Tomcat Reload CRL support
The problem
Apache Tomcat with tcnative (the APR/OpenSSL connector) loads the CRL once
at startup and ignores any update to the file afterwards. Adding OCSP can
mitigate the staleness of the loaded list, but not its expiry: once the
loaded CRL's nextUpdate has passed, OpenSSL fails every client certificate
verification with "CRL has expired", and Tomcat can no longer complete any
client-authenticated handshake because of the expired CRL.
Solutions
- Download the new CRL and periodically restart the Tomcat server. One
can set up a cron job that downloads the new CRL and then restarts Tomcat
so that it re-reads the CRL. This is not an optimal solution, since Tomcat
has to redeploy all running applications and the JIT-compiled code and
in-memory caches have to be rebuilt after every restart. This is the
solution we were using for quite some time.
- Use the following patch, which makes tcnative load a new CRL (if one
exists) once the previous one has expired.
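The cron-job workaround from the first bullet, written out as an added example (this script is not part of the page's patch or of Tomcat). It assumes a DER CRL reachable at CRL_URL, a directory configured as SSLCARevocationPath in CRL_DIR, and a CATALINA_HOME whose bin/shutdown.sh and bin/startup.sh control the server; all three values are hypothetical. Because SSLCARevocationPath is an OpenSSL hash directory, the file is installed under the issuer-hash name (<hash>.r0) that the lookup expects, and Tomcat is restarted only when the downloaded CRL actually differs from the installed one:

```sh
#!/bin/sh
# Cron-driven CRL refresh for Tomcat/tcnative (added example, not the page's patch).
# Assumed, hypothetical settings; override them from the environment or the crontab line.
CRL_URL="${CRL_URL:-}"                          # e.g. http://ca.example.org/ca.crl (DER)
CRL_DIR="${CRL_DIR:-/etc/tomcat/crl}"           # directory given to SSLCARevocationPath
CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat}"   # holds bin/shutdown.sh and bin/startup.sh

# Return 0 if the candidate file parses as a DER CRL, 1 otherwise (no expiry check).
crl_valid() {
    openssl crl -inform DER -noout -in "$1" >/dev/null 2>&1
}

# Return 0 if the new file differs from the installed one (or nothing is installed yet),
# 1 if both are byte-for-byte identical. Restarting only on change keeps the cron
# interval short without restarting Tomcat every run.
crl_changed() {
    [ -f "$1" ] || return 0
    if cmp -s "$1" "$2"; then return 1; else return 0; fi
}

# OpenSSL looks CRLs up in a hash directory as <issuer-name-hash>.r0, so the
# installed file must carry that name for SSLCARevocationPath to find it.
crl_hashed_name() {
    printf '%s.r0\n' "$(openssl crl -inform DER -hash -noout -in "$1")"
}

restart_tomcat() {
    "$CATALINA_HOME/bin/shutdown.sh" && sleep 5 && "$CATALINA_HOME/bin/startup.sh"
}

main() {
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    curl -fsS -o "$tmp" "$CRL_URL" || { echo "CRL download failed" >&2; exit 1; }
    crl_valid "$tmp" || { echo "downloaded file is not a valid DER CRL" >&2; exit 1; }
    target="$CRL_DIR/$(crl_hashed_name "$tmp")"
    if crl_changed "$target" "$tmp"; then
        cp "$tmp" "$target.new" && mv "$target.new" "$target"   # atomic replace
        restart_tomcat
    fi
}

# Run the refresh only when a URL is configured (lets the functions be sourced alone).
if [ -n "$CRL_URL" ]; then main; fi
```

A crontab entry such as `*/30 * * * * CRL_URL=http://ca.example.org/ca.crl /usr/local/sbin/refresh-crl.sh` picks up a freshly published CRL within half an hour, which is earlier than the patch below reacts (it waits for the old CRL to expire). The cost the page complains about remains, though: every change still means a full Tomcat restart.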
The patch
This patch was produced against tcnative (Tomcat Native) 1.1.24, the
version we use in our production environment. We also prefer the
SSLCARevocationPath directive over SSLCARevocationFile, so most of our
testing was done with that configuration.
Download & Install
Discussion
With this patch, tcnative reloads the CRL when a new CRL exists and the
previously loaded one has expired. This has some consequences worth noting:
- If one relies on CRL checking alone for client certificate
authentication, then with this patch Tomcat will only load the new CRL
once the old one has expired. Until then a newly revoked certificate,
even though it is listed in the new CRL on disk, is still accepted by
Tomcat without any problem. If a more real-time revocation check is
needed, the use of OCSP is strongly advised.
- The patch could easily be modified to check for a new CRL on every
request. However, this would add a lot of unnecessary overhead (a file
check per handshake) and would duplicate the job of an OCSP responder.