Posted to users@tomcat.apache.org by Ja kub <jj...@gmail.com> on 2013/11/12 11:56:26 UTC
crlFile update
Hello,
Is there any way to revoke a certificate without restarting Tomcat?
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html :
crlFile The certificate revocation list to be used to verify client
certificates.
Is this file reloaded by Tomcat, or is it read only once at startup?
regards
Jakub
Re: crlFile update
Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Nov 12, 2013, at 1:54 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Dan,
>
> On 11/12/13, 10:10 AM, Daniel Mikusa wrote:
>> On Nov 12, 2013, at 5:56 AM, Ja kub <jj...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Is there any way to revoke certificate without restarting tomcat
>>> ?
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html :
>>> crlFile The certificate revocation list to be used to verify
>>> client certificates.
>>>
>>> is this file reloaded by tomcat, or it is read only once at
>>> startup ?
>>
>> I think this was answered recently on the list. Check out this
>> thread.
>>
>> http://marc.info/?l=tomcat-user&m=137345634818076&w=2
>
> Short answer: no, CRLs basically can't be updated (right now).
>
> I'll have to check, but I think re-reading the CRL at runtime isn't a
> huge problem for the JSSE connector. Can you log a bugzilla
> enhancement request?
I submitted this request.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55770
It's a pretty basic request though, so if anyone has more detailed thoughts on how this should work, please feel free to elaborate.
Dan
>
> - -chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: crlFile update
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Dan,
On 11/12/13, 10:10 AM, Daniel Mikusa wrote:
> On Nov 12, 2013, at 5:56 AM, Ja kub <jj...@gmail.com> wrote:
>
>> Hello,
>>
>> Is there any way to revoke certificate without restarting tomcat
>> ?
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html :
>> crlFile The certificate revocation list to be used to verify
>> client certificates.
>>
>> is this file reloaded by tomcat, or it is read only once at
>> startup ?
>
> I think this was answered recently on the list. Check out this
> thread.
>
> http://marc.info/?l=tomcat-user&m=137345634818076&w=2
Short answer: no, CRLs basically can't be updated (right now).
I'll have to check, but I think re-reading the CRL at runtime isn't a
huge problem for the JSSE connector. Can you log a bugzilla
enhancement request?
- -chris
Re: crlFile update
Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Nov 12, 2013, at 5:56 AM, Ja kub <jj...@gmail.com> wrote:
> Hello,
>
> Is there any way to revoke certificate without restarting tomcat ?
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html :
> crlFile The certificate revocation list to be used to verify client
> certificates.
>
> is this file reloaded by tomcat, or it is read only once at startup ?
I think this was answered recently on the list. Check out this thread.
http://marc.info/?l=tomcat-user&m=137345634818076&w=2
Dan
>
> regards
> Jakub
Re: crlFile update
Posted by Marek Jagielski <ma...@gmail.com>.
Soon I will face the same problem.
I am thinking of implementing my own TrustManager that checks certificates itself.
I've found (not yet verified) an example here:
http://forum.spring.io/forum/spring-projects/web/117374-how-to-write-a-x509-custom-trust-manager-for-validating-the-client
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Build a trust manager from the CA keystore and check one client certificate against it
TrustManagerFactory factory = TrustManagerFactory.getInstance("X509");
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(getClass().getResourceAsStream("ca.keystore"), "123456".toCharArray());
factory.init(ks);
Certificate cert = CertificateFactory.getInstance("X509")
        .generateCertificate(getClass().getResourceAsStream("localhost.cer"));
// checkClientTrusted throws CertificateException if the chain is not trusted
for (TrustManager tm : factory.getTrustManagers())
    ((X509TrustManager) tm).checkClientTrusted(new X509Certificate[] { (X509Certificate) cert }, "RSA");
Marek
2013/11/12 Ja kub <jj...@gmail.com>
> Hello,
>
> Is there any way to revoke certificate without restarting tomcat ?
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html :
> crlFile The certificate revocation list to be used to verify client
> certificates.
>
> is this file reloaded by tomcat, or it is read only once at startup ?
>
> regards
> Jakub
>
--
Marek Jagielski
+48 513 402 596
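Marek's plan above, a custom TrustManager that checks client certificates itself, is one way around the limitation Chris describes (the JSSE connector reads crlFile only at startup). The class below is an added example written for this thread, not code from the thread or from Tomcat; the class name, the constructor parameters, and the assumption that the CRL is a DER or PEM file signed by the CA whose public key is passed in are all mine.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper: delegates to a JSSE trust manager, then rejects any certificate
// listed in a CRL file that is re-read whenever its mtime changes, so a revocation takes
// effect without a restart. The CRL signature is verified against the CA key (fail closed).
public class ReloadingCrlTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final Path crlPath;
    private final PublicKey crlIssuerKey;   // public key of the CA that signs the CRL
    private volatile X509CRL crl;
    private volatile long loadedMtime = -1;

    public ReloadingCrlTrustManager(X509TrustManager delegate, Path crlPath,
                                    PublicKey crlIssuerKey) throws CertificateException {
        this.delegate = delegate; this.crlPath = crlPath; this.crlIssuerKey = crlIssuerKey;
        reloadIfChanged();   // fail at startup rather than on the first client handshake
    }
    private synchronized void reloadIfChanged() throws CertificateException {
        try {
            long mtime = Files.getLastModifiedTime(crlPath).toMillis();
            if (mtime == loadedMtime) return;   // unchanged since the last load
            X509CRL fresh;
            try (InputStream in = Files.newInputStream(crlPath)) {
                fresh = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            }
            fresh.verify(crlIssuerKey);   // throws unless the CRL was signed by our CA
            crl = fresh; loadedMtime = mtime;
        } catch (Exception e) {   // an unreadable or unsigned CRL must not disable revocation checks
            throw new CertificateException("cannot load CRL " + crlPath, e);
        }
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);   // chain building, signatures, validity period
        reloadIfChanged();
        for (X509Certificate c : chain) {
            if (crl.isRevoked(c)) throw new CertificateException("revoked certificate, serial " + c.getSerialNumber());
        }
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { delegate.checkServerTrusted(chain, authType); }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Tomcat 7's JSSE connector can load a custom trust manager through its trustManagerClassName attribute, but that class must have a zero-argument constructor, so a deployable subclass would have to build its delegate and load the CA key itself.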