I am guessing that what you are referring is to the "crlFile" setting on the JSSE Connector in tomcat server.xml. Is that correct?
The current implementation of the tomcat socket factory does a load of the crl file when tomcat starts.
This is the classic problem that exists in the tomcat infrastructure that any changes to server.xml including any files that may be related to the tomcat server configuration, requires a restart.
For JBoss, we have had a feature request for a long time now.
Vote on this JIRA issue if you want to raise the priority.
What is really needed is a JBoss version of the JDK TrustManager implementation that can lazily load CRL Files, that can be plugged in at the JVM level, such that not only the https layer but also RMI/SSL etc can make use of CRL validation.
Yes i was raising concerns on crlFile
I can understand that tomcat reads the sever.xml on startup only and that is a limitation we might have to live with it.
However, i could not understand the behavior of CRL once next update expires. It is blocking all connections simply because it could not verify the CRL. I am really hoping there is already a patch or workaround for this.
Are you saying that you update the crl file, restart JBoss/Tomcat and the connections hang? Or the running system just hangs on connections if the crl file just got updated?
I meant JBOSS/tomcat is not allowing connections, if CRL next update has expired. The workaround is to restart JBOSS. However, it will stop accepting connections again once the next update expires.