Just a quick follow up , trying to get some answers, I added include
<stdio.h> to sslutils.c (which has alll the ocsp functions ) to
print some info.I added printf calls to every function defined in
this file. Interestingly enough when I issue the openssl s_client
-connect debug.ieml.ru:8443 -tls1_2 -status -proxy 192.168.1.6:3131
both tls1_2 and tls 1_3 versions and when I access the server from
another machine via browser none of printf calls are displayed,
however, when I issue ssllabs server test (which is also supposedly
capable of detecting ocsp) some of them start to appear. sadly none
of them are ocsp related. I did put basic ifdef test for
HAVE_OCSP_STAPLING, surprisingly it shows that ocsp support is
indeed enabled . So here are both the modified sslutils.c file and
tomcat log snippet (not sure if attachments are allowed on the list
so posting it here )
Not sure where to go from here
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed
with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version
2.0
* (the "License"); you may not use this file except in compliance
with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/** SSL Utilities
*/
#include "tcn.h"
#include <stdio.h>
#ifdef HAVE_OPENSSL
#include "apr_poll.h"
#include "ssl_private.h"
#ifdef WIN32
extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
#endif
#ifdef HAVE_OCSP_STAPLING
#include <openssl/bio.h>
#include <openssl/ocsp.h>
/* defines with the values as seen by the asn1parse -dump openssl
command */
#define ASN1_SEQUENCE 0x30
#define ASN1_OID 0x06
#define ASN1_STRING 0x86
static int ssl_verify_OCSP(X509_STORE_CTX *ctx);
static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX
*ctx);
#endif
/* _________________________________________________________________
**
** Additional High-Level Functions for OpenSSL
** _________________________________________________________________
*/
/* we initialize this index at startup time
* and never write to it at request time,
* so this static is thread safe.
* also note that OpenSSL increments at static variable when
* SSL_get_ex_new_index() is called, so we _must_ do this at startup.
*/
static int SSL_app_data2_idx = -1;
static int SSL_app_data3_idx = -1;
static int SSL_app_data4_idx = -1;
void SSL_init_app_data_idx(void)
{ printf(" SSL_init_app_data_idx\n");
#ifdef HAVE_OCSP_STAPLING
printf("Hi OCSP \n");
#else
printf("Sorry no OCSP support\n");
#endif
int i;
if (SSL_app_data2_idx > -1) {
return;
}
/* we _do_ need to call this twice */
for (i = 0; i <= 1; i++) {
SSL_app_data2_idx =
SSL_get_ex_new_index(0,
"Second Application Data for SSL",
NULL, NULL, NULL);
}
if (SSL_app_data3_idx > -1) {
return;
}
SSL_app_data3_idx =
SSL_get_ex_new_index(0,
"Third Application Data for SSL",
NULL, NULL, NULL);
if (SSL_app_data4_idx > -1) {
return;
}
SSL_app_data4_idx =
SSL_get_ex_new_index(0,
"Fourth Application Data for SSL",
NULL, NULL, NULL);
}
void *SSL_get_app_data2(SSL *ssl)
{
printf("ssl_get_app_data2 \n");
return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
}
void SSL_set_app_data2(SSL *ssl, void *arg)
{
printf("ssl_set_app_data2 \n");
SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
return;
}
void *SSL_get_app_data3(const SSL *ssl)
{
printf("ssl_get_app_data3 \n");
return SSL_get_ex_data(ssl, SSL_app_data3_idx);
}
void SSL_set_app_data3(SSL *ssl, void *arg)
{
printf("ssl_set_app_data3 \n");
SSL_set_ex_data(ssl, SSL_app_data3_idx, arg);
}
void *SSL_get_app_data4(const SSL *ssl)
{
printf("ssl_get_app_data4 \n");
return SSL_get_ex_data(ssl, SSL_app_data4_idx);
}
void SSL_set_app_data4(SSL *ssl, void *arg)
{
printf("ssl_set_app_data4 \n");
SSL_set_ex_data(ssl, SSL_app_data4_idx, arg);
}
/* Simple echo password prompting */
int SSL_password_prompt(tcn_pass_cb_t *data)
{
printf(" SSL_password_prompt\n");
int rv = 0;
data->password[0] = '\0';
if (data->cb.obj) {
JNIEnv *e;
jobject o;
jstring prompt;
tcn_get_java_env(&e);
prompt = AJP_TO_JSTRING(data->prompt);
if ((o = (*e)->CallObjectMethod(e, data->cb.obj,
data->cb.mid[0], prompt))) {
TCN_ALLOC_CSTRING(o);
if (J2S(o)) {
strncpy(data->password, J2S(o), SSL_MAX_PASSWORD_LEN);
data->password[SSL_MAX_PASSWORD_LEN-1] = '\0';
