I have my Tomcat 6.0.34 installation configured to use APR and tcnative for certificate validation & CRL checking.
I have a revoked CRL and when I use the openssl command line to check the certificate, it properly returns certificate revoked.
When I try going in through tomcat, however, it prompts for a certificate to be selected and then once I select the revoked certificate, it lets me into the application.
]# openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose -purpose sslclient TestThirtySeven_Revoked.pem
TestThirtySeven_Revoked.pem: C = US, O = <ORG>, OU = OU1, OU = OU2, OU = OU3, CN = TESTThirtySeven.REVOKED.9000050001
error 23 at 0 depth lookup:certificate revoked
Connector info from Tomcat:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               scheme="https"
               maxHttpHeaderSize="8192"
               maxThreads="150"
               minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false"
               acceptCount="100"
               disableUploadTimeout="true"
               compression="on"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
               connectionTimeout="20000"
               secure="true"
               SSLCertificateFile="/etc/ssl/certs/servercrt01.crt"
               SSLCertificateKeyFile="/etc/ssl/certs/serverkey.pem"
               SSLPassword="password"
               SSLCACertificatePath="/etc/ssl/certs/"
               SSLVerifyClient="require"
               SSLCARevocationPath="/etc/ssl/certs/"
               sslProtocol="TLS"
               redirectPort="8443" />
The log file shows nothing related to CRL.
The /etc/ssl/certs directory has hash links to my CAs and CRLs.
Does it help if I hit the server with a baseball bat?
--Will
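As an added example (not part of Will's post or of Tomcat/tcnative), the script below builds a throwaway CA with one revoked and one valid client certificate, publishes a CRL, lays the CA and CRL out in a hashed directory the way /etc/ssl/certs is laid out for the post's SSLCACertificatePath / SSLCARevocationPath (`<hash>.0` for a CA, `<hash>.r0` for its CRL, which is what c_rehash or `openssl rehash` produce), and then runs the same `openssl verify -CApath ... -crl_check_all -purpose sslclient` check the post uses against both certificates. All paths, names and the test CA are constructed for this example; it shows what a correctly hashed revocation directory has to contain for the OpenSSL by-directory lookup that both the openssl CLI and tcnative rely on to find a CRL at all.

```shell
#!/bin/sh
# Throwaway PKI that reproduces the CRL check from the post. Everything under
# the work directory is constructed for this example; nothing touches /etc/ssl.
set -eu

# Build a test CA, one revoked and one valid client cert, a CRL and a hashed
# trust directory under $1.
build_test_pki() {
    work="$1"
    ca="$work/ca"
    mkdir -p "$ca/newcerts" "$work/certs"
    : > "$ca/index.txt"
    echo 1000 > "$ca/serial"
    echo 01 > "$ca/crlnumber"
    cfg="$work/openssl.cnf"
    # Minimal 'openssl ca' configuration; \$dir is left for OpenSSL to expand.
    cat > "$cfg" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Self-signed test CA (valid for one day, key unencrypted: test only).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" -subj "/CN=Example Test CA" \
        -config "$cfg" -extensions v3_ca >/dev/null 2>&1
    # Two client certs issued through 'openssl ca' so they land in the index.
    for name in revoked valid; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$work/$name.key" \
            -out "$work/$name.csr" -subj "/CN=$name client" -config "$cfg" >/dev/null 2>&1
        openssl ca -batch -config "$cfg" -extensions v3_client -notext \
            -in "$work/$name.csr" -out "$work/$name.crt" >/dev/null 2>&1
    done
    # Revoke one of them and publish a CRL signed by the CA.
    openssl ca -config "$cfg" -revoke "$work/revoked.crt" >/dev/null 2>&1
    openssl ca -config "$cfg" -gencrl -out "$ca/ca.crl" >/dev/null 2>&1
    # Hashed trust directory: the by-directory lookup behind 'openssl verify
    # -CApath' (and tcnative's SSLCACertificatePath/SSLCARevocationPath)
    # finds a CA as <subject-hash>.0 and its CRL as <issuer-hash>.r0.
    cp "$ca/ca.crt" "$work/certs/ca.pem"
    cp "$ca/ca.crl" "$work/certs/ca.crl"
    h=$(openssl x509 -noout -hash -in "$work/certs/ca.pem")
    ln -sf ca.pem "$work/certs/$h.0"
    h=$(openssl crl -noout -hash -in "$work/certs/ca.crl")
    ln -sf ca.crl "$work/certs/$h.r0"
}

# The check from the post; prints "revoked", "ok" or the raw verify output.
check_client_cert() {
    capath="$1"; cert="$2"
    out=$(openssl verify -CApath "$capath" -crl_check_all -purpose sslclient "$cert" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*) echo ok ;;
        *) echo "$out" ;;
    esac
}

# Builds the PKI in a temp dir and prints "<revoked result> <valid result>".
run_demo() {
    work=$(mktemp -d)
    build_test_pki "$work"
    echo "$(check_client_cert "$work/certs" "$work/revoked.crt") $(check_client_cert "$work/certs" "$work/valid.crt")"
    rm -rf "$work"
}

if [ "${1:-}" = "--run" ]; then
    run_demo
fi
```

Run it with `sh crl_check.sh --run`; it prints `revoked ok`. Removing the `.r0` link from the certs directory and re-running is the quickest way to see what a missing CRL hash link looks like: with `-crl_check_all` the verify then fails with "unable to get certificate CRL" rather than silently accepting the revoked cert, which is a useful contrast to keep in mind when the server side stays quiet.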