[Bug 56148] support (multiple) ocsp stapling

2024-07-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Mark Thomas  changed:

What      | Removed  | Added
----------+----------+-----------
Component | Catalina | Connectors

--- Comment #18 from Mark Thomas  ---
Correct component after move to Tomcat 9.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 56148] support (multiple) ocsp stapling

2024-07-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Mark Thomas  changed:

What             | Removed     | Added
-----------------+-------------+------------
Version          | 8.5.x-trunk | unspecified
Product          | Tomcat 8    | Tomcat 9
Component        | Connectors  | Catalina
Target Milestone |             | -

--- Comment #17 from Mark Thomas  ---
Tomcat 8 has reached End Of Life. Moving this bug to Tomcat 9.




[Bug 56148] support (multiple) ocsp stapling

2023-06-09 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #16 from Mark Thomas  ---
Plans haven't changed from comment #6. Patches still welcome. I'm expecting the
OpenSSL 3.0.x and 1.1.1 solutions to look broadly similar (but haven't looked
at the code).




[Bug 56148] support (multiple) ocsp stapling

2023-06-09 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #15 from logo  ---
Mark,

Would you mind updating your plans for this request?

It may be outdated as to Tomcat version, OpenSSL 1.1.1 vs. 3.1 and usage of
Tomcat native.

Nevertheless it would be great to have this working.

I create all my certs with the "OCSP must staple" extension, but for Tomcat I
have to work around this bug.

Thank you.

Peter




[Bug 56148] support (multiple) ocsp stapling

2021-05-05 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Mark Thomas  changed:

What             | Removed     | Added
-----------------+-------------+------------
Version          | unspecified | 8.5.x-trunk
Product          | Tomcat 7    | Tomcat 8
Component        | Connectors  | Connectors
Target Milestone | ---         |

--- Comment #14 from Mark Thomas  ---
With Tomcat 7 reaching EOL, move the remaining open enhancement requests to
Tomcat 8.




[Bug 56148] support (multiple) ocsp stapling

2020-09-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #13 from Mark Thomas  ---
(In reply to Azat from comment #12)
> (In reply to Mark Thomas from comment #11)
> > It is on the TODO list but there are quite a few things ahead of it on the
> > list.
> 
> Couple of questions to Mark related to this bug:
> 1) is this enhancement request still on your TODO list?

Yes.

> 2) if this issue doesn't get implemented before Tomcat 7 EOL date next March
> what will happen with it? Do I then need to generate a new bugzilla issue
> against Tomcat 8.5?

No. We'll review all the open 7.0.x issues at that point and unless they are
Tomcat 7.0.x specific (most aren't) we'll bulk update them to 8.5.x.




[Bug 56148] support (multiple) ocsp stapling

2020-09-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #12 from Azat  ---
(In reply to Mark Thomas from comment #11)
> It is on the TODO list but there are quite a few things ahead of it on the
> list.

Couple of questions to Mark related to this bug:
1) is this enhancement request still on your TODO list?
2) if this issue doesn't get implemented before Tomcat 7 EOL date next March
what will happen with it? Do I then need to generate a new bugzilla issue
against Tomcat 8.5?




[Bug 56148] support (multiple) ocsp stapling

2019-08-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #11 from Mark Thomas  ---
It is on the TODO list but there are quite a few things ahead of it on the
list.




[Bug 56148] support (multiple) ocsp stapling

2019-08-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #10 from Azat  ---
(In reply to Mark Thomas from comment #9)
> The current status is what you see here. It will be implemented when someone
> provides a suitable patch.

Ok. Thanks, Mark. I understand that patches from the Tomcat community are
welcome, but is this item on your TODO list as well?




[Bug 56148] support (multiple) ocsp stapling

2019-08-13 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #9 from Mark Thomas  ---
The current status is what you see here. It will be implemented when someone
provides a suitable patch.




[Bug 56148] support (multiple) ocsp stapling

2019-08-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #8 from Azat  ---
(In reply to Mark Thomas from comment #6)
> This will need code changes in Tomcat Native. A rough outline of what is
> required is provided by:
> https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_tlsext_status_arg.html

Hi Mark! What's the current status of this? Any (approximate) timeline on when
someone could expect these changes to be implemented in Tomcat Native?




[Bug 56148] support (multiple) ocsp stapling

2019-07-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Azat  changed:

What | Removed | Added
-----+---------+----------------
CC   |         | usma...@ieml.ru




[Bug 56148] support (multiple) ocsp stapling

2019-06-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #7 from Christopher Schultz  ---
(In reply to Mark Thomas from comment #4)
> -Djdk.tls.server.enableStatusRequestExtension=true

Is this something that is possible via Tomcat configuration? Or is it only
possible via a system property, which may be required to be set quite early-on
in the JVM initialization?




[Bug 56148] support (multiple) ocsp stapling

2019-06-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #6 from Mark Thomas  ---
This will need code changes in Tomcat Native. A rough outline of what is
required is provided by:
https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_tlsext_status_arg.html




[Bug 56148] support (multiple) ocsp stapling

2019-06-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #5 from Mark Thomas  ---
Just switching implementations (no config changes)

NIO-OpenSSL - no stapling
APR-OpenSSL - no stapling

Next step is to look at OpenSSL config and API to see a) if this can be enabled
and b) what the options are for doing so.




[Bug 56148] support (multiple) ocsp stapling

2019-06-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #4 from Mark Thomas  ---
I can confirm this "just works" if you have a suitably configured certificate
(LetsEncrypt in my test), a Java version that supports it (JDK 11.0.3+7 in my
test), are using a JSSE based connector (NIO with JSSE in my test) and have set
the appropriate system property
(-Djdk.tls.server.enableStatusRequestExtension=true).

Confirmed with SSLLabs.

Next up is testing with an OpenSSL based connector.

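
Added example, not part of the thread or of Tomcat's code: one way to confirm from a Java 9+ client that a JSSE connector started with -Djdk.tls.server.enableStatusRequestExtension=true really staples, instead of relying on an external scanner. The class name StapleCheck and the default target localhost:8443 are assumptions; pass your own host and port.

```java
import java.util.List;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; StapleCheck is a hypothetical name, not Tomcat code.
public class StapleCheck {
    // OCSPResponseStatus values from RFC 6960, section 4.2.1 (4 is not used).
    static final String[] STATUS = {"successful", "malformedRequest", "internalError",
                                    "tryLater", "(unused)", "sigRequired", "unauthorized"};

    // Reads OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, ... } from DER.
    // Returns the status code, or -1 if the bytes do not start that way.
    static int responseStatus(byte[] der) {
        if (der.length < 5 || der[0] != 0x30) return -1;
        int i = 1;
        int len = der[i++] & 0xff;
        if (len >= 0x80) i += len & 0x7f;          // skip long-form length octets
        if (i + 2 >= der.length || der[i] != 0x0A || der[i + 1] != 0x01) return -1;
        return der[i + 2] & 0xff;
    }

    public static void main(String[] args) throws Exception {
        // Client-side counterpart of the server property; set before any TLS use.
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");
        String host = args.length > 0 ? args[0] : "localhost";          // assumed default
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;  // assumed default

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();   // throws if the certificate chain is not trusted
            List<byte[]> stapled =
                ((ExtendedSSLSession) socket.getSession()).getStatusResponses();
            if (stapled.isEmpty()) {
                System.out.println("no stapled OCSP response from " + host + ":" + port);
                System.exit(1);
            }
            for (byte[] der : stapled) {
                int code = responseStatus(der);
                String name = code >= 0 && code < STATUS.length ? STATUS[code] : "unparseable";
                System.out.println(der.length + " bytes, responseStatus=" + name);
            }
        }
    }
}
```

The exit code is 1 when nothing was stapled, so the check can run in a deployment pipeline for certificates issued with the must-staple extension.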



[Bug 56148] support (multiple) ocsp stapling

2018-06-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

jfclere  changed:

What | Removed | Added
-----+---------+------------------
CC   |         | jfcl...@gmail.com




[Bug 56148] support (multiple) ocsp stapling

2018-06-04 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

--- Comment #3 from Christopher Schultz  ---
Looks like Java 9 has OCSP stapling[1]. See slide 47. Looks like you can just
set a system preference and magically you get OCSP stapling.

[1]
https://cdn.app.compendium.com/uploads/user/e7c690e8-6ff9-102a-ac6d-e4aebca50425/f4a5b21d-66fa-4885-92bf-c4e81c06d916/File/3c93ea22f64e8a22f67d65c46613c466/j1_2015_con6710.pdf




[Bug 56148] support (multiple) ocsp stapling

2015-10-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Ralf Hauser  changed:

What | Removed | Added
-----+---------+---------------
CC   |         | hau...@acm.org

--- Comment #2 from Ralf Hauser  ---
see also
https://community.letsencrypt.org/t/ocsp-uri-http-ocsp-comodoca-com-why-not-https/2135




[Bug 56148] support (multiple) ocsp stapling

2014-03-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56148

Violeta Georgieva  changed:

What     | Removed | Added
---------+---------+------------
Severity | normal  | enhancement




[Bug 56148] support (multiple) ocsp stapling

2014-02-18 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56148

Mark Thomas  changed:

What | Removed | Added
-----+---------+------
OS   |         | All

--- Comment #1 from Mark Thomas  ---
Support for this in the BIO and NIO connectors is going to have to wait until
Java provides the support. I don't see it in Java 8 which means that it is
likely to be at least Java 9.

It should be possible to do something for APR/native.