rv = (int)strlen(data->password);
}
TCN_FREE_CSTRING(o);
}
}
else {
#ifdef WIN32
rv = WIN32_SSL_password_prompt(data);
#else
EVP_read_pw_string(data->password, SSL_MAX_PASSWORD_LEN,
data->prompt, 0);
#endif
rv = (int)strlen(data->password);
}
if (rv > 0) {
/* Remove LF char if present */
char *r = strchr(data->password, '\n');
if (r) {
*r = '\0';
rv--;
}
#ifdef WIN32
if ((r = strchr(data->password, '\r'))) {
*r = '\0';
rv--;
}
#endif
}
return rv;
}
int SSL_password_callback(char *buf, int bufsiz, int verify,
void *cb)
{ printf("SSL_password_callback\n");
tcn_pass_cb_t *cb_data = (tcn_pass_cb_t *)cb;
if (buf == NULL)
return 0;
*buf = '\0';
if (cb_data == NULL)
cb_data = &tcn_password_callback;
if (!cb_data->prompt)
cb_data->prompt = SSL_DEFAULT_PASS_PROMPT;
if (cb_data->password[0]) {
/* Return already obtained password */
strncpy(buf, cb_data->password, bufsiz);
buf[bufsiz - 1] = '\0';
return (int)strlen(buf);
}
else {
if (SSL_password_prompt(cb_data) > 0)
strncpy(buf, cb_data->password, bufsiz);
}
buf[bufsiz - 1] = '\0';
return (int)strlen(buf);
}
/* _________________________________________________________________
**
** Custom (EC)DH parameter support
** _________________________________________________________________
*/
DH *SSL_dh_GetParamFromFile(const char *file)
{
printf("SSL_dh_GetParamFromFile\n");
DH *dh = NULL;
BIO *bio;
if ((bio = BIO_new_file(file, "r")) == NULL)
return NULL;
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
return dh;
}
#ifdef HAVE_ECC
EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
{
printf("SSL_ec_GetParamFromFile\n");
EC_GROUP *group = NULL;
BIO *bio;
if ((bio = BIO_new_file(file, "r")) == NULL)
return NULL;
group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
BIO_free(bio);
return (group);
}
#endif
/*
* Hand out standard DH parameters, based on the authentication
strength
*/
DH *SSL_callback_tmp_DH(SSL *ssl, int export, int keylen)
{
printf("SSL_callback_tmp_DH\n");
EVP_PKEY *pkey = SSL_get_privatekey(ssl);
int type = pkey != NULL ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
/*
* OpenSSL will call us with either keylen == 512 or keylen ==
1024
* (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
* Adjust the DH parameter length according to the size of the
* RSA/DSA private key used for the current connection, and always
* use at least 1024-bit parameters.
* Note: This may cause interoperability issues with
implementations
* which limit their DH support to 1024 bit - e.g. Java 7 and
earlier.
* In this case, SSLCertificateFile can be used to specify fixed
* 1024-bit DH parameters (with the effect that OpenSSL skips this
* callback).
*/
if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
keylen = EVP_PKEY_bits(pkey);
}
return SSL_get_dh_params(keylen);
}
/*
* Read a file that optionally contains the server certificate in PEM
* format, possibly followed by a sequence of CA certificates that
* should be sent to the peer in the SSL Certificate message.
*/
int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
int skipfirst)
{
printf("SSL_CTX_use_certificate_chain\n");
BIO *bio;
X509 *x509;
unsigned long err;
int n;
if ((bio = BIO_new(BIO_s_file())) == NULL)
return -1;
if (BIO_read_filename(bio, file) <= 0) {
BIO_free(bio);
return -1;
}
/* optionally skip a leading server certificate */
if (skipfirst) {
if ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL)
{
BIO_free(bio);
return -1;
}
X509_free(x509);
}
/* free a perhaps already configured extra chain */
SSL_CTX_clear_extra_chain_certs(ctx);
/* create new extra chain by loading the certs */
n = 0;
while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL)
{
if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
X509_free(x509);
BIO_free(bio);
return -1;
}
n++;
}
/* Make sure that only the error is just an EOF */
if ((err = ERR_peek_error()) > 0) {
if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
&& ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
BIO_free(bio);
return -1;
}
while (SSL_ERR_get() > 0) ;
}
BIO_free(bio);
return n;
}
/*
* This OpenSSL callback function is called when OpenSSL
* does client authentication and verifies the certificate chain.
