Bug 445052 - HTTP 1.1 support when fetching CRLs
Product: Dogtag Certificate System
Classification: Community
Component: CA
All Linux
Priority: urgent
Severity: low
Assigned To: Andrew Wnuk
Chandrasekar Kannan
Blocks: 443788
Reported: 2008-05-02 19:35 EDT by Bob Lord
Modified: 2015-01-05 20:20 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:28:41 EDT

Attachments (Terms of Use)
adding compression (16.79 KB, patch)
2009-03-26 16:23 EDT, Andrew Wnuk
small correction (13.36 KB, patch)
2009-03-26 16:40 EDT, Andrew Wnuk
Description Bob Lord 2008-05-02 19:35:15 EDT
Description of problem:
Earlier versions of CS did not allow clients to fetch CRLs via HTTP1.1. They were forced to use HTTP1.0.

Dogtag should allow the following features:
- compression of the CRLs
- byte ranges so clients that were only able to fetch part of the CRL can retry, starting in the middle of the CRL file.
- If-Modified-Since so clients do not refetch a CRL they have previously fetched and cached.
Comment 1 Andrew Wnuk 2009-02-20 18:37:26 EST
attachment (id=330055)
allows generating a link to the latest CRL via file publishing.

attachment (id=330387)
minor modifications

Now you need to configure Tomcat to support Partial Content GET requests to retrieve the latest CRL.
Comment 3 Andrew Wnuk 2009-03-12 20:18:32 EDT
Here is the procedure:

1. Create a target directory to be used by the CRL file publisher.
   For example: /var/lib/pki-ca/webapps.ee/ca/ee/ca/crl

2. Create a CRL file publisher using the same target directory,
   with the link to the latest CRL enabled. The default link name is derived
   from the name of the CRL issuing point, combined with the extension entered
   via the file publisher editor. The default link extension is 'der'.

3. Create a file CRL rule using the previously created CRL file publisher
   and the NoMap mapper. Disable all unused rules.

4. Enable publishing, but keep the default LDAP connection disabled.

5. Modify /var/lib/pki-ca/conf/server.xml by adding a context container
   in the EE section matching the previously created target directory.
   For example:
     <Context path="/ca/ee/ca/crl"
      docBase="/var/lib/pki-ca/webapps.ee/ca/ee/ca/crl" allowLinking="true"/>

6. The missing part of a CRL after an interrupted download can be retrieved with:
   wget -c http://<hostname>:9180/ca/ee/ca/crl/MasterCRL.bin

7. An interrupted download can be emulated with:
   wget http://<hostname>:9180/ca/ee/ca/crl/MasterCRL.bin
   mv MasterCRL.bin MasterCRL.bin.full
   dd if=MasterCRL.bin.full of=MasterCRL.bin count=100 bs=1
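The resume-and-verify flow of steps 6 and 7, as an added Python example that is not part of Dogtag or of this bug's patches. It assumes a small in-process server standing in for the Tomcat context above (constructed DER-shaped bytes in place of a real MasterCRL.bin, a constructed Last-Modified date) and adds the check a relying party wants after a resumed download: the outer DER length must match the bytes actually held, so a still-truncated CRL is rejected rather than treated as a valid revocation list.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PAYLOAD = bytes(range(256)) * 2  # constructed dummy CRL body, not a real CRL
CRL_DER = b"\x30\x82" + len(PAYLOAD).to_bytes(2, "big") + PAYLOAD  # DER SEQUENCE, long-form length
LAST_MODIFIED = "Thu, 26 Mar 2009 20:23:32 GMT"  # constructed timestamp

class CrlHandler(BaseHTTPRequestHandler):
    """Toy stand-in for the Tomcat context: serves MasterCRL.bin with Range and If-Modified-Since."""
    def do_GET(self):
        start, body, status = 0, CRL_DER, 200
        rng = self.headers.get("Range", "")
        if self.headers.get("If-Modified-Since") == LAST_MODIFIED:
            body, status = b"", 304  # client's cached copy is still current
        elif rng.startswith("bytes="):
            start = int(rng[6:].split("-")[0])  # only "bytes=N-" (resume) is handled here
            body, status = CRL_DER[start:], 206
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Last-Modified", LAST_MODIFIED)
        if status == 206:
            self.send_header("Content-Range", f"bytes {start}-{len(CRL_DER) - 1}/{len(CRL_DER)}")
        self.end_headers()
        self.wfile.write(body)

def der_is_complete(data):  # outer SEQUENCE length (2-byte long form) must equal the bytes held
    return (len(data) >= 4 and data[0] == 0x30 and data[1] == 0x82
            and int.from_bytes(data[2:4], "big") == len(data) - 4)

def resume_download(url, partial):
    """Finish an interrupted download (what `wget -c` does); a 200 means the server ignored Range."""
    with urlopen(Request(url, headers={"Range": f"bytes={len(partial)}-"})) as resp:
        return partial + resp.read() if resp.status == 206 else resp.read()

def fetch_if_modified(url, last_modified):
    """Return the CRL only if it changed since the cached copy; None on 304 (reuse the cache)."""
    try:
        with urlopen(Request(url, headers={"If-Modified-Since": last_modified})) as resp:
            return resp.read()
    except HTTPError as err:
        if err.code != 304:
            raise
        return None

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), CrlHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/ca/ee/ca/crl/MasterCRL.bin"
```

Against a real Tomcat context the same client code applies unchanged; only the URL and the cached Last-Modified value come from the CA instead of the toy server.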
Comment 6 Andrew Wnuk 2009-03-26 16:23:32 EDT
Created attachment 336885 [details]
adding compression
Comment 7 Andrew Wnuk 2009-03-26 16:40:55 EDT
Created attachment 336891 [details]
small correction
Comment 8 Matthew Harmsen 2009-03-26 16:46:23 EDT
attachment (id=336885)
attachment (id=336891) +mharmsen
Comment 9 Andrew Wnuk 2009-03-26 17:19:27 EDT
svn commit pki/dogtag/util/pki-util.spec
Sending        pki/dogtag/util/pki-util.spec
Transmitting file data .
Committed revision 334.

svn commit pki/dogtag/common/pki-common.spec
Sending        pki/dogtag/common/pki-common.spec
Transmitting file data .
Committed revision 335.

svn commit pki/base/util/src/netscape/security/x509/X509CRLImpl.java
Sending        pki/base/util/src/netscape/security/x509/X509CRLImpl.java
Transmitting file data .
Committed revision 336.

svn commit pki/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
Sending        pki/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
Transmitting file data .
Committed revision 337.
Comment 10 Kashyap Chamarthy 2009-06-01 23:36:46 EDT
Verified: Was able to successfully retrieve Full CRL, new CRL, missing CRL (in case of interrupted download)