Re: OCSP Connector on Tomcat 8.5 not working
On 11/07/2019 21:18, Michael Magnuson wrote:
> Thanks Mark. I would like to deny access if an unknown response is received.

Understood. Please open an enhancement request in Bugzilla to deny a request if an unknown OCSP response is received.

http://tomcat.apache.org/bugreport.html

It is going to require changes in both Tomcat and Tomcat Native. Probably best to open it against Tomcat 9.

Thanks,

Mark

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: OCSP Connector on Tomcat 8.5 not working
Thanks Mark. I would like to deny access if an unknown response is received.

From: Mark Thomas
Sent: Thursday, July 11, 2019 12:59 PM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 11/07/2019 17:46, Michael Magnuson wrote:
> The OCSP function is working as expected for both "good" and "revoked"
> responses. However, I find that it also allows "unknown" responses. Is the
> "unknown" response behavior adjustable?

The relevant code is:

    else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
        /* TODO: do nothing for time being */

So, not at the moment.

What behaviour would you like to see / do you think there should be?

Mark

> Thanks,
> Mike
Re: OCSP Connector on Tomcat 8.5 not working
On 11/07/2019 17:46, Michael Magnuson wrote:
> The OCSP function is working as expected for both "good" and "revoked"
> responses. However, I find that it also allows "unknown" responses. Is the
> "unknown" response behavior adjustable?

The relevant code is:

    else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
        /* TODO: do nothing for time being */

So, not at the moment.

What behaviour would you like to see / do you think there should be?

Mark

> Thanks,
> Mike
Re: OCSP Connector on Tomcat 8.5 not working
The OCSP function is working as expected for both "good" and "revoked" responses. However, I find that it also allows "unknown" responses. Is the "unknown" response behavior adjustable?

Thanks,
Mike

From: Michael Magnuson
Sent: Friday, June 28, 2019 10:38 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

Mark, I was able to get this working. Thank you again for all your help. The fix happened when I concatenated both the intermediate CA certificate and the root CA certificate into a single PEM file, and used it for the caCertificate= attribute.
Re: OCSP Connector on Tomcat 8.5 not working
Mark, I was able to get this working. Thank you again for all your help. The fix happened when I concatenated both the intermediate CA certificate and the root CA certificate into a single PEM file, and used it for the caCertificate= attribute.

From: Mark Thomas
Sent: Tuesday, June 25, 2019 12:41 PM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 25/06/2019 20:22, Michael Magnuson wrote:
> Mark, thanks for the further clarification. With that setup, it prompts for
> the smart card PIN and you can select your certificate, but then nothing
> happens. The only way I can get it to successfully open the page is if I
> also add the attributes trustStoreFile= and trustStorePass= but still no OCSP
> action.

Can you post your current configuration please.

Please also list the certificate(s) in each of the keystores / PEM files.

I'm wondering if the chain from the server to the CA is missing.

Mark
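The fix reported above, the intermediate and root CA certificates concatenated into one PEM file for caCertificateFile, can be reproduced offline with the openssl command line. The script below is an added example, not code from the thread or from Tomcat; it builds a throwaway root/intermediate/client hierarchy with constructed names in a temp directory and assumes an openssl CLI (1.1.1 or later) on PATH.

```sh
#!/bin/sh
# Added example (not from the thread or Tomcat). Tomcat's caCertificateFile is
# the trust store OpenSSL uses to verify client certs. If it holds only the
# intermediate, or only the root, no complete chain can be built for a client
# cert issued by the intermediate; a bundle of both works. All names below are
# constructed for the demo.
set -e

# Build root -> intermediate -> client in directory $1 using only the openssl CLI.
make_demo_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # Client certificate (what a smart card would present), signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/client.ext" -out "$d/client.pem" 2>/dev/null
}

# Emulate client-cert verification against a candidate caCertificateFile ($1):
# prints "ok" when $2 chains to a self-signed anchor found in $1, "fail" otherwise.
verify_client_against() {
    if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

DEMO_DIR="$(mktemp -d)"
make_demo_pki "$DEMO_DIR"
# The fix from the thread: intermediate and root concatenated into one PEM file.
cat "$DEMO_DIR/int.pem" "$DEMO_DIR/root.pem" > "$DEMO_DIR/ca-bundle.pem"

RESULT_INT_ONLY="$(verify_client_against "$DEMO_DIR/int.pem" "$DEMO_DIR/client.pem")"
RESULT_ROOT_ONLY="$(verify_client_against "$DEMO_DIR/root.pem" "$DEMO_DIR/client.pem")"
RESULT_BUNDLE="$(verify_client_against "$DEMO_DIR/ca-bundle.pem" "$DEMO_DIR/client.pem")"

echo "caCertificateFile = intermediate only : $RESULT_INT_ONLY"
echo "caCertificateFile = root only         : $RESULT_ROOT_ONLY"
echo "caCertificateFile = intermediate+root : $RESULT_BUNDLE"
rm -rf "$DEMO_DIR"
```

Only the bundle verifies; with the intermediate alone OpenSSL cannot reach a self-signed anchor, and with the root alone it cannot find the client certificate's issuer.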
Re: OCSP Connector on Tomcat 8.5 not working
On 25/06/2019 20:22, Michael Magnuson wrote:
> Mark, thanks for the further clarification. With that setup, it prompts for
> the smart card PIN and you can select your certificate, but then nothing
> happens. The only way I can get it to successfully open the page is if I
> also add the attributes trustStoreFile= and trustStorePass= but still no OCSP
> action.

Can you post your current configuration please.

Please also list the certificate(s) in each of the keystores / PEM files.

I'm wondering if the chain from the server to the CA is missing.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
Mark, thanks for the further clarification. With that setup, it prompts for the smart card PIN and you can select your certificate, but then nothing happens. The only way I can get it to successfully open the page is if I also add the attributes trustStoreFile= and trustStorePass= but still no OCSP action.

From: Mark Thomas
Sent: Tuesday, June 25, 2019 11:33 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 25/06/2019 19:24, Michael Magnuson wrote:
> Oh I see. I was trying to use those fields for the OCSP responder
> information. Thanks for the clarification.

You shouldn't need to explicitly define that. The assumption is that the OCSP response has a trust chain that leads back to the same trusted root as the client certs.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
On 25/06/2019 19:24, Michael Magnuson wrote:
> Oh I see. I was trying to use those fields for the OCSP responder
> information. Thanks for the clarification.

You shouldn't need to explicitly define that. The assumption is that the OCSP response has a trust chain that leads back to the same trusted root as the client certs.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
Oh I see. I was trying to use those fields for the OCSP responder information. Thanks for the clarification.

Mike

From: Mark Thomas
Sent: Tuesday, June 25, 2019 11:03 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 25/06/2019 18:04, Michael Magnuson wrote:
> Mark, are you defining your server SSL certificate someplace else, other than
> within the connector in server.xml?

No.

> From your example connector config, I'm not seeing it defined.

    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <SSLHostConfig caCertificateFile="conf/ca-rsa-cert.pem"
                       certificateRevocationListFile="conf/crl.pem">
            <Certificate certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Server key is defined by certificateKeyFile
Server cert is defined by certificateFile
Server cert chain is defined by certificateChainFile

Mark
Re: OCSP Connector on Tomcat 8.5 not working
On 25/06/2019 18:04, Michael Magnuson wrote:
> Mark, are you defining your server SSL certificate someplace else, other than
> within the connector in server.xml?

No.

> From your example connector config, I'm not seeing it defined.

    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <SSLHostConfig caCertificateFile="conf/ca-rsa-cert.pem"
                       certificateRevocationListFile="conf/crl.pem">
            <Certificate certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Server key is defined by certificateKeyFile
Server cert is defined by certificateFile
Server cert chain is defined by certificateChainFile

Mark
Re: OCSP Connector on Tomcat 8.5 not working
Mark, are you defining your server SSL certificate someplace else, other than within the connector in server.xml? From your example connector config, I'm not seeing it defined.

From: Mark Thomas
Sent: Monday, June 24, 2019 1:54 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 21/06/2019 17:12, Michael Magnuson wrote:
> Can I point certificateRevocationListFile= to an empty file so it always
> reverts to OCSP?

Just don't specify it at all. I've confirmed this locally.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
On 21/06/2019 17:12, Michael Magnuson wrote:
> Can I point certificateRevocationListFile= to an empty file so it always
> reverts to OCSP?

Just don't specify it at all. I've confirmed this locally.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
Can I point certificateRevocationListFile= to an empty file so it always reverts to OCSP?

From: Mark Thomas
Sent: Friday, June 21, 2019 9:10 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 21/06/2019 16:46, Michael Magnuson wrote:
> Thanks. Is that setup using a CRL instead of OCSP?

It will work with either/both. I had a local OCSP responder running with OpenSSL so I could monitor the requests and responses. OCSP was working correctly. It rejected a cert that had been invalidated that wasn't in the CRL.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
On 21/06/2019 16:46, Michael Magnuson wrote:
> Thanks. Is that setup using a CRL instead of OCSP?

It will work with either/both. I had a local OCSP responder running with OpenSSL so I could monitor the requests and responses. OCSP was working correctly. It rejected a cert that had been invalidated that wasn't in the CRL.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
Thanks. Is that setup using a CRL instead of OCSP?

From: Mark Thomas
Sent: Friday, June 21, 2019 8:44 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 21/06/2019 16:31, Michael Magnuson wrote:
> Hmm. It's still not working at all for me. Can you post your SSL connector
> configuration?

    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <SSLHostConfig caCertificateFile="conf/ca-rsa-cert.pem"
                       certificateRevocationListFile="conf/crl.pem">
            <Certificate certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Mark

> From: Mark Thomas
> Sent: Thursday, June 20, 2019 11:36 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 20/06/2019 18:50, Mark Thomas wrote:
>> On 20/06/2019 18:27, Michael Magnuson wrote:
>>> Thanks Mark. A couple clarifications on your example first. You don't
>>> list the clientAuth= attribute. I assume this was a simple oversight.
>>
>> It is replaced by certificateVerification="required"
>>
>>> You list the SSLEnabled="true" attribute twice. Should one of these be
>>> secure="true"?
>>
>> It should.
>>
>>> For the certificateVerification= attribute, is the correct syntax
>>> "require" or "required"?
>>
>> "required"
>>
>> Setting up an OCSP responder locally is next on my TODO list. I'll
>> report back with the results.
>
> Works as expected.
>
> Mark
>
>> Mark
>>
>>> Thanks,
>>> Mike
>>>
>>> From: Mark Thomas
>>> Sent: Thursday, June 20, 2019 10:00 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>>
>>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>>> Mark,
>>>>
>>>> Thank you for your replies and help.
>>>>
>>>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>>>
>>> Let's assume it has been. I think that is a safe assumption for now.
>>>
>>>> Removing the element had no negative effect. I originally
>>>> put it in there following this guide:
>>>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>>>
>>> Hmm. We might need to revisit that. It looks "odd".
>>>
>>>> Without the trustStore attributes, it prompts for the smart card PIN and
>>>> you can select the cert you want to use, but then it doesn't do anything
>>>> from there. With those attributes present, Tomcat serves up the expected
>>>> page after PIN+cert.
>>>
>>> Interesting. That suggests Tomcat is using the trustStore to validate
>>> the client certs.
>>>
>>> I've looked at this again and the config is more mixed up than I first
>>> realised. Let's get that fixed first.
>>>
>>>> Changing clientAuth to "required" from "want" has no effect either way.
>>>
>>> OK. Let's leave it on required for now since that takes one variable out
>>> of the equation.
>>>
>>> Back to the config. I'm going to try and convert everything to the new
>>> style format.
>>>
>>>     <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>                maxThreads="150"
>>>                SSLEnabled="true"
>>>                scheme="https"
>>>                SSLEnabled="true" >
>>>         <SSLHostConfig certificateVerification="required"
>>>                        caCertificateFile="path_to_ca_file">
>>>             <Certificate certificateKeyFile="path_to_server.key"
>>>                          certificateKeyPassword="password"
>>>                          certificateChainFile="path_to_chain" />
>>>         </SSLHostConfig>
>>>     </Connector>
>>>
>>> I have removed settings that are the same as the defaults.
>>> SSLCertificateChainFile isn't a recognised attribute.
>>>
>>> I opted for the OpenSSL style store for trusted CA certs. That probably
>>> means you need to export the trusted certs from your trustStoreFile to a
>>> PEM encoded file for caCertificate
Re: OCSP Connector on Tomcat 8.5 not working
On 21/06/2019 16:31, Michael Magnuson wrote:
> Hmm. It's still not working at all for me. Can you post your SSL connector
> configuration?

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: OCSP Connector on Tomcat 8.5 not working
Hmm. It's still not working at all for me. Can you post your SSL connector
configuration?

From: Mark Thomas
Sent: Thursday, June 20, 2019 11:36 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 20/06/2019 18:50, Mark Thomas wrote:
> Setting up an OCSP responder locally is next on my TODO list. I'll
> report back with the results.

Works as expected.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
On 20/06/2019 18:50, Mark Thomas wrote:
> On 20/06/2019 18:27, Michael Magnuson wrote:
>> Thanks Mark. A couple clarifications on your example first. You don't list
>> the clientAuth= attribute. I assume this was a simple oversight.
>
> It is replaced by certificateVerification="required"
>
>> You list the SSLEnabled="true" attribute twice. Should one of these be
>> secure="true"?
>
> It should.
>
>> For the certificateVerification= attribute, is the correct syntax "require"
>> or "required"?
>
> "required"
>
> Setting up an OCSP responder locally is next on my TODO list. I'll
> report back with the results.

Works as expected.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
On 20/06/2019 18:27, Michael Magnuson wrote:
> Thanks Mark. A couple clarifications on your example first. You don't list
> the clientAuth= attribute. I assume this was a simple oversight.

It is replaced by certificateVerification="required"

> You list the SSLEnabled="true" attribute twice. Should one of these be
> secure="true"?

It should.

> For the certificateVerification= attribute, is the correct syntax "require"
> or "required"?

"required"

Setting up an OCSP responder locally is next on my TODO list. I'll
report back with the results.

Mark
Re: OCSP Connector on Tomcat 8.5 not working
Thanks Mark. A couple clarifications on your example first. You don't list
the clientAuth= attribute. I assume this was a simple oversight.

You list the SSLEnabled="true" attribute twice. Should one of these be
secure="true"?

For the certificateVerification= attribute, is the correct syntax "require"
or "required"?

Thanks,
Mike

From: Mark Thomas
Sent: Thursday, June 20, 2019 10:00 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working
Re: OCSP Connector on Tomcat 8.5 not working
On 20/06/2019 17:24, Michael Magnuson wrote:
> Mark,
>
> Thank you for your replies and help.
>
> I'm not sure how to verify that Tomcat Native was built with OCSP support?

Let's assume it has been. I think that is a safe assumption for now.

> Removing the <Certificate> element had no negative effect. I originally put
> it in there following this guide:
> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector

Hmm. We might need to revisit that. It looks "odd".

> Without the trustStore attributes, it prompts for the smart card PIN and you
> can select the cert you want to use, but then it doesn't do anything from
> there. With those attributes present, Tomcat serves up the expected page
> after PIN+cert.

Interesting. That suggests Tomcat is using the trustStore to validate
the client certs.

I've looked at this again and the config is more mixed up than I first
realised. Let's get that fixed first.

> Changing clientAuth to "required" from "want" has no effect either way.

OK. Let's leave it on required for now since that takes one variable out
of the equation.

Back to the config. I'm going to try and convert everything to the new
style format.

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           SSLEnabled="true" >
    <SSLHostConfig certificateVerification="required"
                   caCertificateFile="path_to_ca_file">
        <Certificate certificateFile="path_to_server.crt"
                     certificateKeyFile="path_to_server.key"
                     certificateKeyPassword="password"
                     certificateChainFile="path_to_chain" />
    </SSLHostConfig>
</Connector>

I have removed settings that are the same as the defaults.
SSLCertificateChainFile isn't a recognised attribute.

I opted for the OpenSSL style store for trusted CA certs. That probably
means you need to export the trusted certs from your trustStoreFile to a
PEM encoded file for caCertificateFile.

For the purposes of the test, you only need to export the cert that
issued the cert used by the client.

I'm wondering if the slightly odd trust store config was causing
problems. We really need more logging in Tomcat Native to figure that
sort of thing out.

I also think I need to get OCSP working with client certs locally so I
can test it as well. I'll add that to my TODO list.

Mark
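The PEM file handed to caCertificateFile is what OpenSSL uses to build the client certificate's chain, so a quick offline check that the bundle actually closes the chain is worth having before testing OCSP. The script below is an added example, not code from Tomcat, Tomcat Native or this thread: it splits a PEM bundle into certificates, walks from the client certificate's issuer name to the matching subject name in the bundle and on upwards until it reaches a self-signed certificate, and reports whether it got there. Names are compared as raw DER bytes, which is how the lookup matches them in practice; signatures are not checked (that is what openssl verify -CAfile does). The certificates in the block are constructed X.509-shaped skeletons carrying only the fields the walk reads, so it runs offline; point chain_status at your real client certificate and caCertificateFile to do the actual check. Because OpenSSL's default verification must reach a self-signed root, a bundle that holds only the issuing CA comes back as incomplete.

```python
"""Check that a caCertificateFile PEM bundle holds the issuer chain for a client cert.

Added example, not Tomcat code. It matches issuer -> subject by comparing the
DER-encoded Name fields and stops at a self-signed certificate. No signature
checks are done here; use openssl verify -CAfile for that.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(text):
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(text)]


def _tlv(buf, off):
    """Decode one DER tag/length at buf[off:]; return (tag, content_start, end)."""
    tag = buf[off]
    length = buf[off + 1]
    pos = off + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def names(der):
    """Return (issuer, subject) as the raw DER Name encodings of an X.509 certificate."""
    _, tbs_off, _ = _tlv(der, 0)           # Certificate SEQUENCE
    _, off, _ = _tlv(der, tbs_off)         # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, off)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        off = end
    _, _, off = _tlv(der, off)             # serialNumber
    _, _, off = _tlv(der, off)             # signature AlgorithmIdentifier
    _, _, end = _tlv(der, off)             # issuer Name
    issuer = der[off:end]
    off = end
    _, _, off = _tlv(der, off)             # validity
    _, _, end = _tlv(der, off)             # subject Name
    return issuer, der[off:end]


def chain_status(client_pem, bundle_pem):
    """Walk from the client certificate up through the bundle.

    Returns (complete, chain): chain lists short SHA-256 fingerprints of the
    bundle certificates used, in order; complete is True only when the walk
    reaches a self-signed certificate (issuer == subject) inside the bundle.
    """
    by_subject = {}
    for der in pem_to_ders(bundle_pem):
        by_subject.setdefault(names(der)[1], der)
    issuer, _ = names(pem_to_ders(client_pem)[0])
    chain, seen = [], set()
    while issuer not in seen:
        seen.add(issuer)
        ca = by_subject.get(issuer)
        if ca is None:
            return False, chain            # issuer not in the bundle: chain is incomplete
        chain.append(hashlib.sha256(ca).hexdigest()[:16])
        issuer, subject = names(ca)
        if issuer == subject:
            return True, chain             # self-signed root reached
    return False, chain                    # cycle without ever reaching a root


# ---- constructed sample input: X.509-shaped DER skeletons, NOT real certificates ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName (2.5.4.3), UTF8String cn } } }"""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def _skeleton_cert(subject_cn, issuer_cn):
    """Only version, serial, empty algorithm, issuer, empty validity, subject; no signature."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))
    return _der(0x30, _der(0x30, tbs))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


ROOT = _skeleton_cert("Example Root CA", "Example Root CA")
INTERMEDIATE = _skeleton_cert("Example Issuing CA", "Example Root CA")
CLIENT_PEM = _pem(_skeleton_cert("smartcard user", "Example Issuing CA"))
ISSUER_ONLY = _pem(INTERMEDIATE)                  # bundle with just the issuing CA
ISSUER_AND_ROOT = _pem(INTERMEDIATE) + _pem(ROOT)  # intermediate and root concatenated

if __name__ == "__main__":
    for label, bundle in (("issuer only", ISSUER_ONLY), ("issuer + root", ISSUER_AND_ROOT)):
        print(label, chain_status(CLIENT_PEM, bundle))
```

To use it on a real deployment, read the client certificate exported from the card and the caCertificateFile bundle with open(...).read() and pass the two strings to chain_status; a False result with a short chain tells you which link is missing from the bundle.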
Re: OCSP Connector on Tomcat 8.5 not working
Mark,

Thank you for your replies and help.

I'm not sure how to verify that Tomcat Native was built with OCSP support?

Removing the <Certificate> element had no negative effect. I originally put
it in there following this guide:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector

Without the trustStore attributes, it prompts for the smart card PIN and you
can select the cert you want to use, but then it doesn't do anything from
there. With those attributes present, Tomcat serves up the expected page
after PIN+cert.

Changing clientAuth to "required" from "want" has no effect either way.

Mike

From: Mark Thomas
Sent: Thursday, June 20, 2019 9:02 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working
Re: OCSP Connector on Tomcat 8.5 not working
On 20/06/2019 16:19, Michael Magnuson wrote:
> Mark,
>
> Tomcat version 8.5.41 and TCNative version 1.2.21.

There is an OCSP related bug in 1.2.21 but that should not affect you
since the client certs have a responder URL.

8.5.41 isn't the latest but there aren't any OCSP related changes in
8.5.42 or any known bugs I can think of so you should be OK there as well.

I'm assuming that Tomcat Native was built with OCSP support. That is the
default on Linux and I can't think of a good reason why it would be
explicitly disabled.

>> My connector configuration is as follows:
>>
>> <Connector
>>            maxThreads="150" SSLEnabled="true"
>>            scheme="https" SSLEnabled="true"
>>            SSLCertificateFile="path_to_server.crt"
>>            SSLCertificateKeyFile="path_to_server.key"
>>            SSLPassword="password"
>>            SSLCertificateChainFile="path_to_chain"
>>            SSLProtocol="TLSv1.1+TLSv1.2"
>>            clientAuth="want" trustStoreFile="path_to_truststore"
>>            trustStorePass="password"
>>            caCertificateFile="path_to_ca_file"
>>            certificateVerification="require"
>>            certificateVerificationDepth="10" >
>>     <Certificate certificateFile="path_to_OCSP_signing_cert"
>>                  certificateKeyFile="path_to_OCSP_public_key" />
>> </Connector>

That is a mix of deprecated 8.0.x style config and incorrect (you can't
nest a <Certificate> directly inside a <Connector>) 8.5.x onwards style
configuration. There also appears to be a few JSSE attributes
(trustStore*) amongst a lot of OpenSSL attributes. I'm surprised there
isn't something in the logs complaining about the configuration.

I'm not sure what the <Certificate> element is meant to be configuring.
Can you elaborate?

I'd first suggest:
- remove the <Certificate> element
- remove the trustStore* attributes
- re-test to ensure everything works as it did before those changes

Next I'd confirm that CLIENT-CERT is working as intended. The simplest
way is probably to set clientAuth="required" temporarily and make sure
that a) you are prompted for a cert and b) you can see the expected page
from Tomcat when you provide one.

If all that is working and still OCSP is not working then I don't have
any more ideas at this point.

Mark
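The problems listed above (8.0.x-style SSL* attributes and clientAuth on the Connector, JSSE trustStore* attributes mixed with OpenSSL ones, a <Certificate> nested directly in the <Connector>, an attribute that is not recognised at all) are easy to miss by eye in a long server.xml. The script below is an added example, not code from Tomcat or from this thread: it encodes those checks, plus the documented certificateVerification values, as a linter for a Connector fragment. The two sample configurations are constructed from the ones posted in this thread, with the <Connector>, <SSLHostConfig> and <Certificate> tags that the list archive stripped put back; the port attribute is left out because the posts do not show it, and the converted configuration uses secure="true" for the second SSLEnabled as agreed later in the thread. The duplicated SSLEnabled attribute in the original post is not something the linter needs a rule for: the XML parser rejects it on its own.

```python
"""Lint a Tomcat 8.5 <Connector> for the mix of 8.0.x-style, JSSE and misplaced
8.5-style TLS attributes discussed in this thread.

Added example, not Tomcat's code. Checks: clientAuth and SSL* attributes on the
Connector (8.0.x style), the unrecognised SSLCertificateChainFile, SSLHostConfig
attributes placed on the Connector, a <Certificate> nested directly in
<Connector>, JSSE trustStore* attributes mixed with OpenSSL ones, and
certificateVerification values outside the documented set.
"""
import xml.etree.ElementTree as ET

# 8.0.x-style SSL* attributes; 8.5 moves their function to <SSLHostConfig>/<Certificate>
OLD_STYLE_ATTRS = {
    "SSLCertificateFile", "SSLCertificateKeyFile", "SSLPassword", "SSLProtocol",
    "SSLCertificateChainFile", "SSLCACertificateFile", "SSLVerifyClient",
}
UNRECOGNISED_ATTRS = {"SSLCertificateChainFile"}   # not accepted at all, per the thread
SSLHOSTCONFIG_ATTRS = {
    "caCertificateFile", "caCertificatePath",
    "certificateVerification", "certificateVerificationDepth",
}
JSSE_TRUST_ATTRS = {"trustStoreFile", "trustStorePass", "trustStoreType"}
OPENSSL_TRUST_ATTRS = {"caCertificateFile", "caCertificatePath"}
VERIFICATION_VALUES = {"none", "optional", "optionalNoCA", "required"}


def lint_connector(xml_text):
    """Return a list of findings for the first <Connector> in xml_text; [] means clean."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as e:
        # Tomcat's XML parser would reject this too, e.g. SSLEnabled given twice
        return [f"not well-formed XML: {e}"]
    connector = root if root.tag == "Connector" else root.find(".//Connector")
    if connector is None:
        return ["no <Connector> element found"]

    findings = []
    attrs = set(connector.attrib)
    if "clientAuth" in attrs:
        findings.append("clientAuth on <Connector> is 8.0.x style; use "
                        "certificateVerification on <SSLHostConfig> instead")
    for name in sorted(OLD_STYLE_ATTRS & attrs):
        if name in UNRECOGNISED_ATTRS:
            findings.append(f"{name} is not a recognised attribute")
        else:
            findings.append(f"{name} on <Connector> is 8.0.x style; use the "
                            "<SSLHostConfig>/<Certificate> equivalent")
    misplaced = sorted(SSLHOSTCONFIG_ATTRS & attrs)
    if misplaced:
        findings.append(f"{', '.join(misplaced)} belong on <SSLHostConfig>, not <Connector>")
    if connector.find("Certificate") is not None:     # direct child only
        findings.append("<Certificate> must be nested inside <SSLHostConfig>, "
                        "not directly inside <Connector>")
    # attribute names across the Connector and everything nested in it
    all_names = {n for el in connector.iter() for n in el.attrib}
    if all_names & JSSE_TRUST_ATTRS and all_names & (OPENSSL_TRUST_ATTRS | OLD_STYLE_ATTRS):
        findings.append("JSSE trustStore* attributes mixed with OpenSSL attributes; "
                        "drop trustStore* and use caCertificateFile")
    for el in [connector] + connector.findall("SSLHostConfig"):
        value = el.attrib.get("certificateVerification")
        if value is not None and value not in VERIFICATION_VALUES:
            findings.append(f'certificateVerification="{value}" is not a documented '
                            f"value; use one of {sorted(VERIFICATION_VALUES)}")
    return findings


# Constructed from the connector posted at the start of the thread; the stripped
# <Connector>/<Certificate> tags are restored, port is omitted (not shown in the post).
POSTED = """
<Connector maxThreads="150" SSLEnabled="true"
           scheme="https" SSLEnabled="true"
           SSLCertificateFile="path_to_server.crt"
           SSLCertificateKeyFile="path_to_server.key"
           SSLPassword="password"
           SSLCertificateChainFile="path_to_chain"
           SSLProtocol="TLSv1.1+TLSv1.2"
           clientAuth="want" trustStoreFile="path_to_truststore"
           trustStorePass="password"
           caCertificateFile="path_to_ca_file"
           certificateVerification="require"
           certificateVerificationDepth="10" >
    <Certificate certificateFile="path_to_OCSP_signing_cert"
                 certificateKeyFile="path_to_OCSP_public_key" />
</Connector>
"""
# Same config with the duplicated SSLEnabled turned into secure="true" so it parses
POSTED_PARSEABLE = POSTED.replace('scheme="https" SSLEnabled="true"',
                                  'scheme="https" secure="true"')
# The converted configuration from later in the thread, second SSLEnabled -> secure
CONVERTED = """
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true" >
    <SSLHostConfig certificateVerification="required"
                   caCertificateFile="path_to_ca_file">
        <Certificate certificateFile="path_to_server.crt"
                     certificateKeyFile="path_to_server.key"
                     certificateKeyPassword="password"
                     certificateChainFile="path_to_chain" />
    </SSLHostConfig>
</Connector>
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("posted, parseable", POSTED_PARSEABLE),
                       ("converted", CONVERTED)):
        print(f"== {label}")
        for finding in lint_connector(cfg) or ["clean"]:
            print("  -", finding)
```

Run it against your own server.xml by passing the file contents to lint_connector; an empty list means the fragment is in the 8.5 form with no JSSE/OpenSSL mixing, which is the state Mark's suggested steps are meant to reach before OCSP is looked at again.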
Re: OCSP Connector on Tomcat 8.5 not working
Mark,

Tomcat version 8.5.41 and TCNative version 1.2.21.

Mike Magnuson | Semper Valens Solutions, Inc.
DCGS-A Fixed Systems Engineer
Phone: (520) 263-0759
Email: mmagnu...@sempervalens.com
http://www.sempervalens.com/
ISO 9001:2015 | CMMI DEV /3

From: Mark Thomas
Sent: Thursday, June 20, 2019 3:33 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

Tomcat version?

Tomcat Native version?

Mark
Re: OCSP Connector on Tomcat 8.5 not working
Tomcat version?

Tomcat Native version?

Mark

On 19/06/2019 23:46, Michael Magnuson wrote:
> Hi,
>
> I'm running Tomcat 8.5 on RHEL 7.6. I'm successfully using client
> certificate validation from the smart card, but I would like to add
> client-cert OCSP revocation checking. I *think* I've set up the connector
> correctly in the server.xml file, but although the server starts and operates
> fine with no errors in the logs, it is not sending any sort of OCSP traffic.
> The user certs do have the responder URL in the AIA field.
>
> I'm fairly new to this, so I ask some of you more knowledgeable folks to
> please review my connector configuration and point out if something is wrong,
> or missing, or if there's a setting some place else that I need to turn on.
>
> My connector configuration is as follows:
>
> <Connector
>            maxThreads="150" SSLEnabled="true"
>            scheme="https" SSLEnabled="true"
>            SSLCertificateFile="path_to_server.crt"
>            SSLCertificateKeyFile="path_to_server.key"
>            SSLPassword="password"
>            SSLCertificateChainFile="path_to_chain"
>            SSLProtocol="TLSv1.1+TLSv1.2"
>            clientAuth="want" trustStoreFile="path_to_truststore"
>            trustStorePass="password"
>            caCertificateFile="path_to_ca_file"
>            certificateVerification="require"
>            certificateVerificationDepth="10" >
>     <Certificate certificateFile="path_to_OCSP_signing_cert"
>                  certificateKeyFile="path_to_OCSP_public_key" />
> </Connector>