*/
int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
{
printf("SSL_callback_SSL_verify\n");
/* Get Apache context back through OpenSSL context */
SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
/* Get verify ingredients */
int errnum = X509_STORE_CTX_get_error(ctx);
int errdepth = X509_STORE_CTX_get_error_depth(ctx);
int verify = con->ctx->verify_mode;
int depth = con->ctx->verify_depth;
#if defined(SSL_OP_NO_TLSv1_3)
con->pha_state = PHA_COMPLETE;
#endif
if (verify == SSL_CVERIFY_UNSET ||
verify == SSL_CVERIFY_NONE) {
return 1;
}
if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
(verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
ok = 1;
SSL_set_verify_result(ssl, X509_V_OK);
}
/*
* Expired certificates vs. "expired" CRLs: by default, OpenSSL
* turns X509_V_ERR_CRL_HAS_EXPIRED into a
"certificate_expired(45)"
* SSL alert, but that's not really the message we should convey
to the
* peer (at the very least, it's confusing, and in many cases,
it's also
* inaccurate, as the certificate itself may very well not have
expired
* yet). We set the X509_STORE_CTX error to something which
OpenSSL's
* s3_both.c:ssl_verify_alarm_type() maps to
SSL_AD_CERTIFICATE_UNKNOWN,
* i.e. the peer will receive a "certificate_unknown(46)" alert.
* We do not touch errnum, though, so that later on we will still
log
* the "real" error, as returned by OpenSSL.
*/
if (!ok && errnum == X509_V_ERR_CRL_HAS_EXPIRED) {
X509_STORE_CTX_set_error(ctx, -1);
}
#ifdef HAVE_OCSP_STAPLING
/* First perform OCSP validation if possible */
if (ok) {
/* If there was an optional verification error, it's not
* possible to perform OCSP validation since the issuer may be
* missing/untrusted. Fail in that case.
*/
if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
X509_STORE_CTX_set_error(ctx,
X509_V_ERR_APPLICATION_VERIFICATION);
errnum = X509_V_ERR_APPLICATION_VERIFICATION;
ok = 0;
}
else {
int ocsp_response = ssl_verify_OCSP(ctx);
if (ocsp_response == OCSP_STATUS_REVOKED) {
ok = 0 ;
errnum = X509_STORE_CTX_get_error(ctx);
}
else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
/* TODO: do nothing for time being */
;
}
}
}
#endif
/*
* If we already know it's not ok, log the real reason
*/
if (!ok) {
/* TODO: Some logging
* Certificate Verification: Error
*/
if (con->peer) {
X509_free(con->peer);
con->peer = NULL;
}
}
if (errdepth > depth) {
/* TODO: Some logging
* Certificate Verification: Certificate Chain too long
*/
ok = 0;
}
return ok;
}
/*
* This callback function is executed while OpenSSL processes the SSL
* handshake and does SSL record layer stuff. It's used to trap
* client-initiated renegotiations, and for dumping everything to the
* log.
*/
void SSL_callback_handshake(const SSL *ssl, int where, int rc)
{
printf("SSL_callback_handshake\n");
tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
#ifdef HAVE_TLSV1_3
const SSL_SESSION *session = SSL_get_session(ssl);
#endif
/* Retrieve the conn_rec and the associated SSLConnRec. */
if (con == NULL) {
return;
}
#ifdef HAVE_TLSV1_3
/* TLS 1.3 does not use renegotiation so do not update the
renegotiation
* state once we know we are using TLS 1.3. */
if (session != NULL) {
if (SSL_SESSION_get_protocol_version(session) ==
TLS1_3_VERSION) {
return;
}
}
#endif
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
if ((where & SSL_CB_HANDSHAKE_START) &&
con->reneg_state == RENEG_REJECT) {
con->reneg_state = RENEG_ABORT;
}
/* If the first handshake is complete, change state to reject any
* subsequent client-initated renegotiation. */
else if ((where & SSL_CB_HANDSHAKE_DONE) && con->reneg_state ==
RENEG_INIT) {
con->reneg_state = RENEG_REJECT;
}
}
int SSL_callback_next_protos(SSL *ssl, const unsigned char **data,
unsigned int *len, void *arg)
{
printf("SSL_callback_next_protos\n");
tcn_ssl_ctxt_t *ssl_ctxt = arg;
*data = ssl_ctxt->next_proto_data;
*len = ssl_ctxt->next_proto_len;
return SSL_TLSEXT_ERR_OK;
}
/* The code here is inspired by nghttp2
*
* See
https://github.com/tatsuhiro-t/nghttp2/blob/ae0100a9abfcf3149b8d9e62aae216e946b517fb/src/shrpx_ssl.cc#L244
*/
int select_next_proto(SSL *ssl, const unsigned char **out, unsigned
char *outlen,
const unsigned char *in, unsigned int inlen, unsigned char
*supported_protos,
unsigned int supported_protos_len, int failure_behavior) {
printf("select_next_proto\n");
unsigned int i = 0;
unsigned char target_proto_len;
const unsigned char *p;
const unsigned char *end;
const unsigned char *proto;
unsigned char proto_len = '\0';
while (i < supported_protos_len) {
target_proto_len = *supported_protos;
++supported_protos;
p = in;
end = in + inlen;
while (p < end) {
proto_len = *p;
proto = ++p;
if (proto + proto_len <= end && target_proto_len ==
proto_len &&
memcmp(supported_protos, proto, proto_len) == 0) {
// We found a match, so set the output and return with
OK!
