2. It seems to me that checking of revocation of client certificates is
done via "static" CRL files located in APR's SSLCARevocationPath or JSSE's
crlFile. If I write a cron task that periodically downloads the CRL list(s),
will Tomcat react to this change of CRL file(s)? I've found in the
org.apache.httpd.dev mailing list a 5-year-old mail saying that the Apache
Server is not doing it. http://markmail.org/message/nrhnyd6dppl25uxj

My reading of the source code is that the CRLs are read once when the
server socket is created. Updates will be ignored.

Did you also read the JSSE source code, and does it behave the same as
APR (mod_ssl)?

3. And in general, which is better to use, APR or JSSE? My opinion is: if
Tomcat is not serving a web portal, JSSE is good enough, although I
can use only one CRL file for client cert checking. In the case of APR I
must compile native libs on Linux, so it is more complicated but more
powerful ...

'better' is subjective. The right answer depends on your requirements.

Is there an article that gives more info on it? I'd like to have some
pros and cons. For now I'm a bit too lazy to compile APR.
Jan