Redirect when accessing http://ocsp.comodoca.com could simply be a
trailing slash redirect (Location: http://ocsp.comodoca.com/). You
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).
Regards,
Rainer
Am 17.10.2018 um 15:09 schrieb Усманов Азат Анварович:
SSLLabs test still shows "OCSP stapling no" even with the latest version
openssl
I've tried to test it manually and got an error
openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR
_ieml_ru.crt -text -url http://ocsp.comodoca.com
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Request Extensions:
OCSP Nonce:
041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response
er
ror:crypto/ocsp/ocsp_ht.c:260:Code=301
Not sure what might be the problem?
301 looks like a http error Moved Permamently which is strange because
i tried to access http://ocsp.comodoca.com via wget
wget http://ocsp.comodoca.com
--2018-10-17 16:03:12-- http://ocsp.comodoca.com/
Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
Запрос Proxy послан, ожидается ответ... 200 OK
Длина: 5 [application/ocsp-response]
Saving to: «index.html.7»
100%[===================================================================================================================================================================================================>]
5 --.-K/s в 0s
2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)
any ideas what might be the problem?
________________________________
От: Усманов Азат Анварович <usma...@ieml.ru>
Отправлено: 15 октября 2018 г. 18:20:14
Кому: users@tomcat.apache.org
Тема: Re: OCSP stapling in tomcat 7 with APR
how do I make sure ocsp is enabled on tomcat native
when I try to pass --enable-ocsp to tomcat native configure i get unrecognized
option warning
./configure --with-apr=/usr/local/apr
--with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl
--enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
setting CC to "gcc"
setting CPP to "gcc -E"
setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory... linux
adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from
/usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib
-Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
adding "-DHAVE_OPENSSL" to CFLAGS
setting TCNATIVE_LIBS to ""
setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt
-lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp
________________________________
От: Mark Thomas <ma...@apache.org>
Отправлено: 15 октября 2018 г. 15:01:58
Кому: users@tomcat.apache.org
Тема: Re: OCSP stapling in tomcat 7 with APR
On 14/10/18 18:45, Усманов Азат Анварович wrote:
Hello everyone! I have an java 7 web app running on tomcat 7 with
APR/tomcat-native ON Linux .(OpenSSL 1.1.1) I would like to enable OCSP
stapling on tomcat
so that
When OCSP is enabled, a server will pre-fetch the OCSP response for its own
certificate and deliver the response to the user's browser during the TLS
handshake. This eliminates the need to make a separate connection to the CA's
revocation service before the Web page is displayed, improving the page's
performance and reliability.
I did search the mailing list and found this question
https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
but that user is using JSSE implementation for TLS not APR
documentation for tomcat7 does have an example
Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
secure="true" scheme="https"
SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
SSLCertificateKeyFile="/path/to/ocsp-cert.key"
SSLCACertificateFile="/path/to/ca.pem"
SSLVerifyClient="require"
SSLVerifyDepth="10"
clientAuth="true"/>
but that is for client-cert verification, Can we do it on server side? or do I
miss something on how ocsp is supposed to work in the first place?
If you build an OCSP enabled version of the APR/native connector, OCSP
stapling should just happen without any additional configuration.
Assuming you use an appropriate certificate etc.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
