On Mon, Mar 19, 2018 at 2:54 PM, Mark Thomas <ma...@apache.org> wrote:
> On 19/03/18 13:52, Christopher Schultz wrote:
> > All,
> >
> > I'm guessing this is mostly directed towards Rainer: can someone look
> > at https://bz.apache.org/bugzilla/show_bug.cgi?id=53940? It's got a
> > proposed patch and IMO makes sense to implement.
> >
> > I'm not familiar enough with OpenSSL and the way that the SSL engine
> > works to know if this is a valid technique.
> >
> > Most people don't use CRLs so it won't affect their performance or
> > anything like that. But those who do rely on a CRL can't afford to
> > bounce their Tomcat instance or connector just to pick-up an updated CRL.
>
> Can't we just close that as WONTFIX on the grounds that you just trigger
> the reload of the TLS config in Tomcat?

+1
That reload feature is good since it's so versatile and solves problems without having to add hacks elsewhere.

Rémy