Hi all,

I have configured a stand-alone Tomcat server with APR support that hosts a web application. I wanted to enable client authentication, so I put the following in server.xml:

```xml
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           executor="ThreadPool-port-8443"
           port="8443"
           address="my_server"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           SSLVerifyClient="require"
           SSLVerifyDepth="4"
           SSLCertificateChainFile="/path/to/certs/bundle_cert.pem"
           SSLCACertificateFile="/path/to/certs/root_bundle_cert.pem"
           SSLCertificateFile="/path/to/certs/my_server.crt"
           SSLCertificateKeyFile="/path/to/certs/my_server.key"
           SSLCARevocationFile="/path/to/certs/crl/tomcat.pem" />
```

Everything seems ok, but there are some issues:

1) When the CRL expires, Tomcat rejects every client certificate as expired, even certificates that were revoked before the expiration of the CRL and that the CRL was aware of (IMHO they should be treated as revoked ones).

2) If a certificate is revoked, the user can still authenticate even though the CRL is automatically updated. It seems to me that Tomcat reads the CRL once (when starting) and never again. Is that true? If I restart Tomcat everything works well. Is there any other way to reload the CRL?

3) I cannot find information about OCSP directives like SSLOCSPEnable (http://httpd.apache.org/docs/trunk/mod/mod_ssl.html). Is OCSP supported for my configuration? If not, is there any plan for supporting it?

Thanks in advance,
Pavlos

Server Configuration:
- Tomcat: 6.0.16
- APR: 1.2.12
- Tomcat Native: 1.1.13
- OpenSSL: 0.9.8g
- Java: 1.6.0_06

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
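An operational check for the two CRL conditions described in the post, added here as an example (not Tomcat's or the poster's code). It assumes the `openssl` CLI is on PATH and that the caller knows when the Tomcat JVM was started; `read_next_update`, `crl_status` and `check_crl_file` are names chosen for this example.

```python
"""Added check for the two CRL failure modes described in the post (not
Tomcat's own code). Assumes the openssl CLI is on PATH and that the
caller knows when the Tomcat JVM was started."""
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Format of the line produced by: openssl crl -noout -nextupdate -in <crl>
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_next_update(line: str) -> datetime:
    """Turn 'nextUpdate=Jan  1 00:00:00 2030 GMT' into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def read_next_update(crl_path: str) -> datetime:
    """Ask openssl for the CRL's nextUpdate field (wrapper written for this example)."""
    out = subprocess.run(
        ["openssl", "crl", "-noout", "-nextupdate", "-in", crl_path],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_next_update(out)


def crl_status(next_update: datetime, crl_mtime: datetime,
               tomcat_start: datetime, now: datetime) -> list[str]:
    """Return the findings that apply; an empty list means the CRL is fine.

    CRL_EXPIRED      - nextUpdate is in the past; the post reports that Tomcat
                       then rejects every client certificate (issue 1).
    CRL_NOT_RELOADED - the file changed after Tomcat started; with the CRL read
                       once at startup, revoked certs still pass (issue 2).
    """
    findings = []
    if now >= next_update:
        findings.append(f"CRL_EXPIRED: nextUpdate was {next_update.isoformat()}")
    if crl_mtime > tomcat_start:
        findings.append("CRL_NOT_RELOADED: CRL file is newer than the Tomcat start; "
                        "a restart is needed before it is used")
    return findings


def check_crl_file(crl_path: str, tomcat_start: datetime) -> list[str]:
    """Run both checks against a CRL on disk (e.g. the SSLCARevocationFile)."""
    mtime = datetime.fromtimestamp(Path(crl_path).stat().st_mtime, tz=timezone.utc)
    return crl_status(read_next_update(crl_path), mtime, tomcat_start,
                      datetime.now(timezone.utc))
```

Run `check_crl_file("/path/to/certs/crl/tomcat.pem", <jvm start time as aware UTC datetime>)` from cron; a non-empty result is the signal to refresh the CRL or restart the connector.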