On 17/10/18 15:02, Усманов Азат Анварович wrote:
> Unfortunately, I still got the same issue with the slash
>  openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>           Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>           Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>     Request Extensions:
>         OCSP Nonce:
>             0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark


> 
> 
> 
> ________________________________
> From: Rainer Jung <rainer.j...@kippdata.de>
> Sent: 17 October 2018 16:41:27
> To: Tomcat Users List; Усманов Азат Анварович
> Subject: Re: OCSP stapling in tomcat 7 with APR
> 
> Redirect when accessing http://ocsp.comodoca.com could simply be a
> trailing slash redirect (Location: http://ocsp.comodoca.com/). You'd
> better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).
> 
> Regards,
> 
> Rainer
> 
> On 17.10.2018 at 15:09, Усманов Азат Анварович wrote:
>> The SSLLabs test still shows "OCSP stapling no" even with the latest
>> OpenSSL version.
>>
>> I've tried to test it manually and got an error
>>
>>
>>   openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
>> OCSP Request Data:
>>      Version: 1 (0x0)
>>      Requestor List:
>>          Certificate ID:
>>            Hash Algorithm: sha1
>>            Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>>            Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>>            Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>>      Request Extensions:
>>          OCSP Nonce:
>>              041002914B015477EC5C503D4FD630D616F3
>> Error querying OCSP responder
>> 140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
>>
>> Not sure what might be the problem.
>> 301 looks like an HTTP error, Moved Permanently, which is strange because
>> I tried to access http://ocsp.comodoca.com via wget:
>>
>>   wget  http://ocsp.comodoca.com
>> --2018-10-17 16:03:12--  http://ocsp.comodoca.com/
>> Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
>> Запрос Proxy послан, ожидается ответ... 200 OK
>> Длина: 5 [application/ocsp-response]
>> Saving to: «index.html.7»
>>
>> 100%[===================================================================================================================================================================================================>]
>>  5           --.-K/s   в 0s
>>
>> 2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
>>
>> [root] ~# less index.html.7
>> 0^C
>> ^A^A
>> index.html.7 (END)
>> Any ideas what might be the problem?
>>
>>
>> ________________________________
>> From: Усманов Азат Анварович <usma...@ieml.ru>
>> Sent: 15 October 2018 18:20:14
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP stapling in tomcat 7 with APR
>>
>> How do I make sure OCSP is enabled in Tomcat Native?
>>
>> When I try to pass --enable-ocsp to the Tomcat Native configure script I get
>> an unrecognized option warning:
>>
>>
>>    ./configure  --with-apr=/usr/local/apr 
>> --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl 
>> --enable-ocsp
>> configure: WARNING: unrecognized options: --enable-ocsp
>> checking build system type... x86_64-pc-linux-gnu
>> checking host system type... x86_64-pc-linux-gnu
>> checking target system type... x86_64-pc-linux-gnu
>> checking for a BSD-compatible install... /usr/bin/install -c
>> checking for working mkdir -p... yes
>> Tomcat Native Version: 1.2.17
>> checking for chosen layout... tcnative
>> checking for APR... yes
>> configure: APR 1.6.5 detected.
>>    setting CC to "gcc"
>>    setting CPP to "gcc -E"
>>    setting LIBTOOL to "/usr/local/apr/build-1/libtool"
>> checking JAVA_HOME... /usr/java/jdk1.7.0_79
>>    adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
>> checking for JDK os include directory...  linux
>>    adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
>> checking for gcc... gcc
>> checking whether the C compiler works... yes
>> checking for C compiler default output file name... a.out
>> checking for suffix of executables...
>> checking whether we are cross compiling... no
>> checking for suffix of object files... o
>> checking whether we are using the GNU C compiler... yes
>> checking whether gcc accepts -g... yes
>> checking for gcc option to accept ISO C89... none needed
>> checking for OpenSSL library... using openssl from 
>> /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
>> checking OpenSSL library version >= 1.0.2... ok
>> checking for OpenSSL DSA support... yes
>>    adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
>>    setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
>> -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
>>    adding "-DHAVE_OPENSSL" to CFLAGS
>>    setting TCNATIVE_LIBS to ""
>>    setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
>> -lpthread"
>> checking for apr_pollset_wakeup in -lapr-1... yes
>>    adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
>> configure: creating ./config.status
>> config.status: creating tcnative.pc
>> config.status: creating Makefile
>> config.status: executing default commands
>> configure: WARNING: unrecognized options: --enable-ocsp
>>
>>
>>
>> ________________________________
>> From: Mark Thomas <ma...@apache.org>
>> Sent: 15 October 2018 15:01:58
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP stapling in tomcat 7 with APR
>>
>> On 14/10/18 18:45, Усманов Азат Анварович wrote:
>>> Hello everyone! I have a Java 7 web app running on Tomcat 7 with 
>>> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP 
>>> stapling on Tomcat
>>> so that
>>> When OCSP is enabled, a server will pre-fetch the OCSP response for its own 
>>> certificate and deliver the response to the user's browser during the TLS 
>>> handshake. This eliminates the need to make a separate connection to the 
>>> CA's revocation service before the Web page is displayed, improving the 
>>> page's performance and reliability.
>>> I did search the mailing list and found this question
>>> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
>>> but that user is using the JSSE implementation for TLS, not APR.
>>> The documentation for Tomcat 7 does have an example:
>>>
>>> <Connector port="8443"
>>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>     secure="true" scheme="https"
>>>     SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>>>     SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>>>     SSLCACertificateFile="/path/to/ca.pem"
>>>     SSLVerifyClient="require"
>>>     SSLVerifyDepth="10"
>>>     clientAuth="true"/>
>>>
>>>
>>> but that is for client-cert verification. Can we do it on the server side, or 
>>> am I missing something about how OCSP is supposed to work in the first place?
>>
>> If you build an OCSP enabled version of the APR/native connector, OCSP
>> stapling should just happen without any additional configuration.
>> Assuming you use an appropriate certificate etc.
>>
>> Mark
> 
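The two transport-level checks that this thread circles around, written up as an added example (Python standard library only; this is not code from the thread, from OpenSSL or from Tomcat). The `openssl ocsp` failure above is OpenSSL 1.1.1's OCSP HTTP client refusing anything but a 200 on the responder's status line; it follows no redirects, which is why a 301 surfaces as `parse_http_line1 ... Code=301` rather than being transparently retried. The 5-byte body that wget saved, which `less` rendered as `0^C`, a newline and `^A^A`, is the DER bytes 30 03 0a 01 01: an OCSPResponse whose responseStatus is malformedRequest(1), which is what a responder returns for a GET that carries no request. The script mirrors both behaviours and runs them against a hypothetical in-process stand-in responder (`FakeResponder`, a constructed helper, with the `/old` and `/` paths chosen for the example) so that it runs offline; the sample request body and the 5-byte response are constructed constants.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# OCSPResponseStatus values from RFC 6960 section 4.2.1 (value 4 is not used).
OCSP_RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                        3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed sample: the 5-byte body that wget saved in the thread, which `less`
# rendered as "0^C", a newline, "^A^A" (0x30 0x03 0x0a 0x01 0x01).
SAMPLE_STATUS_ONLY_RESPONSE = b"\x30\x03\x0a\x01\x01"


def parse_http_line1(line: bytes) -> int:
    """Check the responder's HTTP status line the way OpenSSL 1.1.1 does.

    Only a 200 is accepted; the OCSP client in ocsp_ht.c follows no
    redirects, so a 301 becomes 'server response error ... Code=301'.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("server response error: malformed status line")
    code = int(parts[1])
    if code != 200:
        raise ValueError(f"server response error: Code={code}")
    return code


def decode_ocsp_response_status(der: bytes) -> str:
    """Read responseStatus from OCSPResponse ::= SEQUENCE { ENUMERATED, ... }.

    Short-form DER lengths only, which covers the status-only replies a
    responder sends when it rejects a request (no responseBytes present).
    """
    if len(der) < 5 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("not a short-form OCSPResponse SEQUENCE")
    if der[2] != 0x0A or der[3] != 0x01:  # ENUMERATED tag, length 1
        raise ValueError("responseStatus ENUMERATED not found")
    return OCSP_RESPONSE_STATUS.get(der[4], f"unknown({der[4]})")


class FakeResponder(BaseHTTPRequestHandler):
    """Hypothetical local stand-in responder: 301 on /old, status-only reply on /."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/old":
            self.send_response(301)
            self.send_header("Location", "http://%s/" % self.headers["Host"])
            self.end_headers()
            return
        # The sample body is not a real OCSPRequest, so answer malformedRequest.
        self.send_response(200)
        self.send_header("Content-Type", "application/ocsp-response")
        self.send_header("Content-Length", str(len(SAMPLE_STATUS_ONLY_RESPONSE)))
        self.end_headers()
        self.wfile.write(SAMPLE_STATUS_ONLY_RESPONSE)

    def log_message(self, *args):  # silence per-request logging
        pass


def ocsp_post(url: str, request_der: bytes, timeout: float = 5.0):
    """POST an OCSP request as openssl ocsp does; return (status, location, body).

    Redirects are deliberately not followed, so a 301 is visible together with
    its Location header instead of being hidden by an HTTP library.
    """
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("POST", u.path or "/", body=request_der,
                 headers={"Content-Type": "application/ocsp-request"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def start_fake_responder() -> HTTPServer:
    """Start the stand-in responder on a free loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), FakeResponder)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_fake_responder()
    base = "http://127.0.0.1:%d" % srv.server_port
    for path in ("/old", "/"):
        status, location, body = ocsp_post(base + path, b"not-a-real-request")
        print(path, "->", status, location or "", body.hex())
    print("body decodes as:", decode_ocsp_response_status(SAMPLE_STATUS_ONLY_RESPONSE))
    srv.shutdown()
```

Run it and the `/old` request reports the 301 together with its Location header, which is the information a network trace of the real responder would give you: whether the redirect comes from the responder itself or from something in the path such as the proxy visible in the wget output. The `/` request returns the same 5-byte body as wget did, and decoding it shows why a 200 with `application/ocsp-response` does not by itself mean the responder accepted anything.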
