Re: Certificate Revocation Lists in Tomcat 5.5
I've gotten it to work!! (Well, mostly :) )

The last problem that I was having (below) is that the parameter in the server.xml file should have been crlFile rather than crlFiles (with an 's'). Now, when I point to a CRL file in the server.xml file and then try to access the site with a revoked cert, I am refused. So, Tomcat 5.5.12 does support CRLs, but it takes some extra work.

Now, one last question that maybe someone can answer... As you may have guessed by the error I made above (adding the 's' to crlFile), I want to be able to point to multiple CRL files. Ideally, point to a directory which contains multiple CRL files. I don't see any way to do this. Does anyone know of a way? If I can get this last part, I will be golden.

Thanks again everyone for your help.

-Kennedy

- Original Message -
From: "Kennedy Roberts" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Thursday, December 01, 2005 2:18 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5

> Ok, hopefully I am getting close:
>
> I have recompiled the tomcat-util.jar using the 1.5 JDK. I have looked at the contents of the jar and it does now include the JSSE15Factory and JSSE15SocketFactory classes. The version of the tomcat-util.jar that came with Tomcat 5.5.12 did not even have these files in it. So, I take that to mean that the recompilation was a success.
>
> I placed this jar in the {tomcat.home}/server/lib directory and restarted Tomcat AND my webapp. I've also added the following to my {tomcat.home}/conf/server.xml file:
>
> crlFiles="C:\crl.txt"
>
> This crl.txt is a CRL which I have confirmed (using OpenSSL) contains one of my user certificates.
>
> ...and it's still not working. I put a System.out.println() statement in the JSSE15SocketFactory to see if it is getting called, but I'm not seeing this statement in the log, as if this class isn't getting called. Any ideas?
>
> I think I'm close to getting this working, and looking through the archives, a definitive solution to this problem would help a bunch of people out!
>
> Thanks,
> Kennedy
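Kennedy's directory question gets no answer on the page: the stock crlFile attribute names a single file. As an added example (my code, not Tomcat's), this standalone Java program shows the JDK 1.5 PKIX trust-manager mechanism that JSSE revocation checking rests on, extended to load every CRL found in a directory; the file-name glob, the "RSA" auth type and a JKS truststore are assumptions, and the java.nio.file calls need Java 7 or later.

```java
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: CRL checking against a directory of CRL files instead of a single crlFile. */
public class CrlDirectoryCheck {

    /** Parse every *.crl, *.pem or *.txt file in dir (assumed naming); DER and PEM both parse. */
    static List<X509CRL> loadCrls(Path dir) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir, "*.{crl,pem,txt}")) {
            for (Path f : files) {
                try (InputStream in = Files.newInputStream(f)) {
                    for (CRL crl : cf.generateCRLs(in)) {
                        crls.add((X509CRL) crl);
                    }
                }
            }
        }
        return crls;
    }

    /** PKIX trust manager over trustStore that consults crls, with revocation checking switched on. */
    static X509TrustManager buildTrustManager(KeyStore trustStore, List<X509CRL> crls) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        params.setRevocationEnabled(true); // without this the CRLs are loaded but never consulted
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX factory produced no X509TrustManager");
    }

    /** True if the chain is trusted and no certificate in it is revoked; the reason is printed on rejection. */
    static boolean isAccepted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            // authType is the key exchange algorithm JSSE would report; "RSA" is assumed here
            tm.checkClientTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: CrlDirectoryCheck truststore.jks password /path/to/crl-dir client-cert.pem
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            trustStore.load(in, args[1].toCharArray());
        }
        List<X509CRL> crls = loadCrls(Paths.get(args[2]));
        System.out.println("loaded " + crls.size() + " CRL(s)");

        // A server would pass the whole chain it received; a lone leaf only builds a
        // path if its issuer is itself a trust anchor in the truststore.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (InputStream in = Files.newInputStream(Paths.get(args[3]))) {
            client = (X509Certificate) cf.generateCertificate(in);
        }
        X509TrustManager tm = buildTrustManager(trustStore, crls);
        boolean ok = isAccepted(tm, new X509Certificate[] { client });
        System.out.println(client.getSubjectX500Principal() + (ok ? " ACCEPTED" : " REJECTED"));
    }
}
```

PKIX with revocation enabled fails closed: a certificate whose issuer has no current (unexpired) CRL in the collection is rejected, so a stale CRL file locks out every client of that CA, not just the revoked ones.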
Re: Certificate Revocation Lists in Tomcat 5.5
Ok, hopefully I am getting close:

I have recompiled the tomcat-util.jar using the 1.5 JDK. I have looked at the contents of the jar and it does now include the JSSE15Factory and JSSE15SocketFactory classes. The version of the tomcat-util.jar that came with Tomcat 5.5.12 did not even have these files in it. So, I take that to mean that the recompilation was a success.

I placed this jar in the {tomcat.home}/server/lib directory and restarted Tomcat AND my webapp. I've also added the following to my {tomcat.home}/conf/server.xml file:

crlFiles="C:\crl.txt"

This crl.txt is a CRL which I have confirmed (using OpenSSL) contains one of my user certificates.

...and it's still not working. I put a System.out.println() statement in the JSSE15SocketFactory to see if it is getting called, but I'm not seeing this statement in the log, as if this class isn't getting called. Any ideas?

I think I'm close to getting this working, and looking through the archives, a definitive solution to this problem would help a bunch of people out!

Thanks,
Kennedy

- Original Message -
From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5

> CRL support is present in Tomcat 5.5.12.
>
> I am not an expert on Tomcat CRL support but what I know is the following:
>
> - You will need to recompile some of the tomcat-util.jar classes with JDK 1.5 because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be recompiled are: org.apache.tomcat.util.net.jsse.JSSE15Factory and org.apache.tomcat.util.net.jsse.JSSE15SocketFactory.
> - The crlFile property needs to be added inside your SSL Connector in the server.xml file. The value is the location of the CRL file on your system.
>
> Regards,
>
> Martin
Re: Certificate Revocation Lists in Tomcat 5.5
The answer here is "definite maybe".

If the certificate issuer does not support Online Certificate Status Protocol (OCSP), then there is no ability to verify that the certificate is invalid, as the ability to determine 'revoked status' in itself fails. To this day this is a known bug with CRLs and one which should force more verifiable security precautions such as Kerberos from MIT or perhaps the use of Public Key Encryption (PKI).

Martin-

- Original Message -
From: "Kennedy Roberts" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Wednesday, November 30, 2005 2:49 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5

> Martin,
>
> Thanks again for your input. The reason I ask about "quirks" is because I have seen examples using crlFiles (note the 's') rather than crlFile. The value for this parameter then used a wildcard to point to all of the files in a certain directory. Have you seen it used like this?
>
> And just to clarify: once I do have a CRL, if I point to it in this manner, and also have client authentication enabled, I should be barred from accessing the site with a revoked certificate, correct?
>
> Thanks,
> Kennedy
Re: Certificate Revocation Lists in Tomcat 5.5
Martin,

Thanks again for your input. The reason I ask about "quirks" is because I have seen examples using crlFiles (note the 's') rather than crlFile. The value for this parameter then used a wildcard to point to all of the files in a certain directory. Have you seen it used like this?

And just to clarify: once I do have a CRL, if I point to it in this manner, and also have client authentication enabled, I should be barred from accessing the site with a revoked certificate, correct?

Thanks,
Kennedy

- Original Message -
From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Wednesday, November 30, 2005 2:45 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5

> 1) crlFile is a standard parameter for Connector since Tomcat 5.5.10 if my recollection is right.
> 2) There are no quirks in using it.
>
> Martin
Re: Certificate Revocation Lists in Tomcat 5.5
1) crlFile is a standard parameter for Connector since Tomcat 5.5.10 if my recollection is right.
2) There are no quirks in using it.

Martin

--- Kennedy Roberts <[EMAIL PROTECTED]> wrote:

> After doing some research, I have found a few examples of {tomcat.home}/conf/server.xml files online that use the "crlFiles" param as part of a connector. Is this a standard parameter that can be used in the server.xml file? I ask because the sites where I have found these examples are not clear in whether this is some "added" functionality. The reason I don't try it out myself is because at this point I don't have a CRL which contains any of the certificates we use in our development environment.
>
> To summarize:
>
> 1) Is the crlFiles param a standard element?
>
> 2) Has (does) anyone use this param, and are there any quirks to using it?
>
> Thanks,
>
> Kennedy
Re: Certificate Revocation Lists in Tomcat 5.5
After doing some research, I have found a few examples of {tomcat.home}/conf/server.xml files online that use the "crlFiles" param as part of a connector. Is this a standard parameter that can be used in the server.xml file? I ask because the sites where I have found these examples are not clear in whether this is some "added" functionality. The reason I don't try it out myself is because at this point I don't have a CRL which contains any of the certificates we use in our development environment.

To summarize:

1) Is the crlFiles param a standard element?

2) Has (does) anyone use this param, and are there any quirks to using it?

Thanks,

Kennedy

- Original Message -
From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5

> CRL support is present in Tomcat 5.5.12.
>
> I am not an expert on Tomcat CRL support but what I know is the following:
>
> - You will need to recompile some of the tomcat-util.jar classes with JDK 1.5 because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be recompiled are: org.apache.tomcat.util.net.jsse.JSSE15Factory and org.apache.tomcat.util.net.jsse.JSSE15SocketFactory.
> - The crlFile property needs to be added inside your SSL Connector in the server.xml file. The value is the location of the CRL file on your system.
>
> Regards,
>
> Martin
RE: Certificate Revocation Lists in Tomcat 5.5
> From: Mark Thomas [mailto:[EMAIL PROTECTED]
> Subject: Re: Certificate Revocation Lists in Tomcat 5.5
>
> Not necessarily. But it would create complications to
> maintain 1.4 compatibility where there is 1.5 specific
> code. The 1.5 code is skipped if 1.4 is used to build.

Ah - so it's a build script issue, not one with the Java source code or a runtime determination. Would it be possible to include 1.5 versions of those two classes in the download? (I realize it would complicate the build script somewhat.) Are these classes used for anything other than CRL?

> However, I would be wary of only compiling the "extra"
> classes. To be on the safe side, I would re-build the
> lot with 1.5.

Shouldn't matter functionally, although the 1.5 javac may generate slightly better code.

- Chuck
RE: Certificate Revocation Lists in Tomcat 5.5
> From: Duan, Nick [mailto:[EMAIL PROTECTED]
> Subject: RE: Certificate Revocation Lists in Tomcat 5.5
>
> The official tomcat 5.5.12 was compiled and packaged with J2SE5.0, not
> JDK 1.4. You'll get an error message if you run tomcat on 1.4.

Only if you fail to read the instructions in RUNNING.txt and don't install the rather tiny compatibility package. TC 5.5 was compiled with 1.4 as the target, and is certainly not "packaged" with J2SE5.0 - that's a separate download from your friendly neighborhood JVM vendor, not from Apache.

- Chuck
Re: Certificate Revocation Lists in Tomcat 5.5
Duan, Nick wrote:
> The official tomcat 5.5.12 was compiled and packaged with J2SE5.0, not
> JDK 1.4. You'll get an error message if you run tomcat on 1.4.
>
> ND

Um, no it wasn't. It was built using 1.4. That is why the 5.0 specific stuff is missing.

Mark
RE: Certificate Revocation Lists in Tomcat 5.5
The official tomcat 5.5.12 was compiled and packaged with J2SE5.0, not JDK 1.4. You'll get an error message if you run tomcat on 1.4.

ND

-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 4:46 PM
To: Tomcat Users List
Subject: Re: Certificate Revocation Lists in Tomcat 5.5

Caldarale, Charles R wrote:
>> From: Duan, Nick [mailto:[EMAIL PROTECTED]
>> Subject: RE: Certificate Revocation Lists in Tomcat 5.5
>>
>> Tomcat 5.5 is supposed to run on JDK 1.5. Why was it compiled with JDK
>> 1.4?
>
> Because it's supposed to run on JRE 1.4 as well. Compiling on 1.5 would
> have precluded that.

Not necessarily. But it would create complications to maintain 1.4 compatibility where there is 1.5 specific code. The 1.5 code is skipped if 1.4 is used to build.

> I'm a bit suspicious of the statement that certain classes had to be
> recompiled with 1.5; I suspect there's something more subtle than that
> going on.

Nope, it is that simple. There was a discussion about this on the dev list recently.

However, I would be wary of only compiling the "extra" classes. To be on the safe side, I would re-build the lot with 1.5.

Mark
Re: Certificate Revocation Lists in Tomcat 5.5
Caldarale, Charles R wrote:
>> From: Duan, Nick [mailto:[EMAIL PROTECTED]
>> Subject: RE: Certificate Revocation Lists in Tomcat 5.5
>>
>> Tomcat 5.5 is supposed to run on JDK 1.5. Why was it compiled with JDK
>> 1.4?
>
> Because it's supposed to run on JRE 1.4 as well. Compiling on 1.5 would
> have precluded that.

Not necessarily. But it would create complications to maintain 1.4 compatibility where there is 1.5 specific code. The 1.5 code is skipped if 1.4 is used to build.

> I'm a bit suspicious of the statement that certain classes had to be
> recompiled with 1.5; I suspect there's something more subtle than that
> going on.

Nope, it is that simple. There was a discussion about this on the dev list recently.

However, I would be wary of only compiling the "extra" classes. To be on the safe side, I would re-build the lot with 1.5.

Mark
RE: Certificate Revocation Lists in Tomcat 5.5
> From: Duan, Nick [mailto:[EMAIL PROTECTED]
> Subject: RE: Certificate Revocation Lists in Tomcat 5.5
>
> Tomcat 5.5 is supposed to run on JDK 1.5. Why was it compiled with JDK
> 1.4?

Because it's supposed to run on JRE 1.4 as well. Compiling on 1.5 would have precluded that.

I'm a bit suspicious of the statement that certain classes had to be recompiled with 1.5; I suspect there's something more subtle than that going on.

- Chuck
RE: Certificate Revocation Lists in Tomcat 5.5
That's indeed good news. I'd really like to know the result and appreciate any details.

Tomcat 5.5 is supposed to run on JDK 1.5. Why was it compiled with JDK 1.4?

ND

-Original Message-
From: Kennedy Roberts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 3:24 PM
To: Tomcat Users List
Subject: Re: Certificate Revocation Lists in Tomcat 5.5

Martin,

I have yet to try what you suggested, but if this is the case, I am grateful for your advice. I had already got our web application up and running on stand alone Tomcat (5.5.12) when I ran into this issue. Realizing this, I was thinking that I would have to scrap my work and start over figuring out how to run our web app with Tomcat integrated with Apache HTTP server. That option seems more labor intensive, as configuration of Tomcat was a breeze (even using SSL).

Two questions (for anyone):

1) Is there any reason why running our web app under Tomcat is not as good as running it under Tomcat/Apache HTTP server integrated?

2) With the solution proposed below, is it possible to point to more than one CRL file? We have multiple from multiple agencies, and previously just imported them one at a time into SunOne.

Thanks again for your help

-Kennedy

- Original Message -
From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5

> CRL support is present in Tomcat 5.5.12.
>
> I am not an expert on Tomcat CRL support but what I
> know is the following:
>
> - You will need to recompile some of the
> tomcat-util.jar classes with JDK 1.5 because Tomcat
> 5.5.12 was compiled with JDK 1.4. The classes to be
> recompiled are:
> org.apache.tomcat.util.net.jsse.JSSE15Factory and
> org.apache.tomcat.util.net.jsse.JSSE15SocketFactory
> classes.
> - The crlFile property needs to be added inside your
> SSL Connector in the server.xml file. The value is the
> location of the CRL file on your system.
>
> Regards,
>
> Martin
Re: Certificate Revocation Lists in Tomcat 5.5
Martin,

I have yet to try what you suggested, but if this is the case, I am grateful for your advice. I had already got our web application up and running on stand alone Tomcat (5.5.12) when I ran into this issue. Realizing this, I was thinking that I would have to scrap my work and start over figuring out how to run our web app with Tomcat integrated with Apache HTTP server. That option seems more labor intensive, as configuration of Tomcat was a breeze (even using SSL).

Two questions (for anyone):

1) Is there any reason why running our web app under Tomcat is not as good as running it under Tomcat/Apache HTTP server integrated?

2) With the solution proposed below, is it possible to point to more than one CRL file? We have multiple from multiple agencies, and previously just imported them one at a time into SunOne.

Thanks again for your help

-Kennedy

- Original Message -
From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5

> CRL support is present in Tomcat 5.5.12.
>
> I am not an expert on Tomcat CRL support but what I know is the following:
>
> - You will need to recompile some of the tomcat-util.jar classes with JDK 1.5 because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be recompiled are: org.apache.tomcat.util.net.jsse.JSSE15Factory and org.apache.tomcat.util.net.jsse.JSSE15SocketFactory.
> - The crlFile property needs to be added inside your SSL Connector in the server.xml file. The value is the location of the CRL file on your system.
>
> Regards,
>
> Martin
RE: Certificate Revocation Lists in Tomcat 5.5
CRL support is present in Tomcat 5.5.12. I am not an expert on Tomcat CRL support, but what I know is the following:

- You will need to recompile some of the tomcat-util.jar classes with JDK 1.5 because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be recompiled are: org.apache.tomcat.util.net.jsse.JSSE15Factory and org.apache.tomcat.util.net.jsse.JSSE15SocketFactory.

- The crlFile property needs to be added inside your SSL Connector in the server.xml file. The value is the location of the CRL file on your system.

Regards,
Martin

--- "Duan, Nick" <[EMAIL PROTECTED]> wrote:

> Tomcat currently doesn't support cert validation against CRL. You may want to use Apache's mod_ssl to do the CRL checking. You will have to use mod_jk to connect Apache web server with Tomcat.
>
> SSL is very computationally intensive. Using Apache's httpd to do the SSL work is more efficient than using Java-based Tomcat.
>
> ND
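The crlFile attribute described above hands Tomcat one CRL file. As an added example (it is not Tomcat code and not from anyone in this thread), the class below shows the JDK-level mechanism that such a setting ultimately drives: CRLs parsed by CertificateFactory, placed in a "Collection" CertStore, and consulted by the PKIX CertPathValidator while the client chain is checked against a truststore. It goes beyond the single-file case by loading every CRL found in a directory, which is the situation Kennedy asks about (several agencies, several CRLs). The class name, the method names, the command-line layout and the expectation that each file in the directory is a DER or PEM X.509 CRL are assumptions of this example, not anything the thread or Tomcat defines.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not Tomcat code: PKIX chain validation that consults
 * every CRL found in a directory (a hypothetical layout; Tomcat itself
 * only takes one crlFile). Written against the JDK 1.5 API so it
 * matches the environment discussed in the thread.
 */
public class CrlDirectoryCheck {

    /** Parse every regular file in crlDir as one or more X.509 CRLs. */
    static List<CRL> loadCrls(File crlDir) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<CRL> crls = new ArrayList<CRL>();
        File[] files = crlDir.listFiles();
        if (files == null) {
            throw new IllegalArgumentException("not a readable directory: " + crlDir);
        }
        for (File f : files) {
            if (!f.isFile()) continue;
            InputStream in = new FileInputStream(f);
            try {
                // generateCRLs returns all CRLs it can read from the stream
                crls.addAll(cf.generateCRLs(in));
            } finally {
                in.close();
            }
        }
        return crls;
    }

    /** PKIX parameters: trust anchors from trustStore, revocation data from crls. */
    static PKIXParameters revocationParams(KeyStore trustStore, List<CRL> crls) throws Exception {
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true); // already the default; made explicit
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        return params;
    }

    /** Returns null when the chain validates, otherwise the validator's reason. */
    static String validate(List<X509Certificate> chain, PKIXParameters params) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain); // leaf first, anchor excluded
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            // A revoked leaf surfaces here, as does a missing or stale CRL
            return e.getMessage();
        }
    }

    /** Assumed usage: truststore.jks password crl-dir cert1.pem [cert2.pem ...] */
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream tsIn = new FileInputStream(args[0]);
        try { ts.load(tsIn, args[1].toCharArray()); } finally { tsIn.close(); }

        List<CRL> crls = loadCrls(new File(args[2]));

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (int i = 3; i < args.length; i++) {
            InputStream c = new FileInputStream(args[i]);
            try { chain.add((X509Certificate) cf.generateCertificate(c)); } finally { c.close(); }
        }

        String problem = validate(chain, revocationParams(ts, crls));
        System.out.println(problem == null ? "accepted" : "rejected: " + problem);
    }
}
```

Two behaviours of the PKIX validator are worth knowing before relying on any of this. With revocation enabled it fails closed: if the directory holds no CRL for the CA that issued a presented certificate, or only a CRL whose nextUpdate has passed, the chain is rejected even though nothing is revoked, so a missing agency CRL causes an outage rather than a silent gap. Each CRL's signature is also verified against its issuer, so a CRL from a CA that is not in the truststore is simply ignored. As for feeding several CRLs through Tomcat's single crlFile, the JDK documents generateCRLs as accepting a sequence of DER-encoded CRLs or a PKCS#7 CRL set in one stream, which suggests concatenating them into one file; that is an inference from the API documentation, not something the thread confirms, so test it against a revoked certificate before depending on it.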
RE: Certificate Revocation Lists in Tomcat 5.5
I am trying to do the same thing. I haven't implemented anything yet but found this: http://a-select.surfnet.nl

It looks like it handles CRLs and interfaces nicely with Tomcat.

Paul Dobson

-----Original Message-----
From: Kennedy Roberts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 8:55 AM
To: users@tomcat.apache.org
Subject: Certificate Revocation Lists in Tomcat 5.5

> Hi all,
>
> We've recently migrated our (SSL enabled) web application from SunOne to Tomcat 5.5, and I can't find any information on handling Certificate Revocation Lists in Tomcat. In SunOne, there was a function in the administration console that let you import a CRL. Is there any equivalent in Tomcat, or perhaps some other command line equivalent?
>
> Thanks for your help.
>
> -Kennedy
RE: Certificate Revocation Lists in Tomcat 5.5
Tomcat currently doesn't support cert validation against CRL. You may want to use Apache's mod_ssl to do the CRL checking. You will have to use mod_jk to connect Apache web server with Tomcat.

SSL is very computationally intensive. Using Apache's httpd to do the SSL work is more efficient than using Java-based Tomcat.

ND

-----Original Message-----
From: Kennedy Roberts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 10:55 AM
To: users@tomcat.apache.org
Subject: Certificate Revocation Lists in Tomcat 5.5

> Hi all,
>
> We've recently migrated our (SSL enabled) web application from SunOne to Tomcat 5.5, and I can't find any information on handling Certificate Revocation Lists in Tomcat. In SunOne, there was a function in the administration console that let you import a CRL. Is there any equivalent in Tomcat, or perhaps some other command line equivalent?
>
> Thanks for your help.
>
> -Kennedy