A little off-topic: Looking for ideas re. CRL Checking and Tomcat


ohaya

Hi,

I have a standalone Tomcat server that I've configured for both client
and server SSL authentication. I am aware that most would say that I
should use Apache and a connector in front of Tomcat, but for a number
of reasons, I'm being forced to go the standalone Tomcat route (plus the
site will be very low-traffic).

As I indicated, I have the client and server authentication working, but
from what I can tell so far, there doesn't seem to be an inherent way to
configure Tomcat, which apparently uses JSSE for the SSL features, to do
CRL checking (i.e., checking whether client certs are in a CRL).

I have a separate mechanism/method to periodically pull a CRL file onto
the server where Tomcat is going to be running, but I'm wondering what
the best approach would be to incorporate CRL checking of the client
certs, and so I thought that I might post here in the hopes that someone
might have some ideas.

I think that I could do something like write code that would initially
check the client cert against the CRL on local drive and then set a
session variable (e.g., "authenticated"), and then have code on each
page to check whether the session variable is set or not, but this seems
like a kind of brute force approach.

I'm looking forward to any suggestions.

Thanks in advance,
Jim

P.S. Since Tomcat uses JSSE, I've been reading through the JSSE docs.
I'm kind of surprised that so far at least, I have seen very little in
these docs mentioning CRLs and CRL checking. I guess I would've
expected that CRL checking would've been a key requirement in any kind
of software that involves PKI.
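One way to implement the check described above, as an added example that is not code from this thread: a servlet Filter (javax.servlet API assumed) that reads the client chain Tomcat exposes under the `javax.servlet.request.X509Certificate` request attribute, loads the locally pulled CRL, verifies the CRL's signature against the issuing CA and its freshness, and rejects revoked certificates. The file paths are hypothetical; mapping the filter to `/*` makes a per-page session-variable check unnecessary.

```java
import java.io.*;
import java.security.cert.*;
import java.util.Date;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Servlet filter: rejects requests whose client certificate appears in a locally fetched CRL. */
public class CrlCheckFilter implements Filter {
    // Hypothetical paths: where the periodic job drops the CRL, and the client CA's certificate.
    private static final String CRL_PATH = "/etc/tomcat/client-ca.crl";
    private static final String CA_PATH = "/etc/tomcat/client-ca.pem";
    // Request attribute under which the container exposes the JSSE-verified client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) {} public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) { resp.sendError(403, "client certificate required"); return; }
        try {
            if (isRevoked(certs[0], loadCrl(), loadCaCert())) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate revoked");
                return;
            }
        } catch (Exception e) {   // fail closed: an unreadable, stale or forged CRL grants nothing
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "CRL check unavailable");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Verifies the CRL's signature, issuer and freshness before trusting its revocation list. */
    static boolean isRevoked(X509Certificate cert, X509CRL crl, X509Certificate ca) throws Exception {
        crl.verify(ca.getPublicKey());  // throws unless the CRL was signed by the expected CA
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal()))
            throw new IllegalStateException("CRL issuer does not match certificate issuer");
        if (crl.getNextUpdate() != null && new Date().after(crl.getNextUpdate()))
            throw new IllegalStateException("CRL is past its nextUpdate time");
        return crl.isRevoked(cert);   // matches on the certificate's serial number
    }

    static X509CRL loadCrl() throws Exception {
        try (InputStream in = new FileInputStream(CRL_PATH)) { return (X509CRL) cf().generateCRL(in); }
    }
    static X509Certificate loadCaCert() throws Exception {
        try (InputStream in = new FileInputStream(CA_PATH)) { return (X509Certificate) cf().generateCertificate(in); }
    }
    static CertificateFactory cf() throws Exception { return CertificateFactory.getInstance("X.509"); }
}
```

The CRL is re-parsed on every request, which is acceptable for the low-traffic site described; on a busier server, cache the parsed CRL keyed on the file's modification time.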
 

Sudsy

ohaya wrote:
P.S. Since Tomcat uses JSSE, I've been reading through the JSSE docs.
I'm kind of surprised that so far at least, I have seen very little in
these docs mentioning CRLs and CRL checking. I guess I would've
expected that CRL checking would've been a key requirement in any kind
of software that involves PKI.

It comes down to a question of who is willing to take responsibility
for maintaining a Certificate Revocation List (CRL for those who don't
know the terminology). Should it be the organization which issued the
certificate in the first place? How much server space and bandwidth
are they going to have to allocate to respond to queries? Will the cost
be factored into what you pay to have your certificate signed in the
first place? And what if a mistake is made and a certificate is revoked
by someone other than the owner? Who's going to accept liability when
a major site is knocked out of commission because the certificate has
been maliciously or accidentally added to a CRL? Just take a look at
what's happening in the domain registration arena!
It's a quagmire! That's probably why there's not a lot of attention
given to the issue. Besides which, people and organizations utilizing
the PKI (Public Key Infrastructure) should KNOW how important it is to
keep the private key secure and take appropriate steps, institute
controls, etc. Organizations will typically manage their own CRL when
using PKI to enable remote access to corporate data. As soon as a laptop
goes missing, the key is administratively revoked.
P.S. I prefer a mechanism which requires a password to "unlock" the key
on the remote client. If the client computer goes missing, the key
remains inaccessible. But that's just me being paranoid...