Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2018/03/19 13:52:05 UTC

tcnative experts: please have a look at BZ 53940

All,

I'm guessing this is mostly directed towards Rainer: can someone look
at https://bz.apache.org/bugzilla/show_bug.cgi?id=53940? It's got a
proposed patch and IMO makes sense to implement.

I'm not familiar enough with OpenSSL and the way that the SSL engine
works to know if this is a valid technique.

Most people don't use CRLs so it won't affect their performance or
anything like that. But those who do rely on a CRL can't afford to
bounce their Tomcat instance or connector just to pick up an updated
CRL.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: tcnative experts: please have a look at BZ 53940

Posted by Rainer Jung <ra...@kippdata.de>.
On 19.03.2018 at 15:13, Christopher Schultz wrote:
> Mark,
> 
> On 3/19/18 9:54 AM, Mark Thomas wrote:
>> On 19/03/18 13:52, Christopher Schultz wrote:
>>> All,
>>>
>>> I'm guessing this is mostly directed towards Rainer: can someone
>>> look at https://bz.apache.org/bugzilla/show_bug.cgi?id=53940?
>>> It's got a proposed patch and IMO makes sense to implement.
>>>
>>> I'm not familiar enough with OpenSSL and the way that the SSL
>>> engine works to know if this is a valid technique.
>>>
>>> Most people don't use CRLs so it won't affect their performance
>>> or anything like that. But those who do rely on a CRL can't
>>> afford to bounce their Tomcat instance or connector just to
>>> pick up an updated CRL.
>>
>> Can't we just close that as WONTFIX on the grounds that you just
>> trigger the reload of the TLS config in Tomcat?
> 
> It seems reasonable, but I believe this patch looks at the CRL's
> reload "schedule" (I didn't know CRLs had such a thing) and respects
> it. So Tomcat could auto-reload appropriately without having to set up
> e.g. cron to reload on a schedule.
> 
> Also, I didn't realize that the reload was working for native-based
> connectors. Now that I think about it, I think you said at one point
> that we are simply relying on a finalizer to clean-up after abandoned
> native SSL engine resources rather than going through the trouble to
> maintain our own reference-counting infrastructure. So I guess that's
> a moot point.
> 
> I'm okay closing this as WONTFIX with a note saying "issue a reload
> command yourself". The original poster can come back to request this
> feature specifically if manual-reloading is not acceptable.

Having only looked very briefly, there could be an issue with c->crl
being freed and reinitialized. If that is shared between threads, we
might get crashes under load or other misbehavior, and would instead
need a more atomic way of updating.

I hope I find some time to look at httpd, to see whether it supports
such a feature and how it is done there.

Regards,

Rainer
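The freed-and-reinitialized concern above, and the nextUpdate-driven reload Chris mentions in the first post, as an added example in C that is not code from tcnative, Tomcat or the Bugzilla patch: a hypothetical `crl_ctx` publishes a reference-counted CRL under a mutex, so a verification that already holds the old CRL keeps a valid object while a reload swaps in the new one, and the context reloads only once the CRL's own nextUpdate time has passed. Every struct and function name here is an assumption, and the serials and timestamps are constructed.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Toy stand-in for a loaded CRL: a few revoked serials plus the CRL's
 * nextUpdate time. Hypothetical layout, not tcnative's or OpenSSL's. */
#define MAX_SERIALS 8
typedef struct crl_store {
    int refcount;                 /* protected by the owning context's lock */
    time_t next_update;           /* when the issuer promises a fresh CRL */
    char serials[MAX_SERIALS][16];
    int nserials;
} crl_store;

/* Hypothetical per-connector context; the lock guards both the CRL
 * pointer and the refcount of every CRL published through it. */
typedef struct crl_ctx {
    pthread_mutex_t lock;
    crl_store *crl;
} crl_ctx;

static crl_store *crl_new(time_t next_update, const char *const *serials, int n) {
    crl_store *crl = calloc(1, sizeof *crl);
    if (!crl || n > MAX_SERIALS) { free(crl); return NULL; }
    crl->refcount = 1;            /* the reference the context will own */
    crl->next_update = next_update;
    for (int i = 0; i < n; i++)
        strncpy(crl->serials[i], serials[i], sizeof crl->serials[i] - 1);
    crl->nserials = n;
    return crl;
}

static void crl_ctx_init(crl_ctx *c, crl_store *initial) {
    pthread_mutex_init(&c->lock, NULL);
    c->crl = initial;
}

/* A reader takes its own reference, so the object cannot be freed under it. */
static crl_store *crl_acquire(crl_ctx *c) {
    pthread_mutex_lock(&c->lock);
    crl_store *crl = c->crl;
    if (crl) crl->refcount++;
    pthread_mutex_unlock(&c->lock);
    return crl;
}

/* Dropping the last reference frees, whichever thread that turns out to be. */
static void crl_release(crl_ctx *c, crl_store *crl) {
    if (!crl) return;
    pthread_mutex_lock(&c->lock);
    int last = (--crl->refcount == 0);
    pthread_mutex_unlock(&c->lock);
    if (last) free(crl);
}

/* Publish a freshly loaded CRL. Readers still holding the old one keep a
 * valid object; it is freed only when the last of them releases it. */
static void crl_swap(crl_ctx *c, crl_store *fresh) {
    pthread_mutex_lock(&c->lock);
    crl_store *old = c->crl;
    c->crl = fresh;
    pthread_mutex_unlock(&c->lock);
    crl_release(c, old);          /* drop the context's reference to the old CRL */
}

static int crl_is_revoked(const crl_store *crl, const char *serial) {
    for (int i = 0; i < crl->nserials; i++)
        if (strcmp(crl->serials[i], serial) == 0) return 1;
    return 0;
}

/* Reload only when the CRL's own nextUpdate has passed (or none is loaded),
 * instead of on an external timer. */
static int crl_needs_reload(crl_ctx *c, time_t now) {
    crl_store *crl = crl_acquire(c);
    int stale = (crl == NULL) || (now >= crl->next_update);
    crl_release(c, crl);
    return stale;
}

/* Scenario: a verification in progress holds the old CRL while a reload
 * swaps in a new one. Returns 1 if every step stays consistent. */
static int crl_reload_scenario(void) {
    static const char *const old_serials[] = { "0A1B", "0C2D" };
    static const char *const new_serials[] = { "0A1B", "0C2D", "0E3F" };
    crl_ctx ctx;
    crl_ctx_init(&ctx, crl_new(1000, old_serials, 2));   /* constructed times */

    crl_store *held = crl_acquire(&ctx);                 /* reader mid-handshake */
    if (crl_needs_reload(&ctx, 999)) return 0;           /* not due yet */
    if (!crl_needs_reload(&ctx, 1000)) return 0;         /* due now */

    crl_swap(&ctx, crl_new(2000, new_serials, 3));       /* reload thread */
    int ok = crl_is_revoked(held, "0A1B") && !crl_is_revoked(held, "0E3F");
    ok = ok && held->refcount == 1;                      /* still alive: reader owns it */
    crl_release(&ctx, held);                             /* now it is freed */

    crl_store *cur = crl_acquire(&ctx);
    ok = ok && crl_is_revoked(cur, "0E3F") && !crl_needs_reload(&ctx, 1500);
    crl_release(&ctx, cur);
    crl_swap(&ctx, NULL);                                /* teardown */
    pthread_mutex_destroy(&ctx.lock);
    return ok;
}

int main(void) {
    printf("scenario %s\n", crl_reload_scenario() ? "consistent" : "broken");
    return 0;
}
```

Build with `cc -std=c11 crl_swap.c` (add `-lpthread` on older toolchains). The single lock covering both the published pointer and the refcounts is the simplest way to close the window between reading `c->crl` and taking a reference; in a real OpenSSL integration the `X509_STORE` refcount (`X509_STORE_up_ref`, OpenSSL 1.1.0 and later) plays the role of the toy `refcount` field here.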


Re: tcnative experts: please have a look at BZ 53940

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 3/19/18 9:54 AM, Mark Thomas wrote:
> On 19/03/18 13:52, Christopher Schultz wrote:
>> All,
>> 
>> I'm guessing this is mostly directed towards Rainer: can someone
>> look at https://bz.apache.org/bugzilla/show_bug.cgi?id=53940?
>> It's got a proposed patch and IMO makes sense to implement.
>> 
>> I'm not familiar enough with OpenSSL and the way that the SSL
>> engine works to know if this is a valid technique.
>> 
>> Most people don't use CRLs so it won't affect their performance
>> or anything like that. But those who do rely on a CRL can't
>> afford to bounce their Tomcat instance or connector just to
>> pick up an updated CRL.
> 
> Can't we just close that as WONTFIX on the grounds that you just
> trigger the reload of the TLS config in Tomcat?

It seems reasonable, but I believe this patch looks at the CRL's
reload "schedule" (I didn't know CRLs had such a thing) and respects
it. So Tomcat could auto-reload appropriately without having to set up
e.g. cron to reload on a schedule.

Also, I didn't realize that the reload was working for native-based
connectors. Now that I think about it, I think you said at one point
that we are simply relying on a finalizer to clean-up after abandoned
native SSL engine resources rather than going through the trouble to
maintain our own reference-counting infrastructure. So I guess that's
a moot point.

I'm okay closing this as WONTFIX with a note saying "issue a reload
command yourself". The original poster can come back to request this
feature specifically if manual-reloading is not acceptable.

-chris


Re: tcnative experts: please have a look at BZ 53940

Posted by Rémy Maucherat <re...@apache.org>.
On Mon, Mar 19, 2018 at 2:54 PM, Mark Thomas <ma...@apache.org> wrote:

> On 19/03/18 13:52, Christopher Schultz wrote:
> > All,
> >
> > I'm guessing this is mostly directed towards Rainer: can someone look
> > at https://bz.apache.org/bugzilla/show_bug.cgi?id=53940? It's got a
> > proposed patch and IMO makes sense to implement.
> >
> > I'm not familiar enough with OpenSSL and the way that the SSL engine
> > works to know if this is a valid technique.
> >
> > Most people don't use CRLs so it won't affect their performance or
> > anything like that. But those who do rely on a CRL can't afford to
> > bounce their Tomcat instance or connector just to pick up an updated
> > CRL.
>
> Can't we just close that as WONTFIX on the grounds that you just trigger
> the reload of the TLS config in Tomcat?
>

+1

That reload feature is good since it's so versatile and solves problems
without having to add hacks elsewhere.

Rémy

Re: tcnative experts: please have a look at BZ 53940

Posted by Mark Thomas <ma...@apache.org>.
On 19/03/18 13:52, Christopher Schultz wrote:
> All,
> 
> I'm guessing this is mostly directed towards Rainer: can someone look
> at https://bz.apache.org/bugzilla/show_bug.cgi?id=53940? It's got a
> proposed patch and IMO makes sense to implement.
> 
> I'm not familiar enough with OpenSSL and the way that the SSL engine
> works to know if this is a valid technique.
> 
> Most people don't use CRLs so it won't affect their performance or
> anything like that. But those who do rely on a CRL can't afford to
> bounce their Tomcat instance or connector just to pick up an updated
> CRL.

Can't we just close that as WONTFIX on the grounds that you just trigger
the reload of the TLS config in Tomcat?

Mark