*out = proto;
*outlen = proto_len;
return SSL_TLSEXT_ERR_OK;
}
// Move on to the next protocol.
p += proto_len;
}
// increment len and pointers.
i += target_proto_len;
supported_protos += target_proto_len;
}
if (supported_protos_len > 0 && inlen > 0 && failure_behavior ==
SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL) {
// There were no match but we just select our last protocol
and hope the other peer support it.
//
// decrement the pointer again so the pointer points to the
start of the protocol.
p -= proto_len;
*out = p;
*outlen = proto_len;
return SSL_TLSEXT_ERR_OK;
}
// TODO: OpenSSL currently not support to fail with fatal error.
Once this changes we can also support it here.
// Issue https://github.com/openssl/openssl/issues/188 has
been created for this.
// Nothing matched so not select anything and just accept.
return SSL_TLSEXT_ERR_NOACK;
}
int SSL_callback_select_next_proto(SSL *ssl, unsigned char **out,
unsigned char *outlen,
const unsigned char *in, unsigned int inlen,
void *arg) {
printf("ssl_callback_select_next_proto\n");
tcn_ssl_ctxt_t *ssl_ctxt = arg;
return select_next_proto(ssl, (const unsigned char **) out,
outlen, in, inlen, ssl_ctxt->next_proto_data,
ssl_ctxt->next_proto_len, ssl_ctxt->next_selector_failure_behavior);
}
int SSL_callback_alpn_select_proto(SSL* ssl, const unsigned char
**out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen, void *arg) {
tcn_ssl_ctxt_t *ssl_ctxt = arg;
printf("ssl_callback_alpn_select_proto\n");
return select_next_proto(ssl, out, outlen, in, inlen,
ssl_ctxt->alpn_proto_data, ssl_ctxt->alpn_proto_len,
ssl_ctxt->alpn_selector_failure_behavior);
}
#ifdef HAVE_OCSP_STAPLING
/* Function that is used to do the OCSP verification */
static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
{
printf("ssl_verify_OCSP\n");
X509 *cert, *issuer;
int r = OCSP_STATUS_UNKNOWN;
printf("Hello, OCSP\n");
cert = X509_STORE_CTX_get_current_cert(ctx);
if (!cert) {
printf("CERT NOT OK\n");
/* starting with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
* may yield NULL. Return early, but leave the ctx error as
is. */
return OCSP_STATUS_UNKNOWN;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK)
{
#else
/* No need to check cert->valid, because ssl_verify_OCSP() only
* is called if OpenSSL already successfully verified the
certificate
* (parameter "ok" in SSL_callback_SSL_verify() must be true).
*/
else if (X509_check_issued(cert,cert) == X509_V_OK) {
#endif
/* don't do OCSP checking for valid self-issued certs */
X509_STORE_CTX_set_error(ctx, X509_V_OK);
return OCSP_STATUS_UNKNOWN;
}
/* if we can't get the issuer, we cannot perform OCSP verification
*/
issuer = X509_STORE_CTX_get0_current_issuer(ctx);
if (issuer != NULL) {
r = ssl_ocsp_request(cert, issuer, ctx);
switch (r) {
case OCSP_STATUS_OK:
X509_STORE_CTX_set_error(ctx, X509_V_OK);
break;
case OCSP_STATUS_REVOKED:
/* we set the error if we know that it is revoked */
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
break;
case OCSP_STATUS_UNKNOWN:
/* ssl_ocsp_request() sets the error correctly already. */
break;
}
}
return r;
}
/* Helps with error handling or realloc */
static void *apr_xrealloc(void *buf, size_t oldlen, size_t len,
apr_pool_t *p)
{
printf("apr_xrealloc\n");
void *newp = apr_palloc(p, len);
if(newp)
memcpy(newp, buf, oldlen);
return newp;
}
/* Parses an ASN.1 length.
* On entry, asn1 points to the current tag.
* Updates the pointer to the ASN.1 structure to point to the start of
the data.
* Returns 0 on success, 1 on failure.
*/
static int parse_asn1_length(unsigned char **asn1, int *len) {
printf("parse_asn1_length\n");
/* Length immediately follows tag so increment before reading
first (and
* possibly only) length byte.
*/
(*asn1)++;
if (**asn1 & 0x80) {
// MSB set. Remaining bits are number of bytes used to store
the length.
int i, l;
// How many bytes for this length?
i = **asn1 & 0x7F;
if (i == 0) {
/* This is the indefinite form of length. Since
certificates use DER
* this should never happen and is therefore an error.
