On 10/07/2013 12:25, Jan Vávra wrote:
> Hi all.
> I've studied the documentation at
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support and
> I have several questions on it.
>
> 1. While the APR/Native has the config option SSLCACertificateFile that
> defines the set of allowed client cert authorities, the JSSE SSL has no
> analogous option. Is the set of allowed client cert authorities defined
> implicitly by the Java cacerts file located in
> $JAVA_HOME/lib/security/cacerts?

Yes.

> 2. It seems to me that checking of revocation of client certificates is done
> via "static" CRL files located in APR's SSLCARevocationPath or JSSE's
> crlFile. If I write a cron task that periodically downloads CRL list(s),
> will Tomcat react to this change of CRL file(s)? I've found in the
> org.apache.httpd.dev mail list a 5-year-old mail saying that the Apache
> Server is not doing it. http://markmail.org/message/nrhnyd6dppl25uxj

My reading of the source code is that the CRLs are read once when the
server socket is created. Updates will be ignored.

> 3. And in general, what is better to use, APR or JSSE? My opinion is: if
> Tomcat does not serve a web portal, JSSE is good enough, although I
> can use only one CRL file for client cert checking. In the case of APR I
> must compile native libs on Linux, so it is more complicated but more
> powerful ...

'better' is subjective. The right answer depends on your requirements.

Mark
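For readers following the thread, here are the two server.xml Connector shapes the questions refer to, written out side by side. This is an added illustration, not configuration from the original thread or from the Tomcat project; the file paths, passwords and port are placeholders I have assumed. The JSSE connector makes the trust store explicit instead of relying on the implicit $JAVA_HOME/lib/security/cacerts (question 1), and both connectors are annotated with the point Mark makes about CRLs being loaded once at socket creation (question 2).

```xml
<!-- JSSE (pure Java) HTTPS connector, Tomcat 7 attribute names.
     Client-cert authorities come from truststoreFile; if you omit it, the
     JVM's default trust store ($JAVA_HOME/lib/security/cacerts) is used,
     which usually contains far more public CAs than you want to accept
     client certificates from. Paths and passwords below are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="/etc/tomcat/server-keystore.jks"
           keystorePass="changeit-assumed"
           clientAuth="true"
           truststoreFile="/etc/tomcat/client-ca-truststore.jks"
           truststorePass="changeit-assumed"
           truststoreType="JKS"
           crlFile="/etc/tomcat/client-ca.crl" />
<!-- crlFile points at a single PEM/DER CRL. It is read when the server
     socket is created; overwriting the file from cron does not refresh
     the loaded CRL, so the connector (in practice, Tomcat) has to be
     restarted after each download for the new CRL to take effect. -->

<!-- APR/native HTTPS connector (OpenSSL under the hood).
     SSLCACertificateFile is the explicit set of accepted client-cert
     authorities; SSLCARevocationFile (one CRL) or SSLCARevocationPath
     (a directory of CRLs, which OpenSSL expects in hashed-filename form,
     e.g. produced by c_rehash) supply revocation data. Same caveat: the
     CRLs are loaded once at startup, not re-read on file change. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/etc/tomcat/server-cert.pem"
           SSLCertificateKeyFile="/etc/tomcat/server-key.pem"
           SSLVerifyClient="require"
           SSLVerifyDepth="2"
           SSLCACertificateFile="/etc/tomcat/client-ca-chain.pem"
           SSLCARevocationPath="/etc/tomcat/crls" />
```

If a cron job is used to refresh the CRLs, the practical consequence of the answer above is that the job must also trigger a Tomcat restart (or the CRLs will silently stay at the version loaded at startup); checking the new file with `openssl crl -in <file> -noout -nextupdate` before restarting avoids loading a truncated or expired download.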