Posted to users@tomcat.apache.org by Will Nordmeyer <qu...@gmail.com> on 2012/12/11 17:43:35 UTC

Revoked Certificate being accepted

I have my Tomcat 6.0.34 installation configured to use APR and
tcnative for certificate validation & CRL checking.

I have a revoked CRL and when I use the openssl command line to check
the certificate, it properly returns certificate revoked.

When I try going in through tomcat, however, it prompts for a
certificate to be selected and then once I select the revoked
certificate, it lets me into the application.

]# openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose
-purpose sslclient TestThirtySeven_Revoked.pem
TestThirtySeven_Revoked.pem: C = US, O = <ORG>, OU = OU1, OU = OU2, OU
= OU3, CN = TESTThirtySeven.REVOKED.9000050001
error 23 at 0 depth lookup:certificate revoked

Connector info from Tomcat:
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               scheme="https"
               maxHttpHeaderSize="8192"
               maxThreads="150"
               minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false"
               acceptCount="100"
               disableUploadTimeout="true"
               compression="on"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/xml,application/x-javascript,application/javascript"
               connectionTimeout="20000"
               secure="true"
               SSLCertificateFile="/etc/ssl/certs/servercrt01.crt"
               SSLCertificateKeyFile="/etc/ssl/certs/serverkey.pem"
               SSLPassword="password"
               SSLCACertificatePath="/etc/ssl/certs/"
               SSLVerifyClient="require"
               SSLCARevocationPath="/etc/ssl/certs/"
               sslProtocol="TLS"
               redirectPort="8443" />

The log file shows nothing related to CRL.

The /etc/ssl/certs directory has hash links to my CAs and CRLs.

Does it help if I hit the server with a baseball bat?


--Will

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Revoked Certificate being accepted

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Will,

On 12/11/12 2:53 PM, Will Nordmeyer wrote:
> On Tue, Dec 11, 2012 at 2:25 PM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
>> 
>> Will,
>> 
>> On 12/11/12 11:43 AM, Will Nordmeyer wrote:
>>> I have my Tomcat 6.0.34 installation configured to use APR and 
>>> tcnative for certificate validation & CRL checking.
>>> 
>>> I have a revoked CRL and when I use the openssl command line
>>> to check the certificate, it properly returns certificate
>>> revoked.
>> 
>> You mean a revoked cert, right? I don't think you can revoke a
>> CRL. (Would that un-revoke the certs in the list...?)
>> 
>>> When I try going in through tomcat, however, it prompts for a 
>>> certificate to be selected and then once I select the revoked 
>>> certificate, it lets me into the application.
>> 
>> Did you start the server, revoke the certificate, then attempt to
>> use it to gain access? Tomcat loads the CRL once at startup when
>> using JSSE, so I assume the same thing happens with the APR
>> connector.
>> 
>> If you restart Tomcat with no other changes, is the connection
>> blocked?
>> 
>>> ]# openssl verify -CApath /etc/ssl/certs -crl_check_all
>>> -verbose -purpose sslclient TestThirtySeven_Revoked.pem 
>>> TestThirtySeven_Revoked.pem: C = US, O = <ORG>, OU = OU1, OU =
>>> OU2, OU = OU3, CN = TESTThirtySeven.REVOKED.9000050001 error 23
>>> at 0 depth lookup:certificate revoked
>>> 
>>> Connector info from Tomcat: <Connector port="8443" 
>>> protocol="org.apache.coyote.http11.Http11AprProtocol" 
>>> SSLEnabled="true" scheme="https" maxHttpHeaderSize="8192" 
>>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75" 
>>> enableLookups="false" acceptCount="100" 
>>> disableUploadTimeout="true" compression="on" 
>>> compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>>> javascript,application/xml,application/x-javascript,application/javascript"
>>> connectionTimeout="20000"
>>> secure="true"
>>> SSLCertificateFile="/etc/ssl/certs/servercrt01.crt" 
>>> SSLCertificateKeyFile="/etc/ssl/certs/serverkey.pem" 
>>> SSLPassword="password" SSLCACertificatePath="/etc/ssl/certs/" 
>>> SSLVerifyClient="require"
>>> SSLCARevocationPath="/etc/ssl/certs/" sslProtocol="TLS"
>>> redirectPort="8443" />
>>> 
>>> The log file shows nothing related to CRL.
>>> 
>>> The /etc/ssl/certs directory has hash links to my CAs and
>>> CRLs.
>> 
>> You mean symlinks?
>> 
> 
>>> Does it help if I hit the server with a baseball bat?
>> 
>> If I'm right (above), and the baseball bat causes a reboot
>> without any other damage, then it might actually help.
>> 
>> I don't believe Tomcat has any current mechanism for refreshing
>> the CRL. I think that's been requested once or twice... not sure
>> if it's actually in Bugzilla. If it's not, it should be: care to
>> look and file the enhancement request if necessary?
>> 
> OK... hit me with the baseball bat - I forgot to restart tomcat.
> I've read those steps repeatedly and forgot when it was important.

It's probably still worth filing such an enhancement request. Bouncing
the whole app server just to re-read the CRL is a bit heavy-handed.

- -chris



Re: Revoked Certificate being accepted

Posted by Will Nordmeyer <qu...@gmail.com>.
On Tue, Dec 11, 2012 at 2:25 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Will,
>
> On 12/11/12 11:43 AM, Will Nordmeyer wrote:
>> I have my Tomcat 6.0.34 installation configured to use APR and
>> tcnative for certificate validation & CRL checking.
>>
>> I have a revoked CRL and when I use the openssl command line to
>> check the certificate, it properly returns certificate revoked.
>
> You mean a revoked cert, right? I don't think you can revoke a CRL.
> (Would that un-revoke the certs in the list...?)
>
>> When I try going in through tomcat, however, it prompts for a
>> certificate to be selected and then once I select the revoked
>> certificate, it lets me into the application.
>
> Did you start the server, revoke the certificate, then attempt to use
> it to gain access? Tomcat loads the CRL once at startup when using
> JSSE, so I assume the same thing happens with the APR connector.
>
> If you restart Tomcat with no other changes, is the connection blocked?
>
>> ]# openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose
>> -purpose sslclient TestThirtySeven_Revoked.pem
>> TestThirtySeven_Revoked.pem: C = US, O = <ORG>, OU = OU1, OU = OU2,
>> OU = OU3, CN = TESTThirtySeven.REVOKED.9000050001 error 23 at 0
>> depth lookup:certificate revoked
>>
>> Connector info from Tomcat: <Connector port="8443"
>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> SSLEnabled="true" scheme="https" maxHttpHeaderSize="8192"
>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>> enableLookups="false" acceptCount="100"
>> disableUploadTimeout="true" compression="on"
>> compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>> javascript,application/xml,application/x-javascript,application/javascript"
>> connectionTimeout="20000"
>> secure="true" SSLCertificateFile="/etc/ssl/certs/servercrt01.crt"
>> SSLCertificateKeyFile="/etc/ssl/certs/serverkey.pem"
>> SSLPassword="password" SSLCACertificatePath="/etc/ssl/certs/"
>> SSLVerifyClient="require" SSLCARevocationPath="/etc/ssl/certs/"
>> sslProtocol="TLS" redirectPort="8443" />
>>
>> The log file shows nothing related to CRL.
>>
>> The /etc/ssl/certs directory has hash links to my CAs and CRLs.
>
> You mean symlinks?
>

>> Does it help if I hit the server with a baseball bat?
>
> If I'm right (above), and the baseball bat causes a reboot without any
> other damage, then it might actually help.
>
> I don't believe Tomcat has any current mechanism for refreshing the
> CRL. I think that's been requested once or twice... not sure if it's
> actually in Bugzilla. If it's not, it should be: care to look and file
> the enhancement request if necessary?
>
OK... hit me with the baseball bat - I forgot to restart tomcat.  I've
read those steps repeatedly and forgot when it was important.



Re: Revoked Certificate being accepted

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Will,

On 12/11/12 11:43 AM, Will Nordmeyer wrote:
> I have my Tomcat 6.0.34 installation configured to use APR and 
> tcnative for certificate validation & CRL checking.
> 
> I have a revoked CRL and when I use the openssl command line to
> check the certificate, it properly returns certificate revoked.

You mean a revoked cert, right? I don't think you can revoke a CRL.
(Would that un-revoke the certs in the list...?)

> When I try going in through tomcat, however, it prompts for a 
> certificate to be selected and then once I select the revoked 
> certificate, it lets me into the application.

Did you start the server, revoke the certificate, then attempt to use
it to gain access? Tomcat loads the CRL once at startup when using
JSSE, so I assume the same thing happens with the APR connector.

If you restart Tomcat with no other changes, is the connection blocked?

> ]# openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose 
> -purpose sslclient TestThirtySeven_Revoked.pem 
> TestThirtySeven_Revoked.pem: C = US, O = <ORG>, OU = OU1, OU = OU2,
> OU = OU3, CN = TESTThirtySeven.REVOKED.9000050001 error 23 at 0
> depth lookup:certificate revoked
> 
> Connector info from Tomcat: <Connector port="8443" 
> protocol="org.apache.coyote.http11.Http11AprProtocol" 
> SSLEnabled="true" scheme="https" maxHttpHeaderSize="8192" 
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75" 
> enableLookups="false" acceptCount="100" 
> disableUploadTimeout="true" compression="on" 
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/
> javascript,application/xml,application/x-javascript,application/javascript"
> connectionTimeout="20000"
> secure="true" SSLCertificateFile="/etc/ssl/certs/servercrt01.crt" 
> SSLCertificateKeyFile="/etc/ssl/certs/serverkey.pem" 
> SSLPassword="password" SSLCACertificatePath="/etc/ssl/certs/" 
> SSLVerifyClient="require" SSLCARevocationPath="/etc/ssl/certs/" 
> sslProtocol="TLS" redirectPort="8443" />
> 
> The log file shows nothing related to CRL.
> 
> The /etc/ssl/certs directory has hash links to my CAs and CRLs.

You mean symlinks?

> Does it help if I hit the server with a baseball bat?

If I'm right (above), and the baseball bat causes a reboot without any
other damage, then it might actually help.

I don't believe Tomcat has any current mechanism for refreshing the
CRL. I think that's been requested once or twice... not sure if it's
actually in Bugzilla. If it's not, it should be: care to look and file
the enhancement request if necessary?

- -chris
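The point Chris makes above (Tomcat reads the CRL once at startup, so a CRL updated later on disk is not honoured until the server is restarted) turned into an operational check, as an added example that is not part of the thread or of Tomcat: it compares the mtime of every CRL behind the OpenSSL hash links (`<hash>.r0`, `.r1`, ...) in the `SSLCARevocationPath` directory with the start time of the Tomcat process. It assumes Linux with GNU coreutils (`stat -c`, `readlink -f`) and a procps `ps` that supports `etimes`; the PID-file path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Report whether a CRL on disk is newer
# than the running Tomcat process, i.e. the in-memory CRL is stale.
# Assumes Linux, GNU coreutils and procps (ps -o etimes).

# Epoch seconds at which process $1 started: now minus its elapsed seconds.
proc_start_epoch() {
    elapsed=$(ps -o etimes= -p "$1" 2>/dev/null | tr -d ' ') || return 2
    [ -n "$elapsed" ] || return 2
    echo $(( $(date +%s) - elapsed ))
}

# Epoch mtime of the file behind a (possibly symlinked) path.
file_mtime_epoch() {
    stat -c %Y "$(readlink -f "$1")"
}

# Return 0 when any CRL hash link (<hash>.r0, .r1, ...) in directory $1 points
# at a file modified after epoch $2, printing each such CRL; return 1 otherwise.
crls_changed_since() {
    dir=$1; since=$2; changed=1
    for link in "$dir"/*.r[0-9]*; do
        [ -e "$link" ] || continue          # unmatched glob or dangling link
        mtime=$(file_mtime_epoch "$link") || continue
        if [ "$mtime" -gt "$since" ]; then
            echo "stale: $link -> $(readlink -f "$link") (mtime $mtime > $since)"
            changed=0
        fi
    done
    return $changed
}

# Return 0 if Tomcat (PID $1) started before the newest CRL in $2 was written.
tomcat_needs_restart() {
    start=$(proc_start_epoch "$1") || return 2
    crls_changed_since "$2" "$start"
}

# Usage (placeholder PID file, SSLCARevocationPath from the connector above):
#   tomcat_needs_restart "$(cat /var/run/tomcat.pid)" /etc/ssl/certs && echo "restart Tomcat"
```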
