-
1. Re: JBOSS Support for CRL
anil.saldhana Jul 23, 2008 5:47 AM (in response to mali519)I am guessing that what you are referring is to the "crlFile" setting on the JSSE Connector in tomcat server.xml. Is that correct?
The current implementation of the tomcat socket factory does a load of the crl file when tomcat starts.
http://svn.apache.org/repos/asf/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE15SocketFactory.java
This is the classic problem that exists in the tomcat infrastructure that any changes to server.xml including any files that may be related to the tomcat server configuration, requires a restart.
For JBoss, we have had a feature request for a long time now.
https://jira.jboss.org/jira/browse/JBAS-3019
Vote on this JIRA issue if you want to raise the priority.
What is really needed is a JBoss version of the JDK TrustManager implementation that can lazily load CRL Files, that can be plugged in at the JVM level, such that not only the https layer but also RMI/SSL etc can make use of CRL validation. -
2. Re: JBOSS Support for CRL
mali519 Jul 23, 2008 4:49 PM (in response to mali519)Yes i was raising concerns on crlFile
I can understand that tomcat reads the sever.xml on startup only and that is a limitation we might have to live with it.
However, i could not understand the behavior of CRL once next update expires. It is blocking all connections simply because it could not verify the CRL. I am really hoping there is already a patch or workaround for this. -
3. Re: JBOSS Support for CRL
anil.saldhana Jul 28, 2008 2:13 PM (in response to mali519)Are you saying that you update the crl file, restart JBoss/Tomcat and the connections hang? Or the running system just hangs on connections if the crl file just got updated?
-
4. Re: JBOSS Support for CRL
mali519 Jul 30, 2008 6:47 PM (in response to mali519)I meant JBOSS/tomcat is not allowing connections, if CRL next update has expired. The workaround is to restart JBOSS. However, it will stop accepting connections again once the next update expires.