Re: Certificate Revocation Lists in Tomcat 5.5
I've gotten it to work!! (Well, mostly :) )
The last problem that I was having (below) is that the parameter in the
server.xml file should have been crlFile rather than crlFiles (with an 's').
Now, when I point to a CRL file in the server.xml file and then try to
access the site with a revoked cert, I am refused. So, Tomcat 5.5.12 does
support CRLs, but it takes some extra work.
Now, one last question that maybe someone can answer...
As you may have guessed by the error I made above (adding the 's' to
crlFile), I want to be able to point to multiple CRL files. Ideally, point
to a directory which contains multiple CRL files. I don't see any way to do
this. Does anyone know of a way? If I can get this last part, I will be
golden.
Thanks again everyone for your help.
-Kennedy
- Original Message -
From: Kennedy Roberts [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, December 01, 2005 2:18 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5
Ok, hopefully I am getting close:
I have recompiled the tomcat-util.jar using the 1.5 JDK. I have looked at
the contents of the jar and it does now include the JSSE15Factory and
JSSE15SocketFactory classes. The version of the tomcat-util.jar that came
with Tomcat 5.5.12 did not even have these files in it. So, I take that
to mean that the recompilation was a success.
I place this jar in the {tomcat.home}/server/lib directory and restarted
Tomcat AND my webapp. I've also added the following to my
{tomcat.home}/conf/server.xml file:
crlFiles=C:\crl.txt
This crl.txt is a CRL which I have confirmed (using openSSL) contains one
of my user certificates.
...and it's still not working. I put a System.out.println() statement in
the JSSE15SocketFactory to see if it is getting called, but I'm not seeing
this statement in the log, as if this class isn't getting called.
Any ideas? I think I'm close to getting this working, and looking through
the archives, a definitive solution to this problem would help a bunch of
people out!
Thanks,
Kennedy
- Original Message -
From: Martin Dubuc [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5
CRL support is present in Tomcat 5.5.12.
I am not an expert on Tomcat CRL support but what I
know is the following:
- You will need to recompile some of the
tomcat-util.jar classes with JDK 1.5 because Tomcat
5.5.12 was compiled with JDK 1.4. The classes to be
recompiled are:
org.apache.tomcat.util.net.jsse.JSSE15Factory and
org.apache.tomcat.util.net.jsse.JSSE15SocketFactory
classes.
- The crlFile property needs to be added inside your
SSL Connector in the server.xml file. The value is the
location of the CRL file on your system.
Regards,
Martin
--- Duan, Nick [EMAIL PROTECTED] wrote:
Tomcat currently doesn't support cert validation
against CRL. You may
want to use Apache's mod_ssl to do the CRL checking.
You will have to
use mod_jk to connect Apache web server with tomcat.
SSL is very computational intensive. Use Apache's
httpd to do the SSL
work is more efficient than to use Java-based
tomcat.
ND
-Original Message-
From: Kennedy Roberts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 10:55 AM
To: users@tomcat.apache.org
Subject: Certificate Revocation Lists in Tomcat 5.5
Hi all,
We've recently migrated our (SSL enabled) web
application from
SunOne to
Tomcat 5.5, and I can't find any information on
handling Certificate
Revocation Lists in Tomcat. In SunOne, there was a
function in the
administration console that let you import a CRL.
Is there any
equivalent
in Tomcat, or perhaps some other command line
equivalent?
Thanks for your help.
-Kennedy
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Certificate Revocation Lists in Tomcat 5.5
Ok, hopefully I am getting close:
I have recompiled the tomcat-util.jar using the 1.5 JDK. I have looked at
the contents of the jar and it does now include the JSSE15Factory and
JSSE15SocketFactory classes. The version of the tomcat-util.jar that came
with Tomcat 5.5.12 did not even have these files in it. So, I take that to
mean that the recompilation was a success.
I place this jar in the {tomcat.home}/server/lib directory and restarted
Tomcat AND my webapp. I've also added the following to my
{tomcat.home}/conf/server.xml file:
crlFiles=C:\crl.txt
This crl.txt is a CRL which I have confirmed (using openSSL) contains one of
my user certificates.
...and it's still not working. I put a System.out.println() statement in
the JSSE15SocketFactory to see if it is getting called, but I'm not seeing
this statement in the log, as if this class isn't getting called.
Any ideas? I think I'm close to getting this working, and looking through
the archives, a definitive solution to this problem would help a bunch of
people out!
Thanks,
Kennedy
- Original Message -
From: Martin Dubuc [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat 5.5
CRL support is present in Tomcat 5.5.12.
I am not an expert on Tomcat CRL support but what I
know is the following:
- You will need to recompile some of the
tomcat-util.jar classes with JDK 1.5 because Tomcat
5.5.12 was compiled with JDK 1.4. The classes to be
recompiled are:
org.apache.tomcat.util.net.jsse.JSSE15Factory and
org.apache.tomcat.util.net.jsse.JSSE15SocketFactory
classes.
- The crlFile property needs to be added inside your
SSL Connector in the server.xml file. The value is the
location of the CRL file on your system.
Regards,
Martin
--- Duan, Nick [EMAIL PROTECTED] wrote:
Tomcat currently doesn't support cert validation
against CRL. You may
want to use Apache's mod_ssl to do the CRL checking.
You will have to
use mod_jk to connect Apache web server with tomcat.
SSL is very computational intensive. Use Apache's
httpd to do the SSL
work is more efficient than to use Java-based
tomcat.
ND
-Original Message-
From: Kennedy Roberts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 10:55 AM
To: users@tomcat.apache.org
Subject: Certificate Revocation Lists in Tomcat 5.5
Hi all,
We've recently migrated our (SSL enabled) web
application from
SunOne to
Tomcat 5.5, and I can't find any information on
handling Certificate
Revocation Lists in Tomcat. In SunOne, there was a
function in the
administration console that let you import a CRL.
Is there any
equivalent
in Tomcat, or perhaps some other command line
equivalent?
Thanks for your help.
-Kennedy
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Certificate Revocation Lists in Tomcat 5.5
Martin,
Thanks again for you input. The reason I ask about quirks is because I
have seen examples using crlFiles (not the 's') rather than crlFile. The
value for this parameter then used a wildcard to point to all of the files
in a certain directory. Have you seen it used like this?
And just to clarify: once I do have a CRL, if I point to it in this manner,
and also have client authentication enabled, I should be barred from
accessing the site with a revoked certificate, correct?
Thanks,
Kennedy
- Original Message -
From: Martin Dubuc [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, November 30, 2005 2:45 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5
1) crlFile is a standard parameter for Connector since
Tomcat 5.5.10 if my recollection is right.
2) There are no quirks in using it.
Martin
--- Kennedy Roberts [EMAIL PROTECTED] wrote:
After doing some research, I have found a few
examples of
{tomcat.home}/conf/server.xml files online that use
the crlFiles param as
part of a connector. Is this a standard parameter
that can be used in the
server.xml file? I ask because the sites where I
have found these examples
are not clear in whether this is some added
functionality. The reason I
don't try it out myself is because at this point I
don't have a CRL which
contains any of the certificates we use in our
development environment.
To summarize:
1) Is the crlFiles param a standard connector
element?
2) Has (does) anyone use this param, and are there
any quirks to using it.
Thanks,
Kennedy
- Original Message -
From: Martin Dubuc [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat
5.5
CRL support is present in Tomcat 5.5.12.
I am not an expert on Tomcat CRL support but what
I
know is the following:
- You will need to recompile some of the
tomcat-util.jar classes with JDK 1.5 because
Tomcat
5.5.12 was compiled with JDK 1.4. The classes to
be
recompiled are:
org.apache.tomcat.util.net.jsse.JSSE15Factory and
org.apache.tomcat.util.net.jsse.JSSE15SocketFactory
classes.
- The crlFile property needs to be added inside
your
SSL Connector in the server.xml file. The value is
the
location of the CRL file on your system.
Regards,
Martin
--- Duan, Nick [EMAIL PROTECTED]
wrote:
Tomcat currently doesn't support cert validation
against CRL. You may
want to use Apache's mod_ssl to do the CRL
checking.
You will have to
use mod_jk to connect Apache web server with
tomcat.
SSL is very computational intensive. Use
Apache's
httpd to do the SSL
work is more efficient than to use Java-based
tomcat.
ND
-Original Message-
From: Kennedy Roberts
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 10:55 AM
To: users@tomcat.apache.org
Subject: Certificate Revocation Lists in Tomcat
5.5
Hi all,
We've recently migrated our (SSL enabled) web
application from
SunOne to
Tomcat 5.5, and I can't find any information on
handling Certificate
Revocation Lists in Tomcat. In SunOne, there was
a
function in the
administration console that let you import a CRL.
Is there any
equivalent
in Tomcat, or perhaps some other command line
equivalent?
Thanks for your help.
-Kennedy
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Certificate Revocation Lists in Tomcat 5.5
The answer here is definite maybe
If the certificate issuer does not support Online Certificate Status
Protocol (OCSP)
Then there is no ability to verify that the certificate is invalid as the
ability to determine 'revoked status' in itself fails
To this day this is a known bug with CRLs
and one which should force more verifiable security precautions such as
Kerberos from MIT
or perhaps the use of Public Key Encryption (PKI)
Martin-
- Original Message -
From: Kennedy Roberts [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, November 30, 2005 2:49 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5
Martin,
Thanks again for you input. The reason I ask about quirks is because I
have seen examples using crlFiles (not the 's') rather than crlFile. The
value for this parameter then used a wildcard to point to all of the files
in a certain directory. Have you seen it used like this?
And just to clarify: once I do have a CRL, if I point to it in this
manner, and also have client authentication enabled, I should be barred
from accessing the site with a revoked certificate, correct?
Thanks,
Kennedy
- Original Message -
From: Martin Dubuc [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, November 30, 2005 2:45 PM
Subject: Re: Certificate Revocation Lists in Tomcat 5.5
1) crlFile is a standard parameter for Connector since
Tomcat 5.5.10 if my recollection is right.
2) There are no quirks in using it.
Martin
--- Kennedy Roberts [EMAIL PROTECTED] wrote:
After doing some research, I have found a few
examples of
{tomcat.home}/conf/server.xml files online that use
the crlFiles param as
part of a connector. Is this a standard parameter
that can be used in the
server.xml file? I ask because the sites where I
have found these examples
are not clear in whether this is some added
functionality. The reason I
don't try it out myself is because at this point I
don't have a CRL which
contains any of the certificates we use in our
development environment.
To summarize:
1) Is the crlFiles param a standard connector
element?
2) Has (does) anyone use this param, and are there
any quirks to using it.
Thanks,
Kennedy
- Original Message -
From: Martin Dubuc [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 3:11 PM
Subject: RE: Certificate Revocation Lists in Tomcat
5.5
CRL support is present in Tomcat 5.5.12.
I am not an expert on Tomcat CRL support but what
I
know is the following:
- You will need to recompile some of the
tomcat-util.jar classes with JDK 1.5 because
Tomcat
5.5.12 was compiled with JDK 1.4. The classes to
be
recompiled are:
org.apache.tomcat.util.net.jsse.JSSE15Factory and
org.apache.tomcat.util.net.jsse.JSSE15SocketFactory
classes.
- The crlFile property needs to be added inside
your
SSL Connector in the server.xml file. The value is
the
location of the CRL file on your system.
Regards,
Martin
--- Duan, Nick [EMAIL PROTECTED]
wrote:
Tomcat currently doesn't support cert validation
against CRL. You may
want to use Apache's mod_ssl to do the CRL
checking.
You will have to
use mod_jk to connect Apache web server with
tomcat.
SSL is very computational intensive. Use
Apache's
httpd to do the SSL
work is more efficient than to use Java-based
tomcat.
ND
-Original Message-
From: Kennedy Roberts
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 10:55 AM
To: users@tomcat.apache.org
Subject: Certificate Revocation Lists in Tomcat
5.5
Hi all,
We've recently migrated our (SSL enabled) web
application from
SunOne to
Tomcat 5.5, and I can't find any information on
handling Certificate
Revocation Lists in Tomcat. In SunOne, there was
a
function in the
administration console that let you import a CRL.
Is there any
equivalent
in Tomcat, or perhaps some other command line
equivalent?
Thanks for your help.
