Re: OCSP stapling in tomcat 7 with APR

2018-10-23 Thread Усманов Азат Анварович
Hi Chris! My main goal is for Tomcat to connect to Comodo, to get server-side
OCSP stapling working. I was only testing with the OpenSSL ocsp command to make sure
that Comodo's OCSP responder is reachable in the first place.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: OCSP stapling in tomcat 7 with APR

2018-10-23 Thread Christopher Schultz

Усманов,

On 10/23/18 13:04, Усманов Азат Анварович wrote:
> Hi everyone! I did manage to run the OCSP check manually without a
> proxy (some network issue); still no success with Tomcat OCSP or
> SSL Labs, however.
>
> openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt \
>   -cert /home/idis/STAR_ieml_ru.crt -url http://ocsp.comodoca.com/ -CAfile issuer.crt
> Response verify OK
> /home/idis/STAR_ieml_ru.crt: good
> This Update: Oct 21 07:35:07 2018 GMT
> Next Update: Oct 28 07:35:07 2018 GMT

I'm a little lost: are you trying to get your local responder working
for testing, or are you trying to get your server to connect to
Comodo's OCSP service?

It looks like the above worked correctly.

- -chris




Re: OCSP stapling in tomcat 7 with APR

2018-10-23 Thread Усманов Азат Анварович
c 07 dc 9e 98 9d 55 64   ...OR.Ud
0020 - bd 43 11 8d 8a bb 80 ee-0f ea dd 94 fc 95 76 08   .Cv.
0030 - 25 7c 3e dc 7a 2b 0c be-04 4e 56 13 0c 4d ae ef   %|>.z+...NV..M..
0040 - 8a 97 3a 60 dd 08 5c 04-78 32 cb ca 46 7a cb 1c   ..:`..\.x2..Fz..
0050 - f9 69 bc 85 d1 ac bc 7e-93 93 dd b9 02 dc f5 5a   .i.~...Z
0060 - df 4a 70 0c 34 e0 37 cd-09 a7 e4 3e 77 ce 93 e2   .Jp.4.7>w...
0070 - 9b cf a4 40 01 9f e2 36-6f 76 d1 6a 80 0f 4a 78   ...@...6ov.j..Jx
0080 - a4 ee 93 80 aa 4c 21 af-61 19 5b 6a 49 52 3d e0   .L!.a.[jIR=.
0090 - c2 6f f1 4e 9c 4e 3d e4-91 2e e3 6a ea 52 ea a9   .o.N.N=j.R..
00a0 - 8e cc 33 f4 e7 aa 2a 04-93 26 a8 36 4e 01 b0 12   ..3...*..&.6N...
00b0 - ca d2 df 64 0b 98 2b 57-7f be 68 8a 0d 43 26 06   ...d..+W..h..C&.

Start Time: 1540313457
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes


Any idea how to identify which command Tomcat sends to the OCSP responder?




Re: OCSP stapling in tomcat 7 with APR

2018-10-19 Thread Усманов Азат Анварович
Hi! It turns out to be a proxy issue, because once I modify the openssl ocsp
command to include my proxy 192.168.1.6 and its port I get the correct response:

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt \
  -cert /home/idis/STAR_ieml_ru.crt -CAfile issuer.crt \
  -host 192.168.1.6:3131 -path http://ocsp.comodoca.com/ -text

OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: Oct 14 07:35:10 2018 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Cert Status: good
This Update: Oct 14 07:35:10 2018 GMT
Next Update: Oct 21 07:35:10 2018 GMT

Signature Algorithm: sha256WithRSAEncryption
 28:c0:93:7d:9b:4d:96:16:37:f4:1f:fc:ca:8c:32:b1:bb:22:
 be:d8:33:14:9b:e9:75:18:b2:a5:20:77:ef:f9:6c:48:1c:72:
 8f:db:87:4a:30:50:04:72:9d:75:0f:ce:09:82:b7:56:bf:aa:
 62:fe:50:b7:10:96:82:b6:53:0f:a0:c8:b1:49:bf:0e:88:19:
 bf:41:64:21:8f:8f:9a:f3:1a:e5:3b:36:d0:96:7e:01:89:c4:
 a2:c3:19:3c:fa:fa:e7:ad:df:4e:76:37:32:72:ba:95:23:4e:
 c6:09:c8:a6:a1:28:63:5f:e6:6a:62:55:e3:a2:a8:29:47:4b:
 70:a2:6b:e3:07:0a:a0:b2:28:79:61:24:f8:ab:9a:ff:bf:b6:
 ff:2b:ca:0e:f1:a8:cc:2a:ae:a5:4a:90:40:14:64:b1:ca:10:
 ca:44:a3:f9:00:af:d7:55:0b:5b:0e:0f:d9:8b:3a:c9:a2:41:
 4e:e5:23:23:9a:36:dc:28:c3:a8:4d:1c:08:c7:64:87:a5:0c:
 d7:08:57:a8:62:85:73:d5:f7:14:a2:c7:07:e9:57:e9:e1:1a:
 21:d0:d9:56:62:06:0f:05:bc:19:b7:c8:63:5a:a8:97:28:f3:
 1b:5b:30:3c:d6:31:ec:f5:cb:cd:f8:7e:61:cd:2b:ea:19:1c:
 17:8c:a4:9a
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
This Update: Oct 14 07:35:10 2018 GMT
Next Update: Oct 21 07:35:10 2018 GMT


Now the question is how to tell Tomcat to use a proxy when making OCSP requests.
I have tried putting proxyName and proxyPort in the Connector definition;
that didn't do anything for OCSP support (SSL Labs still says no for OCSP).
Any suggestions?






Re: OCSP stapling in tomcat 7 with APR

2018-10-17 Thread Mark Thomas
On 17/10/18 15:02, Усманов Азат Анварович wrote:
> Unfortunately, I still got the same issue with the slash
>  openssl ocsp -issuer /home/idis/authorities.crt  -cert 
> /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>   Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>   Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
> Request Extensions:
> OCSP Nonce:
> 0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response 
> error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is HTTP, so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark



Re: OCSP stapling in tomcat 7 with APR

2018-10-17 Thread Усманов Азат Анварович
Unfortunately, I still got the same issue with the slash
 openssl ocsp -issuer /home/idis/authorities.crt  -cert 
/home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
  Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
  Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Request Extensions:
OCSP Nonce:
0410A42C073C3EA560D427D719BA3A8EC5FB
Error querying OCSP responder
139868527687424:error:27076072:OCSP routines:parse_http_line1:server response 
error:crypto/ocsp/ocsp_ht.c:260:Code=301




From: Rainer Jung 
Sent: 17 October 2018 16:41:27
To: Tomcat Users List; Усманов Азат Анварович
Subject: Re: OCSP stapling in tomcat 7 with APR

Redirect when accessing http://ocsp.comodoca.com could simply be a
trailing slash redirect (Location: http://ocsp.comodoca.com/). You
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).

Regards,

Rainer


Re: OCSP stapling in tomcat 7 with APR

2018-10-17 Thread Rainer Jung
The redirect when accessing http://ocsp.comodoca.com could simply be a 
trailing-slash redirect (Location: http://ocsp.comodoca.com/). You had 
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).


Regards,

Rainer


Re: OCSP stapling in tomcat 7 with APR

2018-10-17 Thread Усманов Азат Анварович
The SSL Labs test still shows "OCSP stapling no" even with the latest version 
of OpenSSL.

I've tried to test it manually and got an error:

openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt \
  -text -url http://ocsp.comodoca.com
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Request Extensions:
        OCSP Nonce:
            041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

Not sure what the problem might be? 301 looks like an HTTP error (Moved
Permanently), which is strange, because I tried to access
http://ocsp.comodoca.com via wget:

wget http://ocsp.comodoca.com
--2018-10-17 16:03:12--  http://ocsp.comodoca.com/
Connecting to 192.168.1.2:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 5 [application/ocsp-response]
Saving to: 'index.html.7'

100%[===>] 5  --.-K/s  in 0s

2018-10-17 16:03:12 (488 KB/s) - 'index.html.7' saved [5/5]

[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)

Any ideas what the problem might be?



From: Усманов Азат Анварович 
Sent: 15 October 2018 18:20:14
To: users@tomcat.apache.org
Subject: Re: OCSP stapling in tomcat 7 with APR

How do I make sure OCSP is enabled in Tomcat Native?

When I try to pass --enable-ocsp to the Tomcat Native configure script I get an
"unrecognized option" warning:


  ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 
-with-ssl=/usr/local/openssl --enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
  setting CC to "gcc"
  setting CPP to "gcc -E"
  setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
  adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory...  linux
  adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from 
/usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
  adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
  setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
-Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
  adding "-DHAVE_OPENSSL" to CFLAGS
  setting TCNATIVE_LIBS to ""
  setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
-lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
  adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp




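What the OCSP exchange looks like on the wire, as an added example rather than code from the thread, from Tomcat Native or from OpenSSL: a small DER encoder/decoder for the OCSPRequest that OpenSSL-based clients (the `openssl ocsp` command, and server-side stapling code built on libssl) POST to the responder with `Content-Type: application/ocsp-request`. This is what Mark's suggested Wireshark trace will show, and what to decode from a captured POST body to answer the earlier "which command does Tomcat send" question. The CertID values and the 16-byte nonce are the ones printed by `openssl ocsp -text` in the messages above; with `-no_nonce` the request is the 84-byte structure built here without the extension. The decoder also reads the five-byte file that wget fetched in the message above: `0^C`, a newline and `^A^A` are the bytes 30 03 0A 01 01, a DER OCSPResponse whose responseStatus is malformedRequest (1), i.e. the responder itself answering a bare GET that carried no request, so the path through the proxy at 192.168.1.2:3128 did reach Comodo, consistent with the later finding that `openssl ocsp` only worked once pointed at the proxy. The `-header Host=ocsp.comodoca.com` in the later commands is the usual workaround for `openssl ocsp` builds that do not add a Host header themselves.

```python
"""DER encoder/decoder for the OCSPRequest that OpenSSL-based clients POST to a
responder (Content-Type: application/ocsp-request). Added example, not code from
the thread, from Tomcat Native or from OpenSSL. CertID values are the ones that
`openssl ocsp -text` printed in the thread."""

OID_SHA1 = bytes.fromhex("2b0e03021a")                # 1.3.14.3.2.26
OID_OCSP_NONCE = bytes.fromhex("2b0601050507300102")  # 1.3.6.1.5.5.7.48.1.2
_RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                    3: "tryLater", 5: "sigRequired", 6: "unauthorized"}  # RFC 6960

# Values taken from the thread's `openssl ocsp -text` output.
THREAD_ISSUER_NAME_HASH = bytes.fromhex("7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9")
THREAD_ISSUER_KEY_HASH = bytes.fromhex("90AF6A3A945A0BD890EA125673DF43B43A28DAE7")
THREAD_SERIAL = 0xF078CB8E2F4E5A678BFB9065A9611B57
THREAD_NONCE = bytes.fromhex("A42C073C3EA560D427D719BA3A8EC5FB")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_integer(value):
    # +8 rather than +7 leaves room for the 0x00 pad DER needs when the top bit is set (F0...).
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial, nonce=None):
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } [, requestExtensions [2]] } }."""
    alg = tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))            # AlgorithmIdentifier: sha1
    cert_id = tlv(0x30, alg + tlv(0x04, issuer_name_hash)
                  + tlv(0x04, issuer_key_hash) + der_integer(serial))
    tbs = tlv(0x30, tlv(0x30, cert_id))                                # requestList with one Request
    if nonce is not None:                                              # added by openssl ocsp unless -no_nonce
        ext = tlv(0x30, tlv(0x06, OID_OCSP_NONCE) + tlv(0x04, tlv(0x04, nonce)))
        tbs += tlv(0xA2, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs))


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_ocsp_request(der):
    """Decode a captured request body into the fields `openssl ocsp -text` prints."""
    tag, outer, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs = _children(outer)[0][1]                       # optionalSignature [0], if present, is ignored
    result = {"version": 1, "requests": [], "nonce": None}
    for tag, val in _children(tbs):
        if tag == 0xA0:                                # version [0] EXPLICIT INTEGER (v1 is 0)
            result["version"] = int.from_bytes(_read_tlv(val, 0)[1], "big") + 1
        elif tag == 0x30:                              # requestList
            for _, req in _children(val):
                alg, name_h, key_h, serial = [v for _, v in _children(_children(req)[0][1])]
                result["requests"].append({
                    "hash_algorithm": "sha1" if _children(alg)[0][1] == OID_SHA1 else "other",
                    "issuer_name_hash": name_h.hex().upper(),
                    "issuer_key_hash": key_h.hex().upper(),
                    "serial_number": format(int.from_bytes(serial, "big", signed=True), "X"),
                })
        elif tag == 0xA2:                              # requestExtensions [2] EXPLICIT
            for _, ext in _children(_children(val)[0][1]):
                fields = [v for _, v in _children(ext)]  # OID [, critical], extnValue
                if fields[0] == OID_OCSP_NONCE:
                    result["nonce"] = fields[-1].hex().upper()   # same form openssl prints: 0410...
    return result


def ocsp_response_status(der):
    """responseStatus, the first field of an OCSPResponse; enough to read a 5-byte error reply."""
    tag, body, _ = _read_tlv(der, 0)
    stag, sval = _children(body)[0] if tag == 0x30 and body else (None, b"")
    if stag != 0x0A:                                   # ENUMERATED
        raise ValueError("not an OCSPResponse")
    code = int.from_bytes(sval, "big")
    return _RESPONSE_STATUS.get(code, f"unknown({code})")
```

To use it on a capture, extract the body of the POST to the responder (Wireshark: Follow TCP Stream, or `tshark -T fields -e http.file_data`) and feed the bytes to `parse_ocsp_request`; the output matches the Certificate ID block that `openssl ocsp -text` prints, so a request emitted by Tomcat can be compared field by field with the manual one. Through a forward proxy the request line carries the absolute URL, which is what `-host 192.168.1.6:3131 -path http://ocsp.comodoca.com/` makes `openssl ocsp` send.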
Re: OCSP stapling in tomcat 7 with APR

2018-10-15 Thread Coty Sutherland
On Mon, Oct 15, 2018 at 11:39 AM Mark Thomas  wrote:

> On 15/10/18 16:20, Усманов Азат Анварович wrote:
> > how do I make sure ocsp is enabled on tomcat native
> >
> > when I try to pass --enable-ocsp to tomcat native configure i get
> unrecognized option warning
>
> As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to
> disable OCSP when building on Linux so you should be good with a
> standard build.
>

+1, just build it, and as long as the OpenSSL version you're using supports
it you're good.


>
> Mark
>
>
> > 
> > From: Mark Thomas 
> > Sent: 15 October 2018 15:01:58
> > To: users@tomcat.apache.org
> > Subject: Re: OCSP stapling in tomcat 7 with APR
> >
> > On 14/10/18 18:45, Усманов Азат Анварович wrote:
> >> Hello everyone! I have a Java 7 web app running on Tomcat 7 with
> >> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP
> >> stapling on Tomcat, so that:
> >> When OCSP is enabled, a server will pre-fetch the OCSP response for its
> >> own certificate and deliver the response to the user's browser during the
> >> TLS handshake. This eliminates the need to make a separate connection to
> >> the CA's revocation service before the Web page is displayed, improving the
> >> page's performance and reliability.
> >> I did search the mailing list and found this question
> >> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
> >> but that user is using the JSSE implementation for TLS, not APR.
> >> The documentation for Tomcat 7 does have an example:
> >>
> >> <Connector port="8443"
> >>    protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>    secure="true" scheme="https"
> >>    SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
> >>    SSLCertificateKeyFile="/path/to/ocsp-cert.key"
> >>    SSLCACertificateFile="/path/to/ca.pem"
> >>    SSLVerifyClient="require"
> >>    SSLVerifyDepth="

Re: OCSP stapling in tomcat 7 with APR

2018-10-15 Thread Mark Thomas
On 15/10/18 16:20, Усманов Азат Анварович wrote:
> How do I make sure OCSP is enabled on Tomcat Native?
> 
> When I try to pass --enable-ocsp to the Tomcat Native configure, I get an
> unrecognized option warning.

As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to
disable OCSP when building on Linux, so you should be good with a
standard build.

Mark


> 
> 
>   ./configure  --with-apr=/usr/local/apr 
> --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl 
> --enable-ocsp
> configure: WARNING: unrecognized options: --enable-ocsp
> checking build system type... x86_64-pc-linux-gnu
> checking host system type... x86_64-pc-linux-gnu
> checking target system type... x86_64-pc-linux-gnu
> checking for a BSD-compatible install... /usr/bin/install -c
> checking for working mkdir -p... yes
> Tomcat Native Version: 1.2.17
> checking for chosen layout... tcnative
> checking for APR... yes
> configure: APR 1.6.5 detected.
>   setting CC to "gcc"
>   setting CPP to "gcc -E"
>   setting LIBTOOL to "/usr/local/apr/build-1/libtool"
> checking JAVA_HOME... /usr/java/jdk1.7.0_79
>   adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
> checking for JDK os include directory...  linux
>   adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking for OpenSSL library... using openssl from 
> /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
> checking OpenSSL library version >= 1.0.2... ok
> checking for OpenSSL DSA support... yes
>   adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
>   setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
> -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
>   adding "-DHAVE_OPENSSL" to CFLAGS
>   setting TCNATIVE_LIBS to ""
>   setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
> -lpthread"
> checking for apr_pollset_wakeup in -lapr-1... yes
>   adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
> configure: creating ./config.status
> config.status: creating tcnative.pc
> config.status: creating Makefile
> config.status: executing default commands
> configure: WARNING: unrecognized options: --enable-ocsp
> 
> 
> 
> 
> From: Mark Thomas 
> Sent: 15 October 2018 15:01:58
> To: users@tomcat.apache.org
> Subject: Re: OCSP stapling in tomcat 7 with APR
> 
> On 14/10/18 18:45, Усманов Азат Анварович wrote:
>> Hello everyone! I have a Java 7 web app running on Tomcat 7 with
>> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP
>> stapling on Tomcat so that:
>> When OCSP is enabled, a server will pre-fetch the OCSP response for its own
>> certificate and deliver the response to the user's browser during the TLS
>> handshake. This eliminates the need to make a separate connection to the
>> CA's revocation service before the Web page is displayed, improving the
>> page's performance and reliability.
>> I did search the mailing list and found this question
>> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
>> but that user is using the JSSE implementation for TLS, not APR.
>> The documentation for Tomcat 7 does have an example:
>>
>> <Connector port="8443"
>>    protocol="org.apache.coyote.http11.Http11AprProtocol"
>>    secure="true" scheme="https"
>>    SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>>    SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>>    SSLCACertificateFile="/path/to/ca.pem"
>>    SSLVerifyClient="require"
>>    SSLVerifyDepth="10"
>>    clientAuth="true"/>
>>
>>
>> but that is for client-cert verification. Can we do it on the server side? Or do
>> I miss something about how OCSP is supposed to work in the first place?
> 
> If you build an OCSP enabled version of the APR/native connector, OCSP
> stapling should just happen without any additional configuration.
> Assuming you use an appropriate certificate etc.
> 
> Mark
> 
> 
> 


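Mark's point is that OCSP support in the native connector follows the OpenSSL build it is linked against: there is no tcnative configure switch, and OCSP is only missing when OpenSSL itself was built with OPENSSL_NO_OCSP defined. The script below is an added example, not code from this thread or from the Tomcat/tcnative project, for checking that on the OpenSSL install tcnative is pointed at. It assumes an OpenSSL 1.1.1 install tree under a hypothetical $OPENSSL_HOME (the thread's /usr/local/openssl would do) with the generated header at include/openssl/opensslconf.h and a CLI that supports `openssl list -disabled`; the header and listing samples in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat/tcnative.
# Per Mark's reply, the native connector loses OCSP only when the OpenSSL it
# is built against defines OPENSSL_NO_OCSP, so the OpenSSL build is what to
# verify, not a tcnative configure flag.

# Read an opensslconf.h on stdin; return 0 if OCSP is available, 1 if the
# header defines OPENSSL_NO_OCSP (1.1.x emits it as '# define OPENSSL_NO_OCSP').
# Only a real preprocessor define counts, not a mention inside a comment.
ocsp_enabled_in_conf() {
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_OCSP([^A-Za-z0-9_]|$)'; then
        return 1
    fi
    return 0
}

# Read the output of 'openssl list -disabled' (OpenSSL 1.1.1+) on stdin;
# return 0 if OCSP is not listed as disabled, 1 if it is.
ocsp_enabled_in_list() {
    if grep -Eiq '^[[:space:]]*OCSP[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Constructed samples of what the two inputs look like (not captured from
# a real system).
SAMPLE_CONF_OK='/* constructed: default Linux build, OCSP left in */
#ifndef OPENSSL_NO_SCTP
# define OPENSSL_NO_SCTP
#endif'
SAMPLE_CONF_NO_OCSP='/* constructed: OpenSSL configured with "no-ocsp" */
#ifndef OPENSSL_NO_OCSP
# define OPENSSL_NO_OCSP
#endif'
SAMPLE_LIST_OK='Disabled:
SCTP
ZLIB'
SAMPLE_LIST_NO_OCSP='Disabled:
OCSP
SCTP
ZLIB'

# Live usage against an install tree (hypothetical location):
#   OPENSSL_HOME=/usr/local/openssl sh check-ocsp.sh
if [ -n "${OPENSSL_HOME:-}" ]; then
    if ocsp_enabled_in_conf < "$OPENSSL_HOME/include/openssl/opensslconf.h"; then
        echo "opensslconf.h: OCSP available"
    else
        echo "opensslconf.h: OPENSSL_NO_OCSP defined, tcnative will build without OCSP"
    fi
    if "$OPENSSL_HOME/bin/openssl" list -disabled | ocsp_enabled_in_list; then
        echo "openssl list -disabled: OCSP available"
    else
        echo "openssl list -disabled: OCSP disabled"
    fi
fi
```

Both checks look at the OpenSSL that tcnative's `--with-ssl` points to, which is the one that matters; the system's default `openssl` binary may be a different build, so pass the same prefix you gave to configure.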



Re: OCSP stapling in tomcat 7 with APR

2018-10-15 Thread Усманов Азат Анварович
How do I make sure OCSP is enabled on Tomcat Native?

When I try to pass --enable-ocsp to the Tomcat Native configure, I get an
unrecognized option warning.


  ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 
-with-ssl=/usr/local/openssl --enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
  setting CC to "gcc"
  setting CPP to "gcc -E"
  setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
  adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory...  linux
  adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from 
/usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
  adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
  setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
-Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
  adding "-DHAVE_OPENSSL" to CFLAGS
  setting TCNATIVE_LIBS to ""
  setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
-lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
  adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp



____
From: Mark Thomas 
Sent: 15 October 2018 15:01:58
To: users@tomcat.apache.org
Subject: Re: OCSP stapling in tomcat 7 with APR

On 14/10/18 18:45, Усманов Азат Анварович wrote:
> Hello everyone! I have a Java 7 web app running on Tomcat 7 with
> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP
> stapling on Tomcat so that:
> When OCSP is enabled, a server will pre-fetch the OCSP response for its own
> certificate and deliver the response to the user's browser during the TLS
> handshake. This eliminates the need to make a separate connection to the CA's
> revocation service before the Web page is displayed, improving the page's
> performance and reliability.
> I did search the mailing list and found this question
> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
> but that user is using the JSSE implementation for TLS, not APR.
> The documentation for Tomcat 7 does have an example:
>
> <Connector port="8443"
>    protocol="org.apache.coyote.http11.Http11AprProtocol"
>    secure="true" scheme="https"
>    SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>    SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>    SSLCACertificateFile="/path/to/ca.pem"
>    SSLVerifyClient="require"
>    SSLVerifyDepth="10"
>    clientAuth="true"/>
>
>
> but that is for client-cert verification. Can we do it on the server side? Or do
> I miss something about how OCSP is supposed to work in the first place?

If you build an OCSP enabled version of the APR/native connector, OCSP
stapling should just happen without any additional configuration.
Assuming you use an appropriate certificate etc.

Mark




Re: OCSP stapling in tomcat 7 with APR

2018-10-15 Thread Mark Thomas
On 14/10/18 18:45, Усманов Азат Анварович wrote:
> Hello everyone! I have a Java 7 web app running on Tomcat 7 with
> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP
> stapling on Tomcat so that:
> When OCSP is enabled, a server will pre-fetch the OCSP response for its own
> certificate and deliver the response to the user's browser during the TLS
> handshake. This eliminates the need to make a separate connection to the CA's
> revocation service before the Web page is displayed, improving the page's
> performance and reliability.
> I did search the mailing list and found this question
> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
> but that user is using the JSSE implementation for TLS, not APR.
> The documentation for Tomcat 7 does have an example:
> 
> <Connector port="8443"
>    protocol="org.apache.coyote.http11.Http11AprProtocol"
>    secure="true" scheme="https"
>    SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>    SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>    SSLCACertificateFile="/path/to/ca.pem"
>    SSLVerifyClient="require"
>    SSLVerifyDepth="10"
>    clientAuth="true"/>
> 
> 
> but that is for client-cert verification. Can we do it on the server side? Or do
> I miss something about how OCSP is supposed to work in the first place?

If you build an OCSP enabled version of the APR/native connector, OCSP
stapling should just happen without any additional configuration.
Assuming you use an appropriate certificate etc.

Mark




OCSP stapling in tomcat 7 with APR

2018-10-14 Thread Усманов Азат Анварович
Hello everyone! I have a Java 7 web app running on Tomcat 7 with
APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP
stapling on Tomcat so that:
When OCSP is enabled, a server will pre-fetch the OCSP response for its own
certificate and deliver the response to the user's browser during the TLS
handshake. This eliminates the need to make a separate connection to the CA's
revocation service before the Web page is displayed, improving the page's
performance and reliability.
I did search the mailing list and found this question
https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
but that user is using the JSSE implementation for TLS, not APR.
The documentation for Tomcat 7 does have an example:

<Connector port="8443"
   protocol="org.apache.coyote.http11.Http11AprProtocol"
   secure="true" scheme="https"
   SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
   SSLCertificateKeyFile="/path/to/ocsp-cert.key"
   SSLCACertificateFile="/path/to/ca.pem"
   SSLVerifyClient="require"
   SSLVerifyDepth="10"
   clientAuth="true"/>


but that is for client-cert verification. Can we do it on the server side? Or do I
miss something about how OCSP is supposed to work in the first place?
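The behaviour the original post wants, the server sending a fresh OCSP response for its own certificate inside the TLS handshake, is something a client can observe directly: `openssl s_client -status` asks for the staple through the TLS status_request extension and prints the parsed response, or "OCSP response: no response sent" when the server delivered none. The script below is an added example, not code from this thread or from the Tomcat project, that classifies that output so the check can be scripted. It assumes the wording printed by OpenSSL 1.1.1's s_client, a hypothetical host name passed by the caller, port 443 by default, and uses constructed sample outputs for the offline part.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat.
# Classifies 'openssl s_client -status' output to tell whether a server
# stapled an OCSP response and what that response says about the cert.

# Read captured s_client output on stdin and print one word:
#   none      - server sent no staple (stapling not working)
#   good      - responder reported success and the certificate is good
#   revoked   - responder reported success and the certificate is revoked
#   unknown   - success reported but status is neither good nor revoked
#   malformed - a staple was present but the responder did not report success
# Exit status is 0 only for "good", so the function can gate a deployment check.
staple_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none; return 1 ;;
    esac
    # Trust the Cert Status line only if the responder itself said "successful".
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo malformed
        return 1
    fi
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 1 ;;
        *)       echo unknown; return 1 ;;
    esac
}

# Live check: $1 = host name (hypothetical), $2 = port (default 443).
# SNI is sent so the server picks the matching certificate; stdin is closed
# so s_client exits right after the handshake instead of waiting for input.
check_staple() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | staple_status
}

# Constructed samples of s_client output (trimmed to the relevant lines).
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct 21 07:35:07 2018 GMT
    Next Update: Oct 28 07:35:07 2018 GMT
======================================
---'
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Oct 20 10:00:00 2018 GMT
======================================
---'

# Usage: sh staple-check.sh example.invalid [443]   (host name is hypothetical)
if [ -n "${1:-}" ]; then
    check_staple "$1" "${2:-443}"
fi
```

A "none" result against a Tomcat APR connector means the native library was built without OCSP or the certificate carries no OCSP responder URL in its Authority Information Access extension, which is the "appropriate certificate" condition Mark mentions; "malformed" or "unknown" points at the responder or the fetched response rather than at Tomcat.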