4 Replies Latest reply on Jul 30, 2008 6:47 PM by mali519

    JBOSS Support for CRL

    mali519

      We are trying to set up HTTPS for JBOSS version 4.0.5. In this regard we discovered the following limitations in JBOSS:

      1. JBOSS does not support a CRL Distribution Point using an HTTP URL. We worked around this issue by manually copying the CRL to a local CRL cache file and pointing crlFile to this local cache.

      2. In order for JBOSS to pick up the updated CRL, it requires a restart.

      3. The last but most annoying aspect is that JBOSS does not accept connections if the next update for the CRL has expired and it has not been able to acquire the CRL update. We plan to publish the CRLs routinely, so it is important to pick up the dates. We basically set the next update in the CRL to be a day and noticed that JBOSS does not accept connections anymore once the next update time has passed. Not sure why this behavior exists.

      Can anyone recommend a workaround/resolution/patches for these issues, especially #3? Really appreciate all your help.

      Thanks,
      Mohammed

        • 1. Re: JBOSS Support for CRL
          anil.saldhana

          I am guessing that what you are referring to is the "crlFile" setting on the JSSE Connector in tomcat server.xml. Is that correct?

          The current implementation of the tomcat socket factory does a load of the crl file when tomcat starts.
          http://svn.apache.org/repos/asf/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE15SocketFactory.java

          This is the classic problem that exists in the tomcat infrastructure: any changes to server.xml, including any files that may be related to the tomcat server configuration, require a restart.

          For JBoss, we have had a feature request for a long time now.
          https://jira.jboss.org/jira/browse/JBAS-3019
          Vote on this JIRA issue if you want to raise the priority.

          What is really needed is a JBoss version of the JDK TrustManager implementation that can lazily load CRL Files, that can be plugged in at the JVM level, such that not only the https layer but also RMI/SSL etc can make use of CRL validation.

          • 2. Re: JBOSS Support for CRL
            mali519

            Yes, I was raising concerns on crlFile.

            I can understand that tomcat reads the server.xml on startup only, and that is a limitation we might have to live with.

            However, I could not understand the behavior of CRL once the next update expires. It is blocking all connections simply because it could not verify the CRL. I am really hoping there is already a patch or workaround for this.

            • 3. Re: JBOSS Support for CRL
              anil.saldhana

              Are you saying that you update the crl file, restart JBoss/Tomcat and the connections hang? Or the running system just hangs on connections if the crl file just got updated?

              • 4. Re: JBOSS Support for CRL
                mali519

                I meant JBOSS/tomcat is not allowing connections, if CRL next update has expired. The workaround is to restart JBOSS. However, it will stop accepting connections again once the next update expires.
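A way to catch issue #3 before the connector starts rejecting clients, as an added example that is not part of this thread and not JBoss or Tomcat code: load the same file that crlFile points to, compare its nextUpdate with the clock, and exit non-zero so a cron job or monitor can refresh the local CRL cache and schedule the restart in time. The path and the warning window are assumptions; adjust them to your deployment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.time.Duration;
import java.time.Instant;

/**
 * Added example (not JBoss/Tomcat code): reports whether the CRL referenced
 * by the connector's crlFile attribute has passed, or is about to pass, its
 * nextUpdate. Exit code 0 = fresh, 1 = expiring soon, 2 = already expired.
 */
public class CrlFreshnessCheck {
    // Hypothetical path; point it at the local CRL cache used by crlFile.
    static final String DEFAULT_CRL = "/opt/jboss/server/default/conf/local.crl";

    /** Parses a DER or PEM encoded CRL, exactly as the JSSE connector does. */
    public static X509CRL load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    /** Seconds until nextUpdate; negative means it has already passed. */
    public static long secondsUntilNextUpdate(X509CRL crl, Instant now) {
        if (crl.getNextUpdate() == null) {
            return Long.MAX_VALUE; // nextUpdate is optional; nothing to expire
        }
        return Duration.between(now, crl.getNextUpdate().toInstant()).getSeconds();
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : DEFAULT_CRL;
        long warnSeconds = args.length > 1 ? Long.parseLong(args[1]) : 6 * 3600; // assumed window
        X509CRL crl = load(path);
        long left = secondsUntilNextUpdate(crl, Instant.now());
        System.out.println("issuer=" + crl.getIssuerX500Principal()
                + " thisUpdate=" + crl.getThisUpdate() + " nextUpdate=" + crl.getNextUpdate());
        if (left < 0) {
            System.out.println("EXPIRED: nextUpdate passed; refresh the CRL cache and restart JBoss");
            System.exit(2);
        } else if (left < warnSeconds) {
            System.out.println("WARNING: nextUpdate in " + left + "s; refresh the CRL cache now");
            System.exit(1);
        }
        System.out.println("OK: " + left + "s until nextUpdate");
    }
}
```

Run it as `java CrlFreshnessCheck /path/to/local.crl 21600` from cron more often than the CRL's publication interval, so the refresh and restart happen inside the validity window rather than after clients are already being refused.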