Mark,

On 3/19/18 9:54 AM, Mark Thomas wrote:
> On 19/03/18 13:52, Christopher Schultz wrote:
>> All,
>>
>> I'm guessing this is mostly directed towards Rainer: can someone
>> look at https://bz.apache.org/bugzilla/show_bug.cgi?id=53940?
>> It's got a proposed patch and IMO makes sense to implement.
>>
>> I'm not familiar enough with OpenSSL and the way that the SSL
>> engine works to know if this is a valid technique.
>>
>> Most people don't use CRLs so it won't affect their performance
>> or anything like that. But those who do rely on a CRL can't
>> afford to bounce their Tomcat instance or connector just to
>> pick-up an updated CRL.
>
> Can't we just close that as WONTFIX on the grounds that you just
> trigger the reload of the TLS config in Tomcat?

It seems reasonable, but I believe this patch looks at the CRL's reload "schedule" (I didn't know CRLs had such a thing) and respects it. So Tomcat could auto-reload appropriately without having to set up e.g. cron to reload on a schedule.

Also, I didn't realize that the reload was working for native-based connectors. Now that I think about it, I think you said at one point that we are simply relying on a finalizer to clean-up after abandoned native SSL engine resources rather than going through the trouble to maintain our own reference-counting infrastructure. So I guess that's a moot point.

I'm okay closing this as WONTFIX with a note saying "issue a reload command yourself". The original poster can come back to request this feature specifically if manual-reloading is not acceptable.

-chris