On 15/10/18 16:20, Усманов Азат Анварович wrote: > how do I make sure ocsp is enabled on tomcat native > > when I try to pass --enable-ocsp to tomcat native configure i get > unrecognized option warning
As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to disable OCSP when building on Linux so you should be good with a standard build. Mark > > > ./configure --with-apr=/usr/local/apr > --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl > --enable-ocsp > configure: WARNING: unrecognized options: --enable-ocsp > checking build system type... x86_64-pc-linux-gnu > checking host system type... x86_64-pc-linux-gnu > checking target system type... x86_64-pc-linux-gnu > checking for a BSD-compatible install... /usr/bin/install -c > checking for working mkdir -p... yes > Tomcat Native Version: 1.2.17 > checking for chosen layout... tcnative > checking for APR... yes > configure: APR 1.6.5 detected. > setting CC to "gcc" > setting CPP to "gcc -E" > setting LIBTOOL to "/usr/local/apr/build-1/libtool" > checking JAVA_HOME... /usr/java/jdk1.7.0_79 > adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES > checking for JDK os include directory... linux > adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES > checking for gcc... gcc > checking whether the C compiler works... yes > checking for C compiler default output file name... a.out > checking for suffix of executables... > checking whether we are cross compiling... no > checking for suffix of object files... o > checking whether we are using the GNU C compiler... yes > checking whether gcc accepts -g... yes > checking for gcc option to accept ISO C89... none needed > checking for OpenSSL library... using openssl from > /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include > checking OpenSSL library version >= 1.0.2... ok > checking for OpenSSL DSA support... yes > adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES > setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib > -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto" > adding "-DHAVE_OPENSSL" to CFLAGS > setting TCNATIVE_LIBS to "" > setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt > -lpthread" > checking for apr_pollset_wakeup in -lapr-1... yes > adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS > configure: creating ./config.status > config.status: creating tcnative.pc > config.status: creating Makefile > config.status: executing default commands > configure: WARNING: unrecognized options: --enable-ocsp > > > > ________________________________ > От: Mark Thomas <ma...@apache.org> > Отправлено: 15 октября 2018 г. 15:01:58 > Кому: users@tomcat.apache.org > Тема: Re: OCSP stapling in tomcat 7 with APR > > On 14/10/18 18:45, Усманов Азат Анварович wrote: >> Hello everyone! I have an java 7 web app running on tomcat 7 with >> APR/tomcat-native ON Linux .(OpenSSL 1.1.1) I would like to enable OCSP >> stapling on tomcat >> so that >> When OCSP is enabled, a server will pre-fetch the OCSP response for its own >> certificate and deliver the response to the user's browser during the TLS >> handshake. This eliminates the need to make a separate connection to the >> CA's revocation service before the Web page is displayed, improving the >> page's performance and reliability. >> I did search the mailing list and found this question >> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html >> but that user is using JSSE implementation for TLS not APR >> documentation for tomcat7 does have an example >> >> Connector port="8443" >> protocol="org.apache.coyote.http11.Http11AprProtocol" >> secure="true" scheme="https" >> SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt" >> SSLCertificateKeyFile="/path/to/ocsp-cert.key" >> SSLCACertificateFile="/path/to/ca.pem" >> SSLVerifyClient="require" >> SSLVerifyDepth="10" >> clientAuth="true"/> >> >> >> but that is for client-cert verification, Can we do it on server side? or do >> I miss something on how ocsp is supposed to work in the first place? > > If you build an OCSP enabled version of the APR/native connector, OCSP > stapling should just happen without any additional configuration. > Assuming you use an appropriate certificate etc. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org