On 14/10/18 18:45, Усманов Азат Анварович wrote:
> Hello everyone! I have a Java 7 web app running on Tomcat 7 with
> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP
> stapling on Tomcat so that:
>
> When OCSP is enabled, a server will pre-fetch the OCSP response for its own
> certificate and deliver the response to the user's browser during the TLS
> handshake. This eliminates the need to make a separate connection to the CA's
> revocation service before the Web page is displayed, improving the page's
> performance and reliability.
>
> I did search the mailing list and found this question
> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
> but that user is using the JSSE implementation for TLS, not APR.
>
> The documentation for Tomcat 7 does have an example:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            secure="true" scheme="https"
>            SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>            SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>            SSLCACertificateFile="/path/to/ca.pem"
>            SSLVerifyClient="require"
>            SSLVerifyDepth="10"
>            clientAuth="true"/>
>
> but that is for client-cert verification. Can we do it on the server side? Or do
> I miss something on how OCSP is supposed to work in the first place?
If you build an OCSP enabled version of the APR/native connector, OCSP
stapling should just happen without any additional configuration. Assuming
you use an appropriate certificate etc.

Mark
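Once the native library is built with OCSP support, the practical question is whether the server really staples a response. The following shell check is an added example, not code from this thread: it classifies the output of `openssl s_client -connect host:8443 -status` (host and port are placeholders), and the sample outputs embedded below are constructed and abridged.

```shell
#!/bin/sh
# Classify the OCSP section of `openssl s_client -status` output.
# Live use (not run here):
#   ocsp_staple_status "$(openssl s_client -connect host:8443 -status </dev/null 2>&1)"
set -e

ocsp_staple_status() {
    # $1: captured s_client output.
    # Prints one of: none | stapled:good | stapled:revoked | stapled:unknown
    case $1 in
        *"OCSP response: no response sent"*) echo none; return ;;
        *"OCSP Response Status: successful"*) ;;   # a staple was delivered
        *) echo none; return ;;                    # no OCSP block at all
    esac
    # A stapled response is only useful if it says the cert is good;
    # a stapled "revoked" status is a finding, not a success.
    case $1 in
        *"Cert Status: good"*)    echo stapled:good ;;
        *"Cert Status: revoked"*) echo stapled:revoked ;;
        *)                        echo stapled:unknown ;;
    esac
}

# Constructed, abridged s_client output: server staples a "good" response.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
depth=0 CN = example.org'

# Constructed: stapling not active (the typical symptom of a non-OCSP build).
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.org'

# Constructed: a staple is delivered but reports the certificate as revoked.
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
depth=0 CN = example.org'

ocsp_staple_status "$SAMPLE_STAPLED"   # prints: stapled:good
```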