Tomcat Reload CRL support

The problem

Apache Tomcat with tcnative loads the CRL when it starts up and ignores any later updates to it. Using OCSP mitigates this to a degree. However, the problem returns when the CRL expires, because Apache Tomcat then refuses to complete any more requests on account of the expired CRL.

Solutions

  • Download the new CRL and restart the tomcat server periodically. One can set up a cron job that downloads the new CRL and then restarts tomcat, so that it re-reads the new CRL. This is not the optimal solution, however, since tomcat must also reload the applications that were running, and the cache and JIT environment have to be re-created. This was the solution that we were using for quite some time.
  • Use the following patch, which loads a new CRL (if one exists) once the previous one has expired.

The patch

This patch was produced against tomcat 1.1.24, which we use in our production environment. We also prefer the SSLCARevocationPath directive, so most of our testing was done in that environment.

Download & Install

Discussion

With this patch applied, the CRL is reloaded when a new CRL exists and the previous one has expired. This has some interesting properties:

  • If one relies only on CRL reloading for client certificate authentication, then with this patch tomcat will only reload the new CRL once the old one has expired. In the meantime, a revoked certificate, even if it is listed in the new CRL, can still be used to authenticate to tomcat without problem. If one wants a more real-time solution, the use of OCSP is strongly advised.
  • The patch could easily be modified to check for a new CRL on every request. However, this would create a lot of unnecessary overhead, and it would duplicate the job of an OCSP server.
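To make the expiry-gated reload policy concrete, here is an added example (it is not the tcnative patch itself, which is C code inside tcnative): a Python routine that reads nextUpdate out of a DER-encoded CRL, and the decision of whether to swap in the on-disk file. Judging "a new CRL exists" by the file's mtime, and the constructed unsigned sample CRL, are this example's assumptions.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def crl_next_update(der):
    """nextUpdate of a DER CertificateList (RFC 5280) as a UTC datetime, or None if absent."""
    _, pos, _ = _tlv(der, 0)                            # CertificateList SEQUENCE
    _, pos, tbs_end = _tlv(der, pos)                    # tbsCertList SEQUENCE
    if der[pos] == 0x02:                                # optional version INTEGER
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, pos)[2]                             # signature AlgorithmIdentifier
    pos = _tlv(der, pos)[2]                             # issuer Name
    pos = _tlv(der, pos)[2]                             # thisUpdate
    if pos >= tbs_end or der[pos] not in (0x17, 0x18):  # nextUpdate is OPTIONAL
        return None
    tag, start, end = _tlv(der, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def should_reload(loaded_next_update, loaded_mtime, now, file_mtime):
    """The policy described above: swap in the on-disk CRL only once the loaded one has
    expired AND the file is newer (detecting "new CRL" via mtime is this example's assumption)."""
    if loaded_next_update is None:                      # no nextUpdate: treated as never expiring
        return False
    return now >= loaded_next_update and file_mtime > loaded_mtime

def _der(tag, body):
    """Tiny DER encoder (short-form lengths only), used just to build the constructed sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_crl(next_update="240201000000Z"):
    """Constructed, unsigned CertificateList with a fake issuer; sample input, not a real CRL."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))      # sha256WithRSA OID
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0c, b"Test CA"))
    issuer = _der(0x30, _der(0x31, cn))                                    # Name = SEQ of SET of AVA
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer
               + _der(0x17, b"240101000000Z") + _der(0x17, next_update.encode()))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00\x00\x00\x00"))     # dummy signature
```

Note that until nextUpdate passes, a certificate revoked in the newer on-disk CRL is still accepted, which is exactly the window the first property above describes.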