https://issues.apache.org/bugzilla/show_bug.cgi?id=45392
--- Comment #4 from Aristotelis <[EMAIL PROTECTED]> 2008-07-14 05:13:52 PST ---
(In reply to comment #3)
> -1. Please do not add zillions of random features to the Tomcat native code. If
> APR supports it, then it's ok, otherwise I don't think this is a good idea.

Please correct me if I'm wrong on this, but Tomcat using APR in order to have the OpenSSL functionality makes callbacks to the native code that exists within Apache Tomcat. So actually, for client authentication, the function that is used to verify the certs is in sslutils.c:

/*
 * This OpenSSL callback function is called when OpenSSL
 * does client authentication and verifies the certificate chain.
 */
int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)

So I believe this part is the responsibility of Tomcat (or perhaps I'm getting something totally wrong) (at least the code resides in this branch).

On a side note, I don't think this is a random feature for Tomcat, since I haven't found a proper way of reloading the CRL (besides restarting the service), and permitting clients to connect with revoked certificates is not the best case scenario (from a security point of view there must be a good reason for a certificate to be revoked).
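Added example, not part of this bug thread and not Tomcat's, APR's or OpenSSL's code: the revocation decision that a verify callback such as the SSL_callback_SSL_verify mentioned above has to make, and a CRL that is swapped in at runtime instead of by restarting the service. It is written in Python with the cryptography library rather than as the C callback, so the ReloadingCrlVerifier class, the "Example Test CA" name and the serial numbers 1001/1002 are all constructed for the demo. The point it adds to the comment is what a safe reload has to check: the new CRL must name the trusted CA as issuer and verify under its key (otherwise whoever can write the CRL file can un-revoke a certificate), and a CRL past its nextUpdate must fail closed, not open.

```python
# Added example (not Tomcat's or APR's code): the revocation decision an OpenSSL
# verify callback like SSL_callback_SSL_verify must make, in Python with the
# `cryptography` library, plus a CRL that can be reloaded without a restart.
# The CA name, serials and ReloadingCrlVerifier class are constructed for the demo.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _aware(obj, name):
    """Read a timestamp as aware UTC on both old and new cryptography releases."""
    value = getattr(obj, name + "_utc", None)  # cryptography >= 42 exposes *_utc
    return value if value is not None else getattr(obj, name).replace(tzinfo=UTC)


def _validity(builder):
    now = datetime.datetime.now(UTC)
    return (builder.not_valid_before(now - datetime.timedelta(minutes=5))
                   .not_valid_after(now + datetime.timedelta(days=1)))


def make_ca():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = (_validity(x509.CertificateBuilder().subject_name(name).issuer_name(name)
                      .public_key(key.public_key()).serial_number(x509.random_serial_number()))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_client_cert(ca_key, ca_cert, common_name, serial):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (_validity(x509.CertificateBuilder().subject_name(subject).issuer_name(ca_cert.subject)
                      .public_key(key.public_key()).serial_number(serial))
            .sign(ca_key, hashes.SHA256()))


def make_crl_pem(ca_key, ca_cert, revoked_serials, next_update=None):
    """Constructed CRL from the CA; next_update in the past yields a stale CRL."""
    now = datetime.datetime.now(UTC)
    next_update = next_update or now + datetime.timedelta(hours=24)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(min(now, next_update) - datetime.timedelta(minutes=5))
               .next_update(next_update))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now - datetime.timedelta(minutes=1)).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


class ReloadingCrlVerifier:
    def __init__(self, ca_cert, crl_pem):
        self.ca_cert, self._crl_pem, self._revoked, self._crl_next_update = ca_cert, None, frozenset(), None
        self.reload_crl(crl_pem)

    def reload_crl(self, crl_pem):
        """Install a new CRL at runtime. Returns False if unchanged; raises ValueError
        and keeps the old CRL if the new one is not an authentic CRL from our CA."""
        if crl_pem == self._crl_pem:
            return False
        crl = x509.load_pem_x509_crl(crl_pem)
        # Whoever can write the CRL file must not be able to un-revoke a cert:
        # the CRL has to name our CA as issuer and verify under the CA's key.
        if crl.issuer != self.ca_cert.subject:
            raise ValueError("CRL issuer is not the trusted CA")
        if not crl.is_signature_valid(self.ca_cert.public_key()):
            raise ValueError("CRL signature does not verify under the CA key")
        self._revoked = frozenset(r.serial_number for r in crl)
        self._crl_next_update = _aware(crl, "next_update")
        self._crl_pem = crl_pem
        return True

    def verify_client(self, cert):
        """The callback's decision as (ok, reason); every branch fails closed."""
        now = datetime.datetime.now(UTC)
        if cert.issuer != self.ca_cert.subject:
            return False, "issuer is not the trusted CA"
        try:
            self.ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                             padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, "certificate signature does not verify"
        if not _aware(cert, "not_valid_before") <= now <= _aware(cert, "not_valid_after"):
            return False, "certificate outside its validity period"
        if self._crl_next_update < now:
            return False, "CRL past nextUpdate, failing closed"
        if cert.serial_number in self._revoked:
            return False, "certificate revoked"
        return True, "ok"


def demo():
    ca_key, ca_cert = make_ca()
    alice = make_client_cert(ca_key, ca_cert, "alice", 1001)
    bob = make_client_cert(ca_key, ca_cert, "bob", 1002)
    verifier = ReloadingCrlVerifier(ca_cert, make_crl_pem(ca_key, ca_cert, []))
    result = {"before": {c.serial_number: verifier.verify_client(c)[0] for c in (alice, bob)}}
    # Bob's key leaks: the CA publishes a new CRL and the server picks it up live.
    verifier.reload_crl(make_crl_pem(ca_key, ca_cert, [1002]))
    result["after"] = {c.serial_number: verifier.verify_client(c)[0] for c in (alice, bob)}
    # A CRL signed by a different key (same CA name) is rejected; Bob stays revoked.
    rogue_key, rogue_ca = make_ca()
    try:
        verifier.reload_crl(make_crl_pem(rogue_key, rogue_ca, []))
        result["rogue_crl_rejected"] = False
    except ValueError:
        result["rogue_crl_rejected"] = True
    result["bob_still_revoked"] = verifier.verify_client(bob) == (False, "certificate revoked")
    # An authentic but expired CRL makes the check fail closed rather than open.
    stale_at = datetime.datetime.now(UTC) - datetime.timedelta(days=1)
    verifier.reload_crl(make_crl_pem(ca_key, ca_cert, [], next_update=stale_at))
    result["stale_crl_fails_closed"] = verifier.verify_client(alice)[0] is False
    return result


if __name__ == "__main__":
    print(demo())
```

The reload is deliberately all-or-nothing: the issuer and signature checks run before any state is touched, so a rejected CRL leaves the previous revocation set in force, and the serial set is swapped as one frozenset so a connection being verified mid-reload sees either the old list or the new one, never a half-built one.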