*/
return 1;
}
if (i > 3) {
/* Three bytes for length gives a maximum of 16MB which
should be
* far more than is required. (2 bytes is 64K which is
probably more
* than enough but play safe.)
*/
return 1;
}
// Most significant byte is first
l = 0;
while (i > 0) {
l <<= 8;
(*asn1)++;
l += **asn1;
i--;
}
*len = l;
} else {
// Single byte length
*len = **asn1;
}
(*asn1)++;
return 0;
}
/* parses the ocsp url and updates the ocsp_urls and nocsp_urls
variables
returns 0 on success, 1 on failure */
static int parse_ocsp_url(unsigned char *asn1, char ***ocsp_urls,
int *nocsp_urls, apr_pool_t *p)
{
printf("parse_ocsp_url\n");
char **new_ocsp_urls, *ocsp_url;
int len, err = 0, new_nocsp_urls;
if (*asn1 == ASN1_STRING) {
err = parse_asn1_length(&asn1, &len);
if (!err) {
new_nocsp_urls = *nocsp_urls+1;
if ((new_ocsp_urls = apr_xrealloc(*ocsp_urls,*nocsp_urls,
new_nocsp_urls, p)) == NULL)
err = 1;
}
if (!err) {
*ocsp_urls = new_ocsp_urls;
*nocsp_urls = new_nocsp_urls;
*(*ocsp_urls + *nocsp_urls) = NULL;
if ((ocsp_url = apr_palloc(p, len + 1)) == NULL) {
err = 1;
}
else {
memcpy(ocsp_url, asn1, len);
ocsp_url[len] = '\0';
*(*ocsp_urls + *nocsp_urls - 1) = ocsp_url;
}
}
}
return err;
}
/* parses the ANS1 OID and if it is an OCSP OID then calls the
parse_ocsp_url function */
static int parse_ASN1_OID(unsigned char *asn1, char ***ocsp_urls, int
*nocsp_urls, apr_pool_t *p)
{
printf("PARSE OCSP_OID\n");
int len, err = 0 ;
const unsigned char OCSP_OID[] = {0x2b, 0x06, 0x01, 0x05, 0x05,
0x07, 0x30, 0x01};
err = parse_asn1_length(&asn1, &len);
if (!err && len == 8 && memcmp(asn1, OCSP_OID, 8) == 0) {
asn1+=len;
err = parse_ocsp_url(asn1, ocsp_urls, nocsp_urls, p);
}
return err;
}
/* Parses an ASN1 Sequence. It is a recursive function, since if it
finds a sequence
within the sequence it calls recursively itself. This function
stops when it finds
the end of the ASN1 sequence (marked by '\0'), so if there are
other sequences within
the same sequence the while loop parses the sequences */
/* This algo was developed with AIA in mind so it was tested only with
this extension */
static int parse_ASN1_Sequence(unsigned char *asn1, char ***ocsp_urls,
int *nocsp_urls, apr_pool_t *p)
{
printf("parse_ASN1_Sequence\n");
int len = 0 , err = 0;
while (!err && *asn1 != '\0') {
switch(*asn1) {
case ASN1_SEQUENCE:
err = parse_asn1_length(&asn1, &len);
if (!err) {
err = parse_ASN1_Sequence(asn1, ocsp_urls,
nocsp_urls, p);
}
break;
case ASN1_OID:
err = parse_ASN1_OID(asn1,ocsp_urls,nocsp_urls, p);
return err;
break;
default:
err = 1; /* we shouldn't have any errors */
break;
}
asn1+=len;
}
return err;
}
/* the main function that gets the ASN1 encoding string and returns
a pointer to a NULL terminated "array" of char *, that contains
the ocsp_urls */
static char **decode_OCSP_url(ASN1_OCTET_STRING *os, apr_pool_t *p)
{
printf("decode_OCSP_url\n");
char **response = NULL;
unsigned char *ocsp_urls;
int len, numofresponses = 0 ;
len = ASN1_STRING_length(os);
ocsp_urls = apr_palloc(p, len + 1);
memcpy(ocsp_urls,os->data, len);
ocsp_urls[len] = '\0';
if ((response = apr_pcalloc(p, sizeof(char *))) == NULL)
return NULL;
if (parse_ASN1_Sequence(ocsp_urls, &response, &numofresponses, p))
response = NULL;
return response;
}
/* stolen from openssl ocsp command */
static int add_ocsp_cert(OCSP_REQUEST *req, X509 *cert, X509 *issuer)
{
printf("add_ocsp_cert\n");
OCSP_CERTID *id;
if (!issuer)
return 0;
id = OCSP_cert_to_id(NULL, cert, issuer);
if (!id)
return 0;
if (!OCSP_request_add0_id(req, id)) {
OCSP_CERTID_free(id);
return 0;
} else {
/* id will be freed by OCSP_REQUEST_free() */
return 1;
}
}
/* Creates the APR socket and connect to the hostname. Returns the
socket or NULL if there is an error.
