Bug ID: 62094
           Summary: Certificate verification using CRL with Tomcat APR
                    connector does not work
           Product: Tomcat Native
           Version: 1.2.7
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Library
  Target Milestone: ---

Certificate verification using CRL with Tomcat APR connector does not work

[Frequency of Occurrence]

Neither SSLCARevocationFile nor SSLCARevocationPath has any effect for
certificate verification.

[System/Software Info]
OS: Red Hat Enterprise Linux Server release 7.3 (Maipo)
Tomcat: 8.0.44
Tomcat Native: 1.2.7
Tomcat APR: 1.5.2
OpenSSL: 1.0.2k

Note: The issue also exists in Windows platform.

1. OpenSSL binary/utility (usually available on common Linux distributions)
2. OpenSSL library. See the References section.
3. APR library for Linux. See the References section.
4. Tomcat Native library for Linux (this needs to be built from the source
code.  Tomcat does not include this for Linux.) See the References section.

[Setup Steps]
I. Certificates
1. Use OpenSSL to create the certificates as follows.  See the information
regarding how to create certificates in the References section.
(1.1) a private CA certificate
(1.2) a server identity certificate, signed by the private CA certificate
created in Step (1.1)
(1.3) a client/browser identity certificate, signed by the private CA
certificate created in Step (1.1).  Convert the client/browser identity
certificate from PEM to PKCS12, say "browsercert.p12".
2. After creating the client/browser identity certificate, revoke it.
3. Create a CRL from the private CA.
4. Import the client/browser identity certificate to the browser of your

II. Tomcat Setup
1. Get Tomcat for Linux and deploy it onto a Linux test server.
2. Configure the connectors in Tomcat server.xml as follows:

// --- Tomcat 'server.xml' [S] ---
<Connector port="18080" protocol="HTTP/1.1"
  redirectPort="18443" />

  SSLProtocol = "TLSv1.2"
  server="Tomcat 8.0.44"
  SSLHonorCipherOrder="true" />
// --- Tomcat 'server.xml' [E] ---

3. Create the file "" with the contents as below (adjust to the actual
deployment environment accordingly)
// --- "" [S] ---


export JRE_BIN=$JRE_HOME/bin/java
// --- "" [E] ---

4. Copy the required APR libraries to "$CATALINA_HOME\bin"
(4.1) APR:
(4.2) tcnative:
(4.3) OpenSSL:

5. Create the folder "ssl" under "$CATALINA_HOME".

6. Put the certificates in the following locations, where "$CATALINA_HOME" is
the directory in which Tomcat is installed.
(2.1) the private CA certificate -> "$CATALINA_HOME/ssl/ca"
(2.2) the server identity certificate -> "$CATALINA_HOME/ssl/cert"
(2.3) the private CA CRL -> "$CATALINA_HOME/ssl/crl"

[Test Procedure]
*Ensure all setup steps have been completed properly.

1. Start Tomcat.
2. Start the web browser and connect to Tomcat using
"https://_TOMCAT_SERVER_ADDR:18443/index.jsp".  When prompted, choose the
imported client/browser identity certificate for the connection.

Expected Results:
1. The connection would fail due to the revoked client/browser certificate.

Actual Results:
1. The connection still goes through and Tomcat "index.jsp" is accessible.

[Investigation Findings]
1. In tcnative, the CRL check flags for OpenSSL are not set on the corresponding
SSLContext.  See the function "TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)"
in "tomcat-native-1.2.7-src\native\src\sslcontext.c".
2. In tcnative, the CRL cert store is not set in the corresponding SSLContext. See
the function "TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)" in

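The following script is an added example, not part of the bug report or of tcnative: it builds a throw-away CA with the OpenSSL CLI (Setup Steps I.1 to I.3), revokes the client certificate, issues a CRL, and then verifies the certificate with and without CRL checking. The CA-only case mirrors the "Actual Results" above (a server that never loads the CRL or sets the CRL check flags accepts the revoked certificate); the CRL-enforced case is the "Expected Results". All file names and subjects are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): revoked client cert vs. CRL checking.
set -eu
work=$(mktemp -d)
cd "$work"

# Minimal openssl.cnf for the 'openssl ca' subcommands (-revoke, -gencrl).
cat > ca.cnf <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $work/index.txt
crlnumber        = $work/crlnumber
certificate      = $work/ca.crt
private_key      = $work/ca.key
default_md       = sha256
default_crl_days = 30
EOF
touch index.txt
echo 01 > crlnumber

# Step I.1 (1.1) and (1.3): private CA, then a client certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test CA" -days 30 \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=revoked-client" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -out client.crt 2>/dev/null

# Steps I.2 and I.3: revoke the client certificate and issue the CRL.
openssl ca -config ca.cnf -revoke client.crt
openssl ca -config ca.cnf -gencrl -out ca.crl

# Returns 0 when OpenSSL accepts client.crt. $1 = yes enforces the CRL
# (-crl_check plus the CRL itself); no verifies against the CA only.
verify_client() {
  if [ "$1" = yes ]; then
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl client.crt 2>&1 || true)
  else
    out=$(openssl verify -CAfile ca.crt client.crt 2>&1 || true)
  fi
  printf '%s\n' "$out" | grep -q ': OK$'
}

if verify_client no; then echo "CA-only check: accepted (the bug's actual result)"; fi
if verify_client yes; then echo "CRL check: accepted"; else echo "CRL check: rejected (expected)"; fi
```

`-crl_check` only checks the leaf certificate; `-crl_check_all` also checks every CA in the chain, which is what a server would need if intermediate CAs can be revoked too.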
[Proposed Fixes]
The fix is courtesy of C.Y. Chen.  See the attached file "sslconext.c".  Look
for "CRL Fix" for the modification.

[References]
1. Certificate Creation

2. Default OpenSSL configuration file may be available on a Linux server at:

3. Tomcat
(3.1) Main:
(3.2) 8.0.44 download:

4. Tomcat APR:
(4.1) Main:
(4.2) 1.5.2 download:

5. Tomcat Native
(5.1) Main:
(5.2) 1.2.7 download:

6. OpenSSL
(6.1) Main:
(6.2) 1.0.2k:
