Hi all.
I've studied the documentation at
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support and
I have several questions on it.
1. While APR/Native has the config option SSLCACertificateFile that
defines the set of allowed client cert authorities, the JSSE SSL has no
analogous option. Is the set of allowed client cert authorities defined
implicitly by the Java cacerts file located in
$JAVA_HOME/lib/security/cacerts?
2. It seems to me that revocation checking of the client certificate is
done via "static" CRL files located in APR's SSLCARevocationPath or
JSSE's crlFile. If I write a cron task that periodically downloads the
CRL list(s), will Tomcat react to this change of the CRL file(s)? I've
found in the org.apache.httpd.dev mailing list a 5-year-old mail saying
that the Apache Server is not doing it.
http://markmail.org/message/nrhnyd6dppl25uxj
3. And in general, what is better to use, APR or JSSE? My opinion is: if
Tomcat is not serving a web portal, JSSE is good enough, although I
can use only one CRL file for client cert checking. In the case of APR I
must compile native libs on Linux, so it is more complicated but more
powerful ...
Jan