*/
static apr_socket_t *make_socket(char *hostname, int port, apr_pool_t
*mp)
{
printf("*make_socket\n");
apr_sockaddr_t *sa_in;
apr_status_t status;
apr_socket_t *sock = NULL;
status = apr_sockaddr_info_get(&sa_in, hostname, APR_INET, port,
0, mp);
if (status == APR_SUCCESS)
status = apr_socket_create(&sock, sa_in->family, SOCK_STREAM,
APR_PROTO_TCP, mp);
if (status == APR_SUCCESS)
status = apr_socket_connect(sock, sa_in);
if (status == APR_SUCCESS)
return sock;
return NULL;
}
/* Creates the request in a memory BIO in order to send it to the OCSP
server.
Most parts of this function are taken from mod_ssl support for OCSP
(with some
minor modifications
*/
static BIO *serialize_request(OCSP_REQUEST *req, char *host, int port,
char *path)
{
printf("serialize_request\n");
BIO *bio;
int len;
len = i2d_OCSP_REQUEST(req, NULL);
bio = BIO_new(BIO_s_mem());
BIO_printf(bio, "POST %s HTTP/1.0\r\n"
"Host: %s:%d\r\n"
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n"
"\r\n",
path, host, port, len);
if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
BIO_free(bio);
return NULL;
}
return bio;
}
/* Send the OCSP request to the OCSP server. Taken from mod_ssl OCSP
support */
static int ocsp_send_req(apr_socket_t *sock, BIO *req)
{
printf("ocsp_send_req\n");
int len;
char buf[TCN_BUFFER_SZ];
apr_status_t rv;
while ((len = BIO_read(req, buf, sizeof buf)) > 0) {
char *wbuf = buf;
apr_size_t remain = len;
do {
apr_size_t wlen = remain;
rv = apr_socket_send(sock, wbuf, &wlen);
wbuf += remain;
remain -= wlen;
} while (rv == APR_SUCCESS && remain > 0);
if (rv != APR_SUCCESS) {
return 0;
}
}
return 1;
}
/* Parses the buffer from the response and extracts the OCSP response.
Taken from openssl library */
static OCSP_RESPONSE *parse_ocsp_resp(char *buf, int len)
{
printf("parse_ocsp_resp\n");
BIO *mem = NULL;
char tmpbuf[1024];
OCSP_RESPONSE *resp = NULL;
char *p, *q, *r;
int retcode;
mem = BIO_new(BIO_s_mem());
if(mem == NULL)
return NULL;
BIO_write(mem, buf, len); /* write the buffer to the bio */
if (BIO_gets(mem, tmpbuf, 512) <= 0) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
#endif
goto err;
}
/* Parse the HTTP response. This will look like this:
* "HTTP/1.0 200 OK". We need to obtain the numeric code and
* (optional) informational message.
*/
/* Skip to first white space (passed protocol info) */
for (p = tmpbuf; *p && !apr_isspace(*p); p++)
continue;
if (!*p) {
goto err;
}
/* Skip past white space to start of response code */
while (apr_isspace(*p))
p++;
if (!*p) {
goto err;
}
/* Find end of response code: first whitespace after start of code
*/
for (q = p; *q && !apr_isspace(*q); q++)
continue;
if (!*q) {
goto err;
}
/* Set end of response code and start of message */
*q++ = 0;
/* Attempt to parse numeric code */
retcode = strtoul(p, &r, 10);
if (*r)
goto err;
/* Skip over any leading white space in message */
while (apr_isspace(*q))
q++;
if (*q) {
/* Finally zap any trailing white space in message (include
CRLF) */
/* We know q has a non white space character so this is OK */
for(r = q + strlen(q) - 1; apr_isspace(*r); r--) *r = 0;
}
if (retcode != 200) {
goto err;
}
/* Find blank line marking beginning of content */
while (BIO_gets(mem, tmpbuf, 512) > 0) {
for (p = tmpbuf; apr_isspace(*p); p++)
continue;
if (!*p)
break;
}
if (*p) {
goto err;
}
if (!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) {
goto err;
}
err:
/* XXX No error logging? */
BIO_free(mem);
return resp;
}
/* Reads the response from the APR socket to a buffer, and parses the
buffer to
return the OCSP response */
#define ADDLEN 512
static OCSP_RESPONSE *ocsp_get_resp(apr_pool_t *mp, apr_socket_t
*sock)
{
printf("ocsp_get_resp\n");
int buflen;
apr_size_t totalread = 0;
apr_size_t readlen;
char *buf, tmpbuf[ADDLEN];
apr_status_t rv = APR_SUCCESS;
apr_pool_t *p;
OCSP_RESPONSE *resp;
apr_pool_create(&p, mp);
buflen = ADDLEN;
buf = apr_palloc(p, buflen);
if (buf == NULL) {
apr_pool_destroy(p);
return NULL;
}
while (rv == APR_SUCCESS ) {
readlen = sizeof(tmpbuf);
rv = apr_socket_recv(sock, tmpbuf, &readlen);
if (rv == APR_SUCCESS) { /* if we have read something .. we
can put it in the buffer*/
if ((totalread + readlen) >= buflen) {
