What, if anything, needs to be configured to ENABLE (preferably REQUIRE) Tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat 8.5.38 using OpenSSL? (Will this work with NIO2?)
1) Using OpenSSL (the tc-native-1.dll binary for Windows, compiled with OCSP support - the X64 dll from tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip). I'd prefer to have this working with OpenSSL for a couple of reasons.

2) Using JSSE (Java 8 (1.8.0_202)) with the NIO2 connector (I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java options for the Tomcat service).

I can't see anything indicating OCSP checks in the logs for either. (The logs do indicate the OpenSSL for JSSE: by adding -Djavax.net.debug=ssl to the Java options for the Tomcat service I see logging in tomcat8-stdout(date).log for key & trust stores being loaded, etc., the server requesting a client cert, the client cert being received and a trusted root being found for it ("Found trusted certificate:"), but nothing about revocation checking. I do see "check handshake state: certificate_verify[15]" and "update handshake state: certificate_verify[15]", but I'm not sure that's revocation checking.)

For OpenSSL, I'm not sure how to enable equivalent logging. By enabling pretty much ALL the logging (org.apache.coyote.http2.level=ALL, org.apache.level=ALL, org.apache.catalina.session.level=ALL) I can see the truststore being loaded ("Added client CA cert") but not much else about certificates.

Wireshark shows me OCSP calls for the SERVER cert, presumably from the browser (Firefox). (I'm testing this on a personal computer, Tomcat and browser on the same computer.) If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing them.
The Connector part of the server.xml file is (IP address and server name etc. removed):

    <Connector address="a.b.c.d" port="443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig protocols="+TLSv1.2+TLSv1.3"
                       honorCipherOrder="true"
                       certificateVerification="REQUIRED"
                       truststoreFile="C:/certs/trustStore.pfx"
                       truststoreType="PKCS12"
                       truststorePassword="abcdef">
            <Certificate certificateKeystoreFile="C:/certs/(server).pfx"
                         certificateKeystoreType="PKCS12"
                         certificateKeystorePassword="abcdef" />
        </SSLHostConfig>
    </Connector>
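As an added illustration (not part of the question above, and not a verified fix for it), the same SSLHostConfig with the JSSE-only revocationEnabled attribute set, which is how Tomcat 8.5's JSSE path is told to build a revocation-checking trust manager; the values a.b.c.d, (server).pfx and abcdef are the placeholders from the question.

```xml
<!-- Added example, not the poster's configuration: JSSE (Http11Nio2Protocol) with
     client-certificate revocation checking turned on. revocationEnabled is a
     JSSE-only SSLHostConfig attribute and has no effect on the OpenSSL/tc-native path. -->
<Connector address="a.b.c.d" port="443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig protocols="+TLSv1.2+TLSv1.3"
                   honorCipherOrder="true"
                   certificateVerification="REQUIRED"
                   revocationEnabled="true"
                   truststoreFile="C:/certs/trustStore.pfx"
                   truststoreType="PKCS12"
                   truststorePassword="abcdef">
        <Certificate certificateKeystoreFile="C:/certs/(server).pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="abcdef" />
    </SSLHostConfig>
</Connector>
```

With JSSE the JDK only fetches OCSP responses when the ocsp.enable security property is true (set in the JRE's java.security file, not as a -D system property), so revocation checking with neither that nor a CRL configured cannot complete. On either stack the client certificate must carry an OCSP responder URL in its Authority Information Access extension for there to be anything to query.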