole app server just to re-read the CRL is a bit heavy-handed.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
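The situation in the thread, reproduced end to end as an added example (this is not code from the thread or from the Tomcat project): a throw-away CA issues one client certificate, the CA certificate and CRL are published in the hashed-directory layout that `-CApath` / `-crl_check_all` read (the same `<hash>.0` / `<hash>.r0` links Will describes in /etc/ssl/certs), and `openssl verify -purpose sslclient` is run once before and once after the CRL on disk is regenerated with the certificate revoked. The CLI re-reads the directory on every run and flips from OK to "certificate revoked"; a server that loaded the CRL once at startup keeps the old answer until it is restarted. The CA name, file names, serials and the minimal `openssl ca` configuration are all constructed for the demo; it needs only an `openssl` binary.

```shell
#!/bin/sh
# Added example: show how a CRL published into an OpenSSL hashed directory
# is picked up by the openssl CLI. All names, paths and the CA config are
# constructed for this demo. Runs in a temporary directory and cleans up.

crl_demo() (
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    work=$(mktemp -d) || return 2
    cd "$work" || return 2

    # Minimal 'openssl ca' configuration; database, serial and CRL number
    # live next to the keys in $work.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
    : > index.txt
    echo 1000 > serial
    echo 1000 > crlnumber

    # Self-signed CA, then one client certificate issued through 'openssl ca'
    # so the CA database knows it and can revoke it later.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout client.key -out client.csr >/dev/null 2>&1 || return 1
    openssl ca -config ca.cnf -batch -notext -in client.csr -out client.crt \
        >/dev/null 2>&1 || return 1

    # Hashed directory: <subject-hash>.0 -> CA cert, <issuer-hash>.r0 -> CRL.
    # This is the layout -CApath expects (and the "hash links" in the thread).
    mkdir certs
    cp ca.crt certs/
    ln -s ca.crt "certs/$(openssl x509 -noout -hash -in ca.crt).0"

    # Regenerate the CRL from the CA database and (re)publish it. The .r0 link
    # never changes: the issuer name, and so its hash, is the same every time;
    # only the file behind the link changes.
    publish_crl() {
        openssl ca -config ca.cnf -gencrl -out certs/ca.crl >/dev/null 2>&1 || return 1
        link="certs/$(openssl crl -noout -hash -in certs/ca.crl).r0"
        [ -e "$link" ] || ln -s ca.crl "$link"
    }

    # Same verification the thread runs; reduce the result to OK / REVOKED.
    check_client() {
        out=$(openssl verify -CApath certs -crl_check_all -purpose sslclient client.crt 2>&1)
        case "$out" in
            *"certificate revoked"*) echo REVOKED ;;
            *": OK"*)                echo OK ;;
            *)                       echo "ERROR($out)" ;;
        esac
    }

    publish_crl || return 1
    before=$(check_client)          # CRL exists but lists nothing

    openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1 || return 1
    publish_crl || return 1         # CRL on disk now lists the client cert
    after=$(check_client)

    echo "before=$before after=$after"
    cd / && rm -rf "$work"
)

crl_demo
```

Running it prints `before=OK after=REVOKED`. The second verification succeeds only because the CLI re-reads `certs/` on every invocation; a process that called the equivalent lookup once at startup (as the thread says Tomcat does for its CRL) would still report OK after the revoke, which is exactly why the restart was needed.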