The answer here is "definite maybe".
If the certificate issuer does not support Online Certificate Status Protocol (OCSP), then there is no ability to verify that the certificate is invalid, as the ability to determine 'revoked status' in itself fails.

To this day this is a known bug with CRLs, and one which should force more verifiable security precautions such as Kerberos from MIT, or perhaps the use of Public Key Encryption (PKI).

Martin-
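As an added example that is not from any of the posters, here is the Tomcat 5.5 SSL Connector configuration the thread is discussing: the first Connector turns on client authentication but does no revocation checking, so a revoked client certificate that is still unexpired and chains to a CA in the truststore is accepted; the second adds the crlFile attribute Martin mentions, so certificates listed in the CRL are rejected during the handshake. Ports, paths and passwords are placeholders, and the JDK 1.5 recompile Martin describes is assumed to be done.

```xml
<!-- WEAK: clientAuth="true" checks that the client certificate chains to
     the truststore, but without crlFile nothing consults a CRL, so a
     certificate the CA has revoked still authenticates. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/server.jks"
           keystorePass="PLACEHOLDER"
           truststoreFile="/PLACEHOLDER/path/ca-truststore.jks"
           truststorePass="PLACEHOLDER" />

<!-- HARDENED: same Connector with crlFile pointing at the issuing CA's CRL.
     A client certificate whose serial number appears in the CRL fails the
     handshake. The file is read when the Connector initializes, so a
     refreshed CRL takes effect only after Tomcat is restarted; keep it
     current, since a stale CRL knows nothing about later revocations.
     Deploy one of the two Connectors, not both, on the same port. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/server.jks"
           keystorePass="PLACEHOLDER"
           truststoreFile="/PLACEHOLDER/path/ca-truststore.jks"
           truststorePass="PLACEHOLDER"
           crlFile="/PLACEHOLDER/path/ca.crl" />
```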

----- Original Message ----- From: "Kennedy Roberts" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Wednesday, November 30, 2005 2:49 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5


Martin,

Thanks again for your input. The reason I ask about "quirks" is because I have seen examples using crlFiles (note the 's') rather than crlFile. The value for this parameter then used a wildcard to point to all of the files in a certain directory. Have you seen it used like this?

And just to clarify: once I do have a CRL, if I point to it in this manner, and also have client authentication enabled, I should be barred from accessing the site with a revoked certificate, correct?

Thanks,

Kennedy


----- Original Message ----- From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Wednesday, November 30, 2005 2:45 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5


1) crlFile is a standard parameter for Connector since Tomcat 5.5.10 if my recollection is right.

2) There are no quirks in using it.

Martin

--- Kennedy Roberts <[EMAIL PROTECTED]> wrote:

After doing some research, I have found a few examples of {tomcat.home}/conf/server.xml files online that use the "crlFiles" param as part of a connector.  Is this a standard parameter that can be used in the server.xml file?  I ask because the sites where I have found these examples are not clear in whether this is some "added" functionality.  The reason I don't try it out myself is because at this point I don't have a CRL which contains any of the certificates we use in our development environment.

To summarize:

1) Is the crlFiles param a standard <connector> element?

2) Has (does) anyone use this param, and are there any quirks to using it?

Thanks,

Kennedy


----- Original Message ----- From: "Martin Dubuc" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5


> CRL support is present in Tomcat 5.5.12.
>
> I am not an expert on Tomcat CRL support but what I know is the following:
>
> - You will need to recompile some of the tomcat-util.jar classes with JDK 1.5 because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be recompiled are: org.apache.tomcat.util.net.jsse.JSSE15Factory and org.apache.tomcat.util.net.jsse.JSSE15SocketFactory.
> - The crlFile property needs to be added inside your SSL Connector in the server.xml file. The value is the location of the CRL file on your system.
>
> Regards,
>
> Martin
>
> --- "Duan, Nick" <[EMAIL PROTECTED]> wrote:
>
>> Tomcat currently doesn't support cert validation against CRL.  You may want to use Apache's mod_ssl to do the CRL checking.  You will have to use mod_jk to connect Apache web server with tomcat.
>>
>> SSL is very computationally intensive.  Using Apache's httpd to do the SSL work is more efficient than using Java-based tomcat.
>>
>> ND
>>
>> -----Original Message-----
>> From: Kennedy Roberts [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, November 29, 2005 10:55 AM
>> To: users@tomcat.apache.org
>> Subject: Certificate Revocation Lists in Tomcat 5.5
>>
>> Hi all,
>>
>>     We've recently migrated our (SSL enabled) web application from SunOne to Tomcat 5.5, and I can't find any information on handling Certificate Revocation Lists in Tomcat.  In SunOne, there was a function in the administration console that let you import a CRL.  Is there any equivalent in Tomcat, or perhaps some other command line equivalent?
>>
>> Thanks for your help.
>>
>> -Kennedy