buf = apr_xrealloc(buf, buflen, buflen + ADDLEN, p);
if (buf == NULL) {
apr_pool_destroy(p);
return NULL;
}
buflen += ADDLEN; /* if needed we enlarge the buffer
*/
}
memcpy(buf + totalread, tmpbuf, readlen); /* the copy to
the buffer */
totalread += readlen; /* update the total bytes read */
}
else {
if (rv == APR_EOF && readlen == 0)
; /* EOF, normal situation */
else if (readlen == 0) {
/* Not success, and readlen == 0 .. some error */
apr_pool_destroy(p);
return NULL;
}
}
}
resp = parse_ocsp_resp(buf, buflen);
apr_pool_destroy(p);
return resp;
}
/* Creates and OCSP request and returns the OCSP_RESPONSE */
static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, X509 *cert,
X509 *issuer, char *url)
{
printf("get_ocsp_response\n");
OCSP_RESPONSE *ocsp_resp = NULL;
OCSP_REQUEST *ocsp_req = NULL;
BIO *bio_req;
char *hostname, *path, *c_port;
int port, use_ssl;
int ok = 0;
apr_socket_t *apr_sock = NULL;
apr_pool_t *mp;
if (OCSP_parse_url(url,&hostname, &c_port, &path, &use_ssl) == 0 )
goto end;
if (sscanf(c_port, "%d", &port) != 1)
goto end;
/* Create the OCSP request */
ocsp_req = OCSP_REQUEST_new();
if (ocsp_req == NULL)
goto end;
if (add_ocsp_cert(ocsp_req,cert,issuer) == 0 )
goto free_req;
/* create the BIO with the request to send */
bio_req = serialize_request(ocsp_req, hostname, port, path);
if (bio_req == NULL) {
goto free_req;
}
apr_pool_create(&mp, p);
apr_sock = make_socket(hostname, port, mp);
if (apr_sock == NULL) {
goto free_bio;
}
ok = ocsp_send_req(apr_sock, bio_req);
if (ok) {
ocsp_resp = ocsp_get_resp(mp, apr_sock);
}
apr_socket_close(apr_sock);
free_bio:
BIO_free(bio_req);
apr_pool_destroy(mp);
free_req:
OCSP_REQUEST_free(ocsp_req);
end:
OPENSSL_free(hostname);
OPENSSL_free(c_port);
OPENSSL_free(path);
return ocsp_resp;
}
/* Process the OCSP_RESPONSE and returns the corresponding
answert according to the status.
*/
static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert,
X509 *issuer)
{
printf("process_ocsp_response\n");
int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *ss;
OCSP_CERTID *certid;
r = OCSP_response_status(ocsp_resp);
if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
return OCSP_STATUS_UNKNOWN;
}
bs = OCSP_response_get1_basic(ocsp_resp);
certid = OCSP_cert_to_id(NULL, cert, issuer);
if (certid == NULL) {
return OCSP_STATUS_UNKNOWN;
}
ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find
by serial number and get the matching response */
i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
if (i == V_OCSP_CERTSTATUS_GOOD)
o = OCSP_STATUS_OK;
else if (i == V_OCSP_CERTSTATUS_REVOKED)
o = OCSP_STATUS_REVOKED;
else if (i == V_OCSP_CERTSTATUS_UNKNOWN)
o = OCSP_STATUS_UNKNOWN;
/* we clean up */
OCSP_CERTID_free(certid);
OCSP_BASICRESP_free(bs);
return o;
}
static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX
*ctx)
{
printf("ssl_ocsp_request\n");
char **ocsp_urls = NULL;
int nid;
X509_EXTENSION *ext;
ASN1_OCTET_STRING *os;
apr_pool_t *p;
apr_pool_create(&p, NULL);
/* Get the proper extension */
nid = X509_get_ext_by_NID(cert,NID_info_access,-1);
if (nid >= 0 ) {
ext = X509_get_ext(cert,nid);
os = X509_EXTENSION_get_data(ext);
ocsp_urls = decode_OCSP_url(os, p);
}
printf("OCSP request\n");
/* if we find the extensions and we can parse it check
the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
if (ocsp_urls != NULL) {
printf("ocsp url not null\n");
OCSP_RESPONSE *resp;
int rv = OCSP_STATUS_UNKNOWN;
/* for the time being just check for the fist response .. a
better
approach is to iterate for all the possible ocsp urls */
resp = get_ocsp_response(p, cert, issuer, ocsp_urls[0]);
if (resp != NULL) {
rv = process_ocsp_response(resp, cert, issuer);
} else {
/* correct error code for application errors? */
X509_STORE_CTX_set_error(ctx,
X509_V_ERR_APPLICATION_VERIFICATION);
}
if (resp != NULL) {
OCSP_RESPONSE_free(resp);
apr_pool_destroy(p);
return rv;
}
}
apr_pool_destroy(p);
return OCSP_STATUS_UNKNOWN;
}
#endif /* HAVE_OCSP_STAPLING */
#endif /* HAVE_OPENSSL */
-----------------------------------------tomcat log
27-May-2019 14:15:59.727 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 31619 ms
SSL_init_app_data_idx
Hi OCSP
ssl_set_app_data3
ssl_set_app_data4
ssl_set_app_data2
ssl_get_app_data3
