Tomcat with native and CRL reloading.

October 2, 2012

Let’s not have the argument over whether Tomcat should run standalone (with tcnative and APR) or behind a web server that proxies requests back to it; let’s assume the Tomcat native case.
In that setup, one issue that comes up regularly when Tomcat is also configured for client certificate authentication is CRL expiration. Once the CRL passes its nextUpdate time, Tomcat (through OpenSSL) refuses to authenticate any further clients and the application comes to a halt. That is not a bad thing per se: nobody should want logins to be accepted while there is no reasonably current way of knowing whether one of the certificates has been revoked. The real problem is that there is no clean way of making Tomcat reload the CRL once the old one expires. To fix this, a new patch for tcnative was created.
More information about the issue and the patch can be found here: link.
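Until a reload mechanism is in place, the practical defence is to notice an expiring CRL before Tomcat does. The following is an added example, not code from the post or from tcnative: a dependency-free Python check that reads thisUpdate and nextUpdate straight out of a DER-encoded CRL and classifies it as ok, expiring, expired or not-yet-valid. It also builds a constructed, unsigned sample CRL so it runs offline; the issuer name, dates and the one-day warning window are assumptions for the demo, and the parser deliberately does not verify the CRL signature (that remains OpenSSL's job inside Tomcat).

```python
"""Check whether an X.509 CRL (DER) is still inside its validity window.

Added example. The minimal DER reader below walks the CertificateList
structure from RFC 5280 just far enough to find thisUpdate/nextUpdate;
it does NOT validate the signature or the issuer.
"""
import datetime as dt

UTC_TIME, GEN_TIME, SEQUENCE = 0x17, 0x18, 0x30


# ---- tiny DER encoder, only used to build the constructed sample CRL ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def utctime(t):
    # UTCTime YYMMDDHHMMSSZ, as RFC 5280 mandates for dates before 2050
    return tlv(UTC_TIME, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_crl(this_update, next_update):
    """Constructed, UNSIGNED sample CRL (assumed issuer, dummy signature)."""
    sha256_rsa = tlv(SEQUENCE, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    issuer = tlv(SEQUENCE, tlv(0x31, tlv(SEQUENCE,
                 tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, b"Example CA"))))
    tbs = tlv(SEQUENCE, tlv(0x02, b"\x01") + sha256_rsa + issuer
              + utctime(this_update) + utctime(next_update))
    # signatureValue is a dummy BIT STRING; this CRL would never verify
    return tlv(SEQUENCE, tbs + sha256_rsa + tlv(0x03, b"\x00" * 33))


# ---- minimal DER reader ----
def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == UTC_TIME:                       # two-digit year, RFC 5280 4.1.2.5.1
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000
        s = "%04d%s" % (year, s[2:])
    elif tag != GEN_TIME:
        raise ValueError("not a Time value")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    tag, cert_list, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a CertificateList")
    tag, tbs, _ = read_tlv(cert_list, 0)      # tbsCertList is the first element
    if tag != SEQUENCE:
        raise ValueError("malformed tbsCertList")
    times, pos = [], 0
    while pos < len(tbs) and len(times) < 2:  # first two Time values are the updates
        tag, body, pos = read_tlv(tbs, pos)
        if tag in (UTC_TIME, GEN_TIME):
            times.append(parse_time(tag, body))
        elif times:                           # nextUpdate is OPTIONAL and must follow thisUpdate
            break
    if not times:
        raise ValueError("CRL has no thisUpdate")
    return times[0], times[1] if len(times) == 2 else None


def crl_status(der, now, warn=dt.timedelta(days=1)):
    """ok | expiring | expired | not-yet-valid | no-next-update (assumed labels)."""
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is None:                   # nothing tells us when to refresh: flag it
        return "no-next-update"
    if now >= next_update:
        return "expired"
    if next_update - now <= warn:
        return "expiring"
    return "ok"


# Constructed sample: a one-week CRL issued the day before this post.
SAMPLE_CRL = build_sample_crl(dt.datetime(2012, 10, 1, tzinfo=dt.timezone.utc),
                              dt.datetime(2012, 10, 8, tzinfo=dt.timezone.utc))

if __name__ == "__main__":
    import sys
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CRL
    print(crl_status(der, dt.datetime.now(dt.timezone.utc)))
```

Point it at the file named in the connector's SSLCARevocationFile from cron and alert (or fetch a fresh CRL) on anything other than ok; the warning window should be longer than the time you need to obtain and install a new CRL, since once nextUpdate passes Tomcat stops authenticating clients.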

The important thing about this patch, to me, is that it was created without having a test system; debugging was done by code inspection. The test system and the debugging process were needed afterwards, when another issue came up that had to do with the OCSP patch integration into Tomcat (a double apr_poll_destroy()). I was happy, since it had been a while since I was able to develop anything without the use of a debugger and the usual write-compile-debug procedure!

