Martin,

Thanks again for your input. The reason I ask about "quirks" is because I have seen examples using crlFiles (note the 's') rather than crlFile. The value for this parameter then used a wildcard to point to all of the files in a certain directory. Have you seen it used like this?

And just to clarify: once I do have a CRL, if I point to it in this manner, and also have client authentication enabled, I should be barred from accessing the site with a revoked certificate, correct?

Thanks,

Kennedy


----- Original Message -----
From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Wednesday, November 30, 2005 2:45 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5


1) crlFile is a standard parameter for Connector since
Tomcat 5.5.10 if my recollection is right.

2) There are no quirks in using it.

Martin

--- Kennedy Roberts <[EMAIL PROTECTED]> wrote:

After doing some research, I have found a few examples of
{tomcat.home}/conf/server.xml files online that use the "crlFiles" param as
part of a connector.  Is this a standard parameter that can be used in the
server.xml file?  I ask because the sites where I have found these examples
are not clear in whether this is some "added" functionality.  The reason I
don't try it out myself is because at this point I don't have a CRL which
contains any of the certificates we use in our development environment.

To summarize:

1)  Is the crlFiles param a standard <connector> element?

2) Has (does) anyone use this param, and are there any quirks to using it?

Thanks,

Kennedy


----- Original Message -----
From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5


> CRL support is present in Tomcat 5.5.12.
>
> I am not an expert on Tomcat CRL support but what I
> know is the following:
>
> - You will need to recompile some of the
> tomcat-util.jar classes with JDK 1.5 because Tomcat
> 5.5.12 was compiled with JDK 1.4. The classes to be
> recompiled are:
> org.apache.tomcat.util.net.jsse.JSSE15Factory and
> org.apache.tomcat.util.net.jsse.JSSE15SocketFactory
> classes.
> - The crlFile property needs to be added inside your
> SSL Connector in the server.xml file. The value is the
> location of the CRL file on your system.
>
> Regards,
>
> Martin
>
> --- "Duan, Nick" <[EMAIL PROTECTED]> wrote:
>
>> Tomcat currently doesn't support cert validation
>> against CRL.  You may
>> want to use Apache's mod_ssl to do the CRL checking.
>> You will have to
>> use mod_jk to connect Apache web server with tomcat.
>>
>> SSL is very computationally intensive.  Using Apache's
>> httpd to do the SSL
>> work is more efficient than to use Java-based
>> tomcat.
>>
>> ND
>>
>> -----Original Message-----
>> From: Kennedy Roberts [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, November 29, 2005 10:55 AM
>> To: users@tomcat.apache.org
>> Subject: Certificate Revocation Lists in Tomcat 5.5
>>
>> Hi all,
>>
>>     We've recently migrated our (SSL enabled) web
>> application from SunOne to
>> Tomcat 5.5, and I can't find any information on
>> handling Certificate
>> Revocation Lists in Tomcat.  In SunOne, there was a
>> function in the
>> administration console that let you import a CRL.
>> Is there any equivalent
>> in Tomcat, or perhaps some other command line
>> equivalent?
>>
>> Thanks for your help.
>>
>> -Kennedy
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]