Hi all.
I've studied the documentation at http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support and I have several questions on it.

1. While APR/Native has the config option SSLCACertificateFile, which defines the set of allowed client cert authorities, the JSSE SSL has no analogous option. Is the set of allowed client cert authorities defined implicitly by the Java cacerts file located in $JAVA_HOME/lib/security/cacerts?

2. It seems to me that revocation checking of the client certificate is done via "static" CRL files located in APR's SSLCARevocationPath or JSSE's crlFile. If I write a cron task that periodically downloads the CRL(s), will Tomcat react to this change of the CRL file(s)? I've found in the org.apache.httpd.dev mailing list a 5-year-old mail saying that the Apache Server does not do it: http://markmail.org/message/nrhnyd6dppl25uxj

3. And in general, which is better to use, APR or JSSE? My opinion is: if Tomcat is not serving a web portal, JSSE is good enough, although I can use only one CRL file for client cert checking. In the case of APR I must compile native libs on Linux, so it is more complicated but more powerful ...

Jan
