Mark,
> On 17.06.2019 at 18:00, Mark Thomas <ma...@apache.org> wrote:
>
> On 17/06/2019 15:51, logo wrote:
>> Mark,
>>
>>
>> On 2019-06-17 16:29, Mark Thomas wrote:
>>> On 17/06/2019 15:15, logo wrote:
>>>> Hi Mark,
>>>>
>>>> having been in contact with Усманов, I can confirm your summary.
>>>>
>>>> May I add my question from February with additional info to this thread:
>>>> https://markmail.org/message/zvziqrhm32bctm7e
>>>
>>> Thanks.
>>>
>>> Progress can be tracked here:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56148
>>>
>>> At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support
>>> OCSP stapling with appropriate configuration.
>>>
>>
>> Do you mean on trunk or really only configuration?
>>
>> I just tried it on 8.5.42 and it will not send the message on my
>> letsencrypt cert.
>>
>> If it should work out of the box, do you mind sharing the "appropriate"
>> config here?
>
> I was testing Tomcat 9.0.x (latest source from Git) but with the
> knowledge that we haven't made *any* changes to Tomcat to support OCSP
> stapling and that 9.0.x and 8.5.x have very similar TLS code.
>
> I have just tested with 8.5.42. Both NIO+JSSE and NIO2+JSSE support OCSP
> stapling. My Connector configuration is:
>
> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            port="8443"
>            proxyPort="443"
>            maxThreads="150"
>            useAsyncIO="true"
>            SSLEnabled="true">
>   <UpgradeProtocol
>       className="org.apache.coyote.http2.Http2Protocol"
>       useSendfile="false"
>       maxConcurrentStreamExecution="50" />
>   <SSLHostConfig>
>     <Certificate certificateKeyFile="/.../privkey.pem"
>                  certificateFile="/.../cert.pem"
>                  certificateChainFile="/.../chain.pem"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> Mark
>

I'm lost. My conf is pretty much similar.
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           allowTrace="false"
           maxThreads="150"
           SSLEnabled="true"
           compression="off"
           scheme="https"
           server="Apache Tomcat"
           secure="true"
           defaultSSLHostConfigName="xxx" >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                   compression="on" />
  <SSLHostConfig hostName="x (from the LE cert)"
                 honorCipherOrder="true"
                 certificateVerification="none"
                 protocols="TLSv1.2+TLSv1.3"
                 ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                 certificateKeystorePassword="xxx"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

JAVA_OPTS are set (startup logs show

17-Jun-2019 16:46:48.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.server.enableStatusRequestExtension=true
)

I use a JSSE keystore that contains the correct cert. Openssl syntax did not change anything.

Running openssl to the letsencrypt ocsp responder from the machine gives a positive result. Tcpdump shows data.
$ openssl ocsp -verify_other intermediate.pem -issuer intermediate.pem -cert xxx.crt -text -url http://ocsp.int-x3.letsencrypt.org -header "Host=ocsp.int-x3.letsencrypt.org"
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 041237E97D620E10AFA0442E9C1D7B588046
    Request Extensions:
        OCSP Nonce:
            0410E8ED9179F620FD43BBCC4C81EC432CFB
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jun 15 23:48:00 2019 GMT
…
Response verify OK

But once I connect to tomcat from outside, I don't see any tcpdump traffic.

$ openssl s_client -connect xxx.dedyn.io:8443 -servername xxx.dedyn.io -tlsextdebug -status
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00                                                .
TLS server extension "server name" (id=0), len=0
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
*****OCSP response: no response sent*****
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = xxx.dedyn.io
verify return:1
---
Certificate chain
 0 s:/CN=xxx.dedyn.io
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----

Any debug info I can create?

Thanks

Peter
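To make the `openssl s_client -tlsextdebug -status` check from this thread repeatable from a monitoring job, here is an added Python example (not part of the thread, and not Tomcat or JDK code) that parses that output and reports whether the server stapled an OCSP response and what the stapled status was. The two sample outputs are constructed in the shape OpenSSL prints, and the host name example.test is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class StaplingResult:
    stapled: bool                   # server included a stapled OCSP response
    response_status: Optional[str]  # e.g. "successful" (None if not stapled)
    cert_status: Optional[str]      # "good" / "revoked" / "unknown" (None if not stapled)
    server_extensions: List[str]    # extension names echoed by the server (-tlsextdebug)

def parse_s_client_status(output: str) -> StaplingResult:
    """Parse `openssl s_client -tlsextdebug -status` output: OpenSSL prints either
    'OCSP response: no response sent' or a decoded 'OCSP Response Data:' block."""
    exts = re.findall(r'TLS server extension "([^"]+)"', output)
    if re.search(r"OCSP response:\s*no response sent", output):
        return StaplingResult(False, None, None, exts)
    if "OCSP Response Data:" not in output:
        return StaplingResult(False, None, None, exts)  # no marker: -status missing or handshake failed
    status = re.search(r"OCSP Response Status:\s*(\w+)", output)
    cert = re.search(r"Cert Status:\s*(\w+)", output)
    return StaplingResult(True, status.group(1) if status else None,
                          cert.group(1) if cert else None, exts)

def stapling_verdict(result: StaplingResult) -> str:
    # One-line verdict a monitoring job can log or alert on.
    if not result.stapled:
        return ("not stapled: no OCSP response in the handshake; for Tomcat with JSSE confirm "
                "the JVM runs with -Djdk.tls.server.enableStatusRequestExtension=true")
    if result.response_status == "successful" and result.cert_status == "good":
        return "stapled: responder status successful, certificate status good"
    return f"stapled but unhealthy: responder {result.response_status}, cert {result.cert_status}"

# Constructed samples (not real captures), in the shape OpenSSL prints.
SAMPLE_NOT_STAPLED = """\
CONNECTED(00000003)
TLS server extension "server name" (id=0), len=0
TLS server extension "session ticket" (id=35), len=0
*****OCSP response: no response sent*****
depth=0 CN = example.test
"""
SAMPLE_STAPLED = """\
CONNECTED(00000003)
TLS server extension "status request" (id=5), len=0
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================
"""
```

Pipe a real capture in with `openssl s_client ... -status < /dev/null | python -c '...'` and alert whenever the verdict does not start with "stapled:".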