Mark,

On 7/11/13 2:04 PM, Christopher Schultz wrote:
> Mark,
>
> On 7/10/13 7:39 AM, Mark Thomas wrote:
>> On 10/07/2013 12:25, Jan Vávra wrote:
>>> Hi all. I've studied the documentation at
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>>
>>> and I have several questions on it.
>>>
>>> 1. While the APR/Native has the config option SSLCACertificateFile
>>> that defines the set of allowed client cert authorities, the
>>> JSSE SSL has no analogous option. Is the set of allowed client
>>> cert authorities defined implicitly by the Java cacerts file
>>> located in $JAVA_HOME/lib/security/cacerts?
>
>> Yes.
>
>>> 2. It seems to me that checking of revocation of a client
>>> certificate is done via "static" CRL files located in APR's
>>> SSLCARevocationPath or JSSE's crlFile. If I write a cron task
>>> that periodically downloads CRL list(s), will Tomcat react
>>> to this change of the CRL file(s)? I've found on the
>>> org.apache.httpd.dev mailing list a 5-year-old mail saying that
>>> the Apache Server is not doing it.
>>> http://markmail.org/message/nrhnyd6dppl25uxj
>
>> My reading of the source code is that the CRLs are read once
>> when the server socket is created. Updates will be ignored.
>
> We should be thinking about a sane way to allow updates for all
> our connector types. I believe that CRLs are only loaded once no
> matter what kind of connector is being used.
>
> For all SSL connectors, does the connector have to be completely
> torn down and re-created in order to change the CRL? Or could the
> Connector object stay up and "reload" itself?
>
> I think in either case, a small service interruption would be
> required between the teardown of the socket and the subsequent
> bind, since I'm fairly sure you can't reconfigure the
> SSLServerSocket on the fly.

I take that back: I'll bet you can just change the behavior of the
TrustManager mid-flight. So the only question is whether APR supports
such a thing or not.

-chris
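As an added example of the approach Chris floats above (changing the TrustManager's behavior "mid-flight" on the JSSE side), and not code from this thread or from Tomcat itself: a delegating javax.net.ssl.X509TrustManager that rebuilds a standard PKIX trust manager, with revocation checking against the on-disk CRL file, whenever that file's modification time changes. The SSLContext keeps its reference to the wrapper, so the socket does not need to be re-created; only the delegate inside is swapped. The class and method names (ReloadingCrlTrustManager, buildDelegate, reloadIfChanged) are mine, the trust store is assumed to be an already-loaded KeyStore of client-cert CAs, and the CRL file is assumed to be in a format CertificateFactory.generateCRLs accepts (PEM or DER). Wiring it into a connector is not shown; Tomcat's trustManagerClassName attribute expects a zero-argument constructor, so a small adapter that reads the two paths from configuration would be needed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Illustrative (not Tomcat's) X509TrustManager that re-reads its CRL file when
 * it changes on disk. Callers hold a reference to this wrapper; the PKIX
 * delegate behind it is replaced atomically via a volatile field.
 */
public final class ReloadingCrlTrustManager implements X509TrustManager {

    private final KeyStore trustStore;   // assumed: CAs allowed to issue client certs
    private final Path crlFile;          // assumed: the file a cron job overwrites
    private volatile X509TrustManager delegate;
    private volatile long loadedMtime = -1;

    public ReloadingCrlTrustManager(KeyStore trustStore, Path crlFile)
            throws GeneralSecurityException, IOException {
        this.trustStore = trustStore;
        this.crlFile = crlFile;
        reloadIfChanged();   // fail fast if the initial CRL cannot be loaded
    }

    /** Build a fresh PKIX trust manager with revocation checked against crlFile. */
    private static X509TrustManager buildDelegate(KeyStore trustStore, Path crlFile)
            throws GeneralSecurityException, IOException {
        Collection<? extends CRL> crls;
        try (InputStream in = Files.newInputStream(crlFile)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("PKIX factory returned no X509TrustManager");
    }

    /** Swap in a new delegate if the file's mtime moved; one stat() per handshake. */
    private void reloadIfChanged() throws GeneralSecurityException, IOException {
        long mtime = Files.getLastModifiedTime(crlFile).toMillis();
        if (mtime == loadedMtime && delegate != null) {
            return;
        }
        synchronized (this) {
            if (mtime == loadedMtime && delegate != null) {
                return;   // another thread already reloaded this version
            }
            delegate = buildDelegate(trustStore, crlFile);   // parse before publish
            loadedMtime = mtime;
        }
    }

    private X509TrustManager current() throws CertificateException {
        try {
            reloadIfChanged();
        } catch (GeneralSecurityException | IOException e) {
            if (delegate == null) {
                throw new CertificateException("cannot load CRL " + crlFile, e);
            }
            // A half-written or corrupt CRL keeps the last good delegate in force.
        }
        return delegate;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        current().checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509TrustManager d = delegate;
        return d == null ? new X509Certificate[0] : d.getAcceptedIssuers();
    }
}
```

Two points worth checking before relying on something like this: the PKIX validator with setRevocationEnabled(true) and only a Collection CertStore fails the handshake when it cannot find a CRL for the issuer, so a missing or unparsable CRL rejects clients rather than silently accepting revoked ones (the safe direction); and because the reload is keyed on mtime, the cron job should write the new CRL to a temporary file and rename it into place so the trust manager never reads a partially written file. This only covers the JSSE connector; whether the APR/OpenSSL side can do the same is the open question Chris raises.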