-Kennedy
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
__
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
RE: Certificate Revocation Lists in Tomcat 5.5
Tomcat currently doesn't support cert validation against CRL. You may want to use Apache's mod_ssl to do the CRL checking. You will have to use mod_jk to connect Apache web server with tomcat. SSL is very computational intensive. Use Apache's httpd to do the SSL work is more efficient than to use Java-based tomcat. ND -Original Message- From: Kennedy Roberts [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 10:55 AM To: users@tomcat.apache.org Subject: Certificate Revocation Lists in Tomcat 5.5 Hi all, We've recently migrated our (SSL enabled) web application from SunOne to Tomcat 5.5, and I can't find any information on handling Certificate Revocation Lists in Tomcat. In SunOne, there was a function in the administration console that let you import a CRL. Is there any equivalent in Tomcat, or perhaps some other command line equivalent? Thanks for your help. -Kennedy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Certificate Revocation Lists in Tomcat 5.5
That's indeed good news. I'd really like to know the result and appreciate any details. Tomcat 5.5 supposed to run on JDK 1.5. Why was it compiled with JDK 1.4? ND -Original Message- From: Kennedy Roberts [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 3:24 PM To: Tomcat Users List Subject: Re: Certificate Revocation Lists in Tomcat 5.5 Martin, I have yet to try what you suggested, but if this is the case, I am grateful for your advice. I had already got our web application up and running on stand alone Tomcat (5.5.12) when I ran into this issue. Realizing this, I was thinking that I would have to scrap my work and start over figuring out how to run our web app with Tomcat integrated with Apache HTTP server. That option seems more labor intensive, as configuration of Tomcat was a breeze (even using SSL). Two questions (for anyone): 1) Is there any reason why running our web app under Tomcat is not as good as running it under Tomcat/Apache HTTP server integrated? 2) With the solution proposed below, is it possible to point to more than one CRL file? We multiple from multiple agencies, and previously just imported them one at a time into SunOne. Thanks again for your help -Kennedy - Original Message - From: Martin Dubuc [EMAIL PROTECTED] To: Tomcat Users List users@tomcat.apache.org Sent: Tuesday, November 29, 2005 3:11 PM Subject: RE: Certificate Revocation Lists in Tomcat 5.5 CRL support is present in Tomcat 5.5.12. I am not an expert on Tomcat CRL support but what I know is the following: - You will need to recompile some of the tomcat-util.jar classes with JDK 1.5 because Tomcat 5.5.12 was compiled with JDK 1.4. The classes to be recompiled are: org.apache.tomcat.util.net.jsse.JSSE15Factory and org.apache.tomcat.util.net.jsse.JSSE15SocketFactory classes. - The crlFile property needs to be added inside your SSL Connector in the server.xml file. The value is the location of the CRL file on your system. Regards, Martin --- Duan, Nick [EMAIL PROTECTED] wrote: Tomcat currently doesn't support cert validation against CRL. You may want to use Apache's mod_ssl to do the CRL checking. You will have to use mod_jk to connect Apache web server with tomcat. SSL is very computational intensive. Use Apache's httpd to do the SSL work is more efficient than to use Java-based tomcat. ND -Original Message- From: Kennedy Roberts [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 10:55 AM To: users@tomcat.apache.org Subject: Certificate Revocation Lists in Tomcat 5.5 Hi all, We've recently migrated our (SSL enabled) web application from SunOne to Tomcat 5.5, and I can't find any information on handling Certificate Revocation Lists in Tomcat. In SunOne, there was a function in the administration console that let you import a CRL. Is there any equivalent in Tomcat, or perhaps some other command line equivalent? Thanks for your help. -Kennedy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Certificate Revocation Lists in Tomcat 5.5
The official tomcat 5.5.12 was compiled and packaged with J2SE5.0, not JDK 1.4. You'll get an error message if you run tomcat on 1.4. ND -Original Message- From: Mark Thomas [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 4:46 PM To: Tomcat Users List Subject: Re: Certificate Revocation Lists in Tomcat 5.5 Caldarale, Charles R wrote: From: Duan, Nick [mailto:[EMAIL PROTECTED] Subject: RE: Certificate Revocation Lists in Tomcat 5.5 Tomcat 5.5 supposed to run on JDK 1.5. Why was it compiled with JDK 1.4? Because it's supposed to run on JRE 1.4 as well. Compiling on 1.5 would have precluded that. Not necessarily. But it would create complications to maintain 1.4 compatibility where there is 1.5 specific code. The 1.5 code is skipped if 1.4 is used to build. I'm a bit suspicious of the statement that certain classes had to be recompiled with 1.5; I suspect there's something more subtle than that going on. Nope, it is that simple. There was a discussion about this on the dev list recently. However, I would be wary of only compiling the extra classes. To be on the safe side, I would re-build the lot with 1.5. Mark - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Certificate Revocation Lists in Tomcat 5.5
Duan, Nick wrote: The official tomcat 5.5.12 was compiled and packaged with J2SE5.0, not JDK 1.4. You'll get an error message if you run tomcat on 1.4. ND Um, no it wasn't. It was built using 1.4. That is why the 5.0 specific stuff is missing. Mark - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
