Mark,

On 7/10/13 7:39 AM, Mark Thomas wrote:
> On 10/07/2013 12:25, Jan Vávra wrote:
>> Hi all. I've studied the documentation at
>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>> and I have several questions on it.
>>
>> 1. While the APR/Native has the config option SSLCACertificateFile
>> that defines the set of allowed client cert authorities, the JSSE
>> SSL has no analogous option. Is the set of allowed client cert
>> authorities defined implicitly by the Java cacerts file located
>> in $JAVA_HOME/lib/security/cacerts ?
>
> Yes.
>
>> 2. It seems to me that checking of revocation of client certificates
>> is done via "static" CRL files located in APR's
>> SSLCARevocationPath or JSSE's crlFile. If I write a cron task
>> that periodically downloads CRL list(s), will Tomcat react to
>> this change of CRL file(s)? I've found in the org.apache.httpd.dev
>> mailing list a 5-year-old mail saying that the Apache Server is not
>> doing it. http://markmail.org/message/nrhnyd6dppl25uxj
>
> My reading of the source code is that the CRLs are read once when
> the server socket is created. Updates will be ignored.

We should be thinking about a sane way to allow updates for all our
connector types. I believe that CRLs are only loaded once no matter
what kind of connector is being used.

For all SSL connectors, does the connector have to be completely
torn-down and re-created in order to change the CRL? Or could the
Connector object stay up and "reload" itself? I think in either case, a
small service interruption would be required between the teardown of
the socket and the subsequent bind, since I'm fairly sure you can't
reconfigure the SSLServerSocket on the fly.

I don't see any existing "re-init" method in any of the Connector
classes... could such a thing be added, and maybe exposed via JMX?

>> 3. And in general, what is better to use, APR or JSSE? My opinion
>> is: if Tomcat does not serve a web portal, JSSE is good enough,
>> although I can use only one CRL file for client cert checking. In
>> the case of APR I must compile native libs on Linux, so it is more
>> complicated but more powerful ...
>
> 'better' is subjective. The right answer depends on your
> requirements.

APR SSL is measurably faster than JSSE SSL (or was, at least the last
time I compared the two).

Compiling tcnative on Linux is trivial: two commands to build, one
command to copy libraries into place (as long as you have the required
packages/libraries installed, like 'httpd-devel' on many distros).

-chris
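The thread's point is that a JSSE connector reads its CRL once when the trust manager is built, so a CRL refreshed by cron is never seen. The following is an added illustration, not Tomcat's code and not something the connector offers: it builds a PKIX client-certificate trust manager from a trust store plus a CRL file at the plain JSSE API level, and wraps it so the PKIX trust manager is rebuilt whenever the CRL file's modification time changes, without touching the server socket. The trust-store path, password and CRL path in `main` are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Tomcat code): a client-cert trust manager whose PKIX
 * delegate is rebuilt when the CRL file on disk changes. Each rebuild is the
 * same one-time load a connector does at socket creation; here it is repeated
 * on demand, so a cron-refreshed CRL takes effect on the next handshake.
 */
public final class ReloadingCrlTrustManager implements X509TrustManager {

    private final KeyStore trustStore;   // CA certs, e.g. $JAVA_HOME/lib/security/cacerts
    private final Path crlFile;          // the file a cron job keeps refreshing
    private volatile X509TrustManager delegate;
    private volatile long loadedMtime = -1L;

    public ReloadingCrlTrustManager(KeyStore trustStore, Path crlFile)
            throws GeneralSecurityException, IOException {
        this.trustStore = trustStore;
        this.crlFile = crlFile;
        reloadIfChanged();
    }

    /** Re-reads the CRL and rebuilds the PKIX trust manager only if the file's mtime changed. */
    private synchronized void reloadIfChanged() throws GeneralSecurityException, IOException {
        long mtime = Files.getLastModifiedTime(crlFile).toMillis();
        if (delegate != null && mtime == loadedMtime) {
            return;
        }
        X509CRL crl;
        try (FileInputStream in = new FileInputStream(crlFile.toFile())) {
            crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
        // Trust anchors come from the trust store; revocation data comes only from this CRL.
        // With revocation enabled, a client cert from a CA not covered by the CRL fails
        // validation (undetermined revocation status), which matches the "one CRL file" limit.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));
        params.setRevocationEnabled(true);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                loadedMtime = mtime;
                return;
            }
        }
        throw new GeneralSecurityException("PKIX factory returned no X509TrustManager");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            reloadIfChanged();
        } catch (GeneralSecurityException | IOException e) {
            // Fail closed: an unreadable or corrupt CRL must not let clients through.
            throw new CertificateException("CRL reload failed: " + crlFile, e);
        }
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Usage sketch with placeholder paths; "changeit" is the stock cacerts password. */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream("/path/to/jre/lib/security/cacerts")) {
            ks.load(in, "changeit".toCharArray());
        }
        TrustManager tm = new ReloadingCrlTrustManager(ks, Paths.get("/path/to/client-ca.crl"));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null /* server KeyManagers go here */, new TrustManager[] { tm }, null);
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

The mtime check runs on every client handshake, which is cheap; the expensive PKIX rebuild only happens when the file actually changed. Note that a partially written CRL (cron mid-download) will fail to parse and, by design, reject clients until the next complete file lands, so the cron job should write to a temp file and rename it into place.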