On Mon, Oct 15, 2018 at 11:39 AM Mark Thomas <ma...@apache.org> wrote:
> On 15/10/18 16:20, Усманов Азат Анварович wrote:
> > How do I make sure OCSP is enabled on tomcat native?
> >
> > When I try to pass --enable-ocsp to tomcat native configure I get an
> > unrecognized option warning.
>
> As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to
> disable OCSP when building on Linux so you should be good with a
> standard build.
> +1, just build it and as long as the openssl version you're using supports it you're good.
>
> Mark
>
> > ./configure --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl --enable-ocsp
> > configure: WARNING: unrecognized options: --enable-ocsp
> > checking build system type... x86_64-pc-linux-gnu
> > checking host system type... x86_64-pc-linux-gnu
> > checking target system type... x86_64-pc-linux-gnu
> > checking for a BSD-compatible install... /usr/bin/install -c
> > checking for working mkdir -p... yes
> > Tomcat Native Version: 1.2.17
> > checking for chosen layout... tcnative
> > checking for APR... yes
> > configure: APR 1.6.5 detected.
> > setting CC to "gcc"
> > setting CPP to "gcc -E"
> > setting LIBTOOL to "/usr/local/apr/build-1/libtool"
> > checking JAVA_HOME... /usr/java/jdk1.7.0_79
> > adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
> > checking for JDK os include directory... linux
> > adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
> > checking for gcc... gcc
> > checking whether the C compiler works... yes
> > checking for C compiler default output file name... a.out
> > checking for suffix of executables...
> > checking whether we are cross compiling... no
> > checking for suffix of object files... o
> > checking whether we are using the GNU C compiler... yes
> > checking whether gcc accepts -g... yes
> > checking for gcc option to accept ISO C89... none needed
> > checking for OpenSSL library... using openssl from /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
> > checking OpenSSL library version >= 1.0.2... ok
> > checking for OpenSSL DSA support... yes
> > adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
> > setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
> > adding "-DHAVE_OPENSSL" to CFLAGS
> > setting TCNATIVE_LIBS to ""
> > setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt -lpthread"
> > checking for apr_pollset_wakeup in -lapr-1... yes
> > adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
> > configure: creating ./config.status
> > config.status: creating tcnative.pc
> > config.status: creating Makefile
> > config.status: executing default commands
> > configure: WARNING: unrecognized options: --enable-ocsp
> >
> > ________________________________
> > From: Mark Thomas <ma...@apache.org>
> > Sent: 15 October 2018 15:01:58
> > To: users@tomcat.apache.org
> > Subject: Re: OCSP stapling in tomcat 7 with APR
> >
> > On 14/10/18 18:45, Усманов Азат Анварович wrote:
> >> Hello everyone! I have a Java 7 web app running on Tomcat 7 with
> >> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP
> >> stapling on Tomcat so that:
> >> When OCSP is enabled, a server will pre-fetch the OCSP response for its
> >> own certificate and deliver the response to the user's browser during the
> >> TLS handshake. This eliminates the need to make a separate connection to
> >> the CA's revocation service before the Web page is displayed, improving the
> >> page's performance and reliability.
> >> I did search the mailing list and found this question
> >> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
> >> but that user is using the JSSE implementation for TLS, not APR.
> >> The documentation for Tomcat 7 does have an example:
> >>
> >> <Connector port="8443"
> >>            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>            secure="true" scheme="https"
> >>            SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
> >>            SSLCertificateKeyFile="/path/to/ocsp-cert.key"
> >>            SSLCACertificateFile="/path/to/ca.pem"
> >>            SSLVerifyClient="require"
> >>            SSLVerifyDepth="10"
> >>            clientAuth="true"/>
> >>
> >> but that is for client-cert verification. Can we do it on the server side,
> >> or do I miss something on how OCSP is supposed to work in the first place?
> >
> > If you build an OCSP enabled version of the APR/native connector, OCSP
> > stapling should just happen without any additional configuration.
> > Assuming you use an appropriate certificate etc.
> >
> > Mark
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
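The thread's advice is that stapling needs no tcnative configure flag and no Connector attribute: build against an OpenSSL that does not define OPENSSL_NO_OCSP and the staple is served automatically. Neither message shows how to confirm that on a running server, so here is an added example (not from the thread, not Tomcat's or tcnative's own code) for the two checks a practitioner would run next: whether the OpenSSL build tcnative was linked against had OCSP compiled out (`openssl list -disabled`, available from OpenSSL 1.1.0 on, so it fits the 1.1.1 in the question), and whether a TLS handshake to the connector actually returns a stapled response (`openssl s_client -status`). The host, port, OpenSSL path and the sample `s_client` outputs are assumptions and constructed data, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a Tomcat APR/native HTTPS
# connector is actually delivering a stapled OCSP response, and whether the
# OpenSSL that tcnative was linked against had OCSP compiled out.
#
# Assumptions (not stated in the thread): the connector listens on
# localhost:8443 and the openssl binary used below is the one tcnative was
# built against (e.g. /usr/local/openssl/bin/openssl). Override with env vars.
HOST="${HOST:-localhost}"
PORT="${PORT:-8443}"
OPENSSL="${OPENSSL:-openssl}"

# Pure helper: $1 is the text printed by `openssl list -disabled` (OpenSSL
# 1.1.0+), which lists features removed at build time via OPENSSL_NO_*.
# Returns 0 if OCSP was compiled out (the OPENSSL_NO_OCSP case Mark mentions).
ocsp_compiled_out() {
    printf '%s\n' "$1" | grep -qx 'OCSP'
}

# Pure helper: $1 is the full output of `openssl s_client -status ...`.
# Prints one word:
#   none       - server sent no stapled response (stapling is not working)
#   good       - staple present, responder says the certificate is good
#   revoked    - staple present, certificate revoked (browsers will refuse)
#   unknown    - staple present and successful, but no cert status line seen
#   bad-staple - staple present but responder status is not "successful"
staple_status() {
    case "$1" in
        *"OCSP response: no response sent"*) echo none ;;
        *"OCSP Response Status: successful"*)
            case "$1" in
                *"Cert Status: good"*)    echo good ;;
                *"Cert Status: revoked"*) echo revoked ;;
                *)                        echo unknown ;;
            esac ;;
        *"OCSP Response Status:"*) echo bad-staple ;;
        *) echo none ;;
    esac
}

# Live check: one TLS handshake that asks for a staple (status_request
# extension). stdin is closed so s_client exits right after the handshake.
fetch_staple() {
    "$OPENSSL" s_client -connect "$HOST:$PORT" -servername "$HOST" -status \
        </dev/null 2>/dev/null
}

# Constructed sample outputs (abridged from the s_client -status format) so
# the helpers can be exercised without a server.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.test'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct 15 00:00:00 2018 GMT
======================================'

SAMPLE_REVOKED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Oct 14 00:00:00 2018 GMT'

# Run the real checks only when asked (RUN_LIVE=1), so the file can also be
# sourced for its helpers.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    if ocsp_compiled_out "$("$OPENSSL" list -disabled 2>/dev/null)"; then
        echo "OPENSSL_NO_OCSP is set in this OpenSSL; tcnative cannot staple" >&2
        exit 2
    fi
    result=$(staple_status "$(fetch_staple)")
    echo "stapling on $HOST:$PORT: $result"
    [ "$result" = good ]
fi
```

Run it against the build from the thread with `RUN_LIVE=1 OPENSSL=/usr/local/openssl/bin/openssl HOST=yourhost PORT=8443 sh check-staple.sh`. A result of `none` after a clean tcnative build usually points at the certificate rather than the build: the server certificate needs an Authority Information Access extension with an OCSP URL, and the Tomcat process must be able to reach that responder, which is the "appropriate certificate etc." condition in Mark's reply. Note that "successful" is the responder's status, not the certificate's; the `Cert Status:` line is what a browser acts on, which is why the helper reports `revoked` separately.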