Bug 53940 - Added support for new CRL loading after expiration
Summary: Added support for new CRL loading after expiration
Alias: None
Product: Tomcat Native
Classification: Unclassified
Component: Library
Version: 1.1.24
Hardware: PC All
Importance: P2 enhancement with 1 vote
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2012-09-27 14:54 UTC by Aristotelis
Modified: 2020-08-20 15:52 UTC

Attachment: CRL reloading support. (6.09 KB, patch) 2012-09-27 14:54 UTC, Aristotelis

Description Aristotelis 2012-09-27 14:54:00 UTC
Created attachment 29426
CRL reloading support.

Apache Tomcat with tcnative loads the CRL list when it starts up, and ignores any following updates. The use of OCSP can help this issue to be amortized. However, the issue comes back again when the CRL expires, and Apache Tomcat refuses to complete any more requests because of the expired CRL.

With this patch, it is possible to reload the new CRL when the previous one expires. For more information about the patch please have a look at: http://code.uoa.gr/p/tomcat-ocsp/reload.php

It would be nice to include it in the main Tomcat tree, since together with the OCSP support, it is possible to have fast and stable cert verification to be used with client authentication.
Comment 1 Mark Thomas 2020-08-20 15:52:09 UTC
This is no longer necessary. Tomcat now supports a general re-reading of all TLS config files.

See bug 61565.