On 05/12/2025 09:43, Michael Osipov wrote:
> On 2025/12/04 16:38:04 Mark Thomas wrote:
>> Hi all,
>> Just a quick update.
>> Generally, things are moving forward nicely. OCSP protocol is working
>> (at a basic level) for:
>> - pure JSSE
>> - Tomcat Native / OpenSSL with JSSE trust
>> - Tomcat Native / OpenSSL with OpenSSL trust
>> - FFM / OpenSSL with JSSE trust
>> - FFM / OpenSSL with OpenSSL trust
>> I'm starting to look at aligning checks that JSSE and OpenSSL perform
>> and I am starting to reach the limits of what is possible with
>> pre-generated OCSP responses - particularly time based validation.
>> I think I am going to need to re-work the OCSP tests to use a "real"
>> OCSP responder. My plan is to use openssl (since it is required for
>> these tests anyway) and an expanded set of the keys/certs we currently use for
>> the other TLS tests.
>> We are starting to see dependencies on new Tomcat Native features so
>> some of the changes to 12.0.x will need to wait until the next Tomcat
>> Native release is available. I do plan to commit the changes I can as
>> soon as I am confident that they are stable.
> A few remarks on OCSP: I noticed it with mutual TLS auth a few years ago and never understood why Rainer did this. I
> instantly had to set: <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
> because it is a custom hack in libtcnative to always enable OCSP checks and our OCSP responder was very
> often very slow. I had to read the source code and trace system calls to understand what is going on. It
> would be better to do what mod_ssl does:
> https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslocspenable

I had already opted to disable OCSP checking by default so you should be
good.
Thanks again to Rémy and Dimitris who have provided the basis for a lot
of the additional code.
I now have Tomcat Native and Tomcat trunk patches that work together and
they should be consistent. OCSP testing is extended to include soft
fails (no and slow responders), all 5 variations of TLS config for a
single Connector and the 2017 security issue.
The additional OCSP checks broke the existing checks in a number of ways
(no nonce, old timestamp) so I think I'm going to have to remove them.
My plan is to commit the changes to Tomcat Native, produce 2.0.x and
1.3.x releases and then commit the changes to Tomcat. There might be a
few early changes to Tomcat to account for new OCSP functionality else
we may start to see CI failures as we test latest Tomcat code with
latest Tomcat Native code.
Before I do that, I want to look at what went wrong with the Windows
binaries for the Commons Daemon 1.5.0 release.
Mark