ssl_get_app_data4
ssl_get_app_data4
SSL_dh_GetParamFromFile
SSL_ec_GetParamFromFile
SSL_CTX_use_certificate_chain
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_next_protos
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_next_protos
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_next_protos
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_next_protos
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_next_protos
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callback_alpn_select_proto
select_next_proto
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_set_app_data2
SSL_callback_handshake
SSL_callback_handshake
SSL_callback_handshake
ssl_callbac
________________________________
От: Усманов Азат Анварович <usma...@ieml.ru>
Отправлено: 24 мая 2019 г. 7:21
Кому: Tomcat Users List
Тема: Re: OCSP with openSSL
Chris,
Yes the version is the same in
/usr/local/openssl/bin/openssl as well.
It is the same version Tomcat uses,I get this info in the logs
23-May-2019 12:55:42.145 INFO [main] org.apache.catalina.core.AprLife
cycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL
1.1.1a 20 Nov 2018]
________________________________
От: Christopher Schultz <ch...@christopherschultz.net>
Отправлено: 23 мая 2019 г. 18:04:29
Кому: Усманов Азат Анварович
Тема: Re: OCSP with openSSL
Азат,
On 5/22/19 14:02, Усманов Азат Анварович wrote:
[root] ~# openssl version
OpenSSL 1.1.1a 20 Nov 2018
Great. Is this also the same version in
/usr/local/openssl/bin/openssl?
[root] ~# openssl ocsp -help
Usage: ocsp [options]
Excellent.
When you launch Tomcat, are you getting a message about the version of
OpenSSL in use, and does it agree with above?
AFAIK, OCSP is enabled by default in libtcnative. There were some
posts
a few months/years ago about someone trying to get it to work, and
having to edit the JVM's security.properties file and all kinds of
weird
stuff. I must admit it didn't make any sense to me at the time. I'm
sorry, but I don't personally have any experience with dealing with
OCSP, but hopefully this additio0nal information will give someone
else
some good info.
-chris
________________________________
От: Christopher Schultz <ch...@christopherschultz.net>
Отправлено: 22 мая 2019 г. 19:45
Кому: users@tomcat.apache.org
Тема: Re: OCSP with openSSL
Усманов,
On 5/22/19 07:28, Усманов Азат Анварович wrote:
Mark, I installed it just by downloading tcnative src tar.gz
file from tomcat website and issued ./configure
--with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79
-with-ssl=/usr/local/openssl && make && make install && make clean
I'm not sure how to specify any ocsp related configure options
when building tomcat native from source
What is your OpenSSL version and capabilities?
$ openssl version
$ openssl -help
$ openssl ocsp -help
-chris
________________________________ От: Mark Thomas
<ma...@apache.org> Отправлено: 22 мая 2019 г. 13:41 Кому:
users@tomcat.apache.org Тема: Re: OCSP with openSSL
On 22/05/2019 11:28, Усманов Азат Анварович wrote:
Hi everyone! I have a web app running on tomcat and java 7 using
apr for TLS related issues. I m still unable to have OCSP
verification working with tomcat.
<snip/>
I have tried running tcpdump on the server but don't' see any
Comodo related IP addresses in the output when I access the
server in question in the browser. At this point I don't know
what else to do, If it was java I would just put some
System.out.println statements in OCSP SSL related source code and
recompile the tomcat source, but since in my case tomcat uses
OpenSSL and tomcat native I'm not sure how/where to do that. the
only places I found in the TC-native source that mentions OCSP
is sslutils.c source file. I'm not sure when/ if it is actually
gets called in my case. Maybe be someone with more c experience
c++ would help me with that. I really want to get to the bottom
of this. Any help is appreciated my tomcat version is 8.5.39 APR
based Apache Tomcat Native library [1.2.21] using APR version
[1.6.5]. Openssl version is [OpenSSL 1.1.1a 20 Nov 2018 OS:
Linux RHEL 6.6
How did you build the Tomcat Native library? Was OCSP